full diff: https://github.com/opencontainers/selinux/compare/v1.3.1...v1.3.3
- go-selinux/SetKeyLabel: fix for RHEL7 kernels
- getSELinuxfs: optimize/simplify using sync.Once
- xattr: use x/sys/unix, simplify
- Use /proc/thread-self if available
- Fix EnforceMode, SetEnforceMode, and SecurityCheckContext
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.0.1...v3.0.2
- assert: Fix NilError, error non-nil type
- fixes: Typed nil errors should not pass "NilError"
- fixes: "reflect: call of reflect.Value.IsNil on struct Value" for struct error type
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
lgetxattr(2) man page says:
> If size is specified as zero, these calls return the current size of
> the named extended attribute (and leave value unchanged). This can be
> used to determine the size of the buffer that should be supplied in a
> subsequent call. (But, bear in mind that there is a possibility that
> the attribute value may change between the two calls, so that it is
> still necessary to check the return status from the second call.)
The current code does not handle the case when the size changes between
the two calls, and the new size is larger.
Fix the above problem, and slightly simplify the code.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
full diff: https://github.com/checkpoint-restore/criu/compare/v3.12...v3.13
Here we have some bugfixes, huuuge *.py patch for coding style
and nice set of new features like 32bit for ARM, TLS for page
server and new mode for CGroups.
New features
- VDSO: arm32 support
- Add TLS support for page server communications
- "Ignore" mode for --manage-cgroups
- Restore SO_BROADCAST option for inet sockets
Bugfixes
- Auxiliary events were left in inotify queues
- Lazy-pages daemon didn't detect stack pages and surrounders properly and marked them as "lazy"
- Memory and resource leakage were detected by coverity, cppcheck and clang
Improvements
- Use gettimeofday() directly from vdso for restore timings
- Reformat all .py code into pep8 style
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Someday, we'll hopefully support nftables directly and will likely then need some kind of in-container runtime detection (perhaps based on loaded modules or something similar). This updates the related `Dockerfile` comment accordingly (linking to the appropriate `nftables` tracking issue).
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
This reverts commit 2808762b27.
This exception was added for rootless mode, but superseded by the
follow-up commit f4fa98f583, which
uses a different path to look for the certs when running in rootless
mode
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Configuration over the API per container is intentionally left out for
the time being, but is supported to configure the default from the
daemon config.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit cbecf48bc352e680a5390a7ca9cff53098cd16d7)
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This supplements any log driver which does not support reads with a
custom