Merge pull request #2818 from tonistiigi/vendor-buildkit-v0.18.0-rc2

vendor: update buildkit to v0.18.0-rc2

.github/workflows/build.yml

@@ -54,7 +54,7 @@ jobs:
           - master
           - latest
           - buildx-stable-1
-          - v0.17.0
+          - v0.17.2
           - v0.16.0
           - v0.15.2
         worker:

Dockerfile

@@ -9,7 +9,7 @@ ARG DOCKER_VERSION_ALT_26=26.1.3
 ARG DOCKER_CLI_VERSION=${DOCKER_VERSION}
 ARG GOTESTSUM_VERSION=v1.12.0
 ARG REGISTRY_VERSION=2.8.3
-ARG BUILDKIT_VERSION=v0.17.1
+ARG BUILDKIT_VERSION=v0.17.2
 ARG UNDOCK_VERSION=0.8.0
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx

bake/entitlements.go

@@ -326,7 +326,14 @@ func isParentOrEqualPath(p, parent string) bool {
 }
 
 func findMissingPaths(set []string, paths map[string]struct{}) ([]string, error) {
-	paths, err := evaluateToExistingPaths(paths)
+	set, allowAny, err := evaluatePaths(set)
+	if err != nil {
+		return nil, err
+	} else if allowAny {
+		return nil, nil
+	}
+
+	paths, err = evaluateToExistingPaths(paths)
 	if err != nil {
 		return nil, err
 	}
@@ -335,11 +342,6 @@ func findMissingPaths(set []string, paths map[string]struct{}) ([]string, error)
 		return nil, err
 	}
 
-	set, err = evaluatePaths(set)
-	if err != nil {
-		return nil, err
-	}
-
 	out := make([]string, 0, len(paths))
 loop0:
 	for p := range paths {
@@ -441,6 +443,27 @@ func removeCommonPaths(in, common []string) []string {
 	return filtered
 }
 
+func evaluatePaths(in []string) ([]string, bool, error) {
+	out := make([]string, 0, len(in))
+	allowAny := false
+	for _, p := range in {
+		if p == "*" {
+			allowAny = true
+			continue
+		}
+		v, err := filepath.Abs(p)
+		if err != nil {
+			return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
+		}
+		v, err = filepath.EvalSymlinks(v)
+		if err != nil {
+			return nil, false, errors.Wrapf(err, "failed to evaluate path %q", p)
+		}
+		out = append(out, v)
+	}
+	return out, allowAny, nil
+}
+
 func evaluateToExistingPaths(in map[string]struct{}) (map[string]struct{}, error) {
 	m := make(map[string]struct{}, len(in))
 	for p := range in {

bake/entitlements_test.go

@@ -175,15 +175,22 @@ func TestDedupePaths(t *testing.T) {
 }
 
 func TestValidateEntitlements(t *testing.T) {
-	dir1, err := osutil.GetLongPathName(t.TempDir())
+	dir1 := t.TempDir()
+	dir2 := t.TempDir()
+
+	// the paths returned by entitlements validation will have symlinks resolved
+	expDir1, err := filepath.EvalSymlinks(dir1)
 	require.NoError(t, err)
-	dir2, err := osutil.GetLongPathName(t.TempDir())
+	expDir2, err := filepath.EvalSymlinks(dir2)
 	require.NoError(t, err)
 
 	escapeLink := filepath.Join(dir1, "escape_link")
 	require.NoError(t, os.Symlink("../../aa", escapeLink))
 
-	wd := osutil.GetWd()
+	wd, err := os.Getwd()
+	require.NoError(t, err)
+	expWd, err := filepath.EvalSymlinks(wd)
+	require.NoError(t, err)
 
 	tcases := []struct {
 		name     string
@@ -208,7 +215,7 @@ func TestValidateEntitlements(t *testing.T) {
 			},
 			expected: EntitlementConf{
 				NetworkHost: true,
-				FSRead:      []string{wd},
+				FSRead:      []string{expWd},
 			},
 		},
 		{
@@ -222,7 +229,7 @@ func TestValidateEntitlements(t *testing.T) {
 				},
 			},
 			expected: EntitlementConf{
-				FSRead: []string{wd},
+				FSRead: []string{expWd},
 			},
 		},
 		{
@@ -236,7 +243,7 @@ func TestValidateEntitlements(t *testing.T) {
 			expected: EntitlementConf{
 				NetworkHost:      true,
 				SecurityInsecure: true,
-				FSRead:           []string{wd},
+				FSRead:           []string{expWd},
 			},
 		},
 		{
@@ -252,7 +259,7 @@ func TestValidateEntitlements(t *testing.T) {
 			},
 			expected: EntitlementConf{
 				SecurityInsecure: true,
-				FSRead:           []string{wd},
+				FSRead:           []string{expWd},
 			},
 		},
 		{
@@ -266,7 +273,7 @@ func TestValidateEntitlements(t *testing.T) {
 			},
 			expected: EntitlementConf{
 				SSH:    true,
-				FSRead: []string{wd},
+				FSRead: []string{expWd},
 			},
 		},
 		{
@@ -295,11 +302,11 @@ func TestValidateEntitlements(t *testing.T) {
 			},
 			expected: EntitlementConf{
 				FSWrite: func() []string {
-					exp := []string{dir1, dir2}
+					exp := []string{expDir1, expDir2}
 					slices.Sort(exp)
 					return exp
 				}(),
-				FSRead: []string{wd},
+				FSRead: []string{expWd},
 			},
 		},
 		{
@@ -328,7 +335,7 @@ func TestValidateEntitlements(t *testing.T) {
 				FSRead: []string{wd, dir1},
 			},
 			expected: EntitlementConf{
-				FSRead: []string{filepath.Join(dir1, "../..")},
+				FSRead: []string{filepath.Join(expDir1, "../..")},
 			},
 		},
 		{
@@ -343,6 +350,33 @@ func TestValidateEntitlements(t *testing.T) {
 			conf: EntitlementConf{
 				FSRead: []string{"/"},
 			},
+			expected: EntitlementConf{
+				FSRead: func() []string {
+					// on windows root (/) is only allowed if it is the same volume as wd
+					if filepath.VolumeName(wd) == filepath.VolumeName(escapeLink) {
+						return nil
+					}
+					// if not, then escapeLink is not allowed
+					exp, err := evaluateToExistingPath(escapeLink)
+					require.NoError(t, err)
+					exp, err = filepath.EvalSymlinks(exp)
+					require.NoError(t, err)
+					return []string{exp}
+				}(),
+			},
+		},
+		{
+			name: "SecretFromEscapeLinkAllowAny",
+			opt: build.Options{
+				SecretSpecs: []*pb.Secret{
+					{
+						FilePath: escapeLink,
+					},
+				},
+			},
+			conf: EntitlementConf{
+				FSRead: []string{"*"},
+			},
 			expected: EntitlementConf{},
 		},
 	}

