vendor: update buildkit and dockerd

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2025-07-09 21:17:09 +08:00 · 2019-04-06 13:19:36 -07:00
parent f0142b9e8b
commit 9129a49409
29 changed files with 1686 additions and 284 deletions
--- a/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go
+++ b/vendor/github.com/moby/buildkit/util/entitlements/entitlements.go
@ -1,26 +1,19 @@
 package entitlements

-import "github.com/pkg/errors"
+import (
+	"github.com/pkg/errors"
+)

 type Entitlement string

 const (
-	EntitlementSecurityConfined   Entitlement = "security.confined"
-	EntitlementSecurityUnconfined Entitlement = "security.unconfined" // unimplemented
-	EntitlementNetworkHost        Entitlement = "network.host"
-	EntitlementNetworkNone        Entitlement = "network.none"
+	EntitlementSecurityInsecure Entitlement = "security.insecure"
+	EntitlementNetworkHost      Entitlement = "network.host"
 )

 var all = map[Entitlement]struct{}{
-	EntitlementSecurityConfined:   {},
-	EntitlementSecurityUnconfined: {},
-	EntitlementNetworkHost:        {},
-	EntitlementNetworkNone:        {},
-}
-
-var defaults = map[Entitlement]struct{}{
-	EntitlementSecurityConfined: {},
-	EntitlementNetworkNone:      {},
+	EntitlementSecurityInsecure: {},
+	EntitlementNetworkHost:      {},
 }

 func Parse(s string) (Entitlement, error) {
@ -56,9 +49,6 @@ func WhiteList(allowed, supported []Entitlement) (Set, error) {
 		m[e] = struct{}{}
 	}

-	for e := range defaults {
-		m[e] = struct{}{}
-	}
 	return Set(m), nil
 }

--- a/vendor/github.com/moby/buildkit/util/entitlements/security_linux.go
+++ b/vendor/github.com/moby/buildkit/util/entitlements/security_linux.go
@ -0,0 +1,67 @@
+package entitlements
+
+import (
+	"context"
+
+	"github.com/containerd/containerd/containers"
+	"github.com/containerd/containerd/oci"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// WithInsecureSpec sets spec with All capability.
+func WithInsecureSpec() oci.SpecOpts {
+	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+		addCaps := []string{
+			"CAP_FSETID",
+			"CAP_KILL",
+			"CAP_FOWNER",
+			"CAP_MKNOD",
+			"CAP_CHOWN",
+			"CAP_DAC_OVERRIDE",
+			"CAP_NET_RAW",
+			"CAP_SETGID",
+			"CAP_SETUID",
+			"CAP_SETPCAP",
+			"CAP_SETFCAP",
+			"CAP_NET_BIND_SERVICE",
+			"CAP_SYS_CHROOT",
+			"CAP_AUDIT_WRITE",
+			"CAP_MAC_ADMIN",
+			"CAP_MAC_OVERRIDE",
+			"CAP_DAC_READ_SEARCH",
+			"CAP_SYS_PTRACE",
+			"CAP_SYS_MODULE",
+			"CAP_SYSLOG",
+			"CAP_SYS_RAWIO",
+			"CAP_SYS_ADMIN",
+			"CAP_LINUX_IMMUTABLE",
+			"CAP_SYS_BOOT",
+			"CAP_SYS_NICE",
+			"CAP_SYS_PACCT",
+			"CAP_SYS_TTY_CONFIG",
+			"CAP_SYS_TIME",
+			"CAP_WAKE_ALARM",
+			"CAP_AUDIT_READ",
+			"CAP_AUDIT_CONTROL",
+			"CAP_SYS_RESOURCE",
+			"CAP_BLOCK_SUSPEND",
+			"CAP_IPC_LOCK",
+			"CAP_IPC_OWNER",
+			"CAP_LEASE",
+			"CAP_NET_ADMIN",
+			"CAP_NET_BROADCAST",
+		}
+		for _, cap := range addCaps {
+			s.Process.Capabilities.Bounding = append(s.Process.Capabilities.Bounding, cap)
+			s.Process.Capabilities.Ambient = append(s.Process.Capabilities.Ambient, cap)
+			s.Process.Capabilities.Effective = append(s.Process.Capabilities.Effective, cap)
+			s.Process.Capabilities.Inheritable = append(s.Process.Capabilities.Inheritable, cap)
+			s.Process.Capabilities.Permitted = append(s.Process.Capabilities.Permitted, cap)
+		}
+		s.Linux.ReadonlyPaths = []string{}
+		s.Linux.MaskedPaths = []string{}
+		s.Process.ApparmorProfile = ""
+
+		return nil
+	}
+}