bake/entitlements_unix.go

@@ -1,26 +0,0 @@
-//go:build !windows
-// +build !windows
-
-package bake
-
-import (
-	"path/filepath"
-
-	"github.com/pkg/errors"
-)
-
-func evaluatePaths(in []string) ([]string, error) {
-	out := make([]string, 0, len(in))
-	for _, p := range in {
-		v, err := filepath.Abs(p)
-		if err != nil {
-			return nil, err
-		}
-		v, err = filepath.EvalSymlinks(v)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
-		}
-		out = append(out, v)
-	}
-	return out, nil
-}

bake/entitlements_windows.go

@@ -1,39 +0,0 @@
-package bake
-
-import (
-	"os"
-	"path/filepath"
-
-	"github.com/pkg/errors"
-)
-
-func evaluatePaths(in []string) ([]string, error) {
-	out := make([]string, 0, len(in))
-	for _, p := range in {
-		if p == "/" {
-			out = append(out, getAllVolumes()...)
-			continue
-		}
-		v, err := filepath.Abs(p)
-		if err != nil {
-			return nil, err
-		}
-		v, err = filepath.EvalSymlinks(v)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to evaluate path %q", p)
-		}
-		out = append(out, v)
-	}
-	return out, nil
-}
-
-func getAllVolumes() []string {
-	var volumes []string
-	for _, drive := range "ABCDEFGHIJKLMNOPQRSTUVWXYZ" {
-		p := string(drive) + ":" + string(filepath.Separator)
-		if _, err := os.Stat(p); !os.IsNotExist(err) {
-			volumes = append(volumes, p)
-		}
-	}
-	return volumes
-}

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/hashicorp/hcl/v2 v2.20.1
 	github.com/in-toto/in-toto-golang v0.5.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/moby/buildkit v0.18.0-rc1
+	github.com/moby/buildkit v0.18.0-rc2
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/moby/sys/signal v0.7.1
 	github.com/morikuni/aec v1.0.0

go.sum

@@ -301,8 +301,8 @@ github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/z
 github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.18.0-rc1 h1:fxurq9IkqaX7ZXRlxbBpY3DO7xw/vISJoNFw1Gtl4c0=
-github.com/moby/buildkit v0.18.0-rc1/go.mod h1:vCR5CX8NGsPTthTg681+9kdmfvkvqJBXEv71GZe5msU=
+github.com/moby/buildkit v0.18.0-rc2 h1:Q4jxxicZM5sqdy6gJPikgILBrBUncPok0Z0rRbhtVWk=
+github.com/moby/buildkit v0.18.0-rc2/go.mod h1:vCR5CX8NGsPTthTg681+9kdmfvkvqJBXEv71GZe5msU=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=

vendor/github.com/moby/buildkit/util/testutil/workers/dockerd.go

@@ -50,6 +50,7 @@ func InitDockerdWorker() {
 		Unsupported: []string{
 			FeatureSecurityMode,
 			FeatureCNINetwork,
+			FeatureContentCheck,
 		},
 	})
 }

vendor/github.com/moby/buildkit/util/testutil/workers/features.go

@@ -30,6 +30,7 @@ const (
 	FeatureSecurityMode         = "security_mode"
 	FeatureSourceDateEpoch      = "source_date_epoch"
 	FeatureCNINetwork           = "cni_network"
+	FeatureContentCheck         = "content_check"
 )
 
 var features = map[string]struct{}{
@@ -56,6 +57,7 @@ var features = map[string]struct{}{
 	FeatureSecurityMode:         {},
 	FeatureSourceDateEpoch:      {},
 	FeatureCNINetwork:           {},
+	FeatureContentCheck:         {},
 }
 
 func CheckFeatureCompat(t *testing.T, sb integration.Sandbox, reason ...string) {

vendor/modules.txt

@@ -483,7 +483,7 @@ github.com/mitchellh/go-wordwrap
 github.com/mitchellh/hashstructure/v2
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
-# github.com/moby/buildkit v0.18.0-rc1
+# github.com/moby/buildkit v0.18.0-rc2
 ## explicit; go 1.22.0
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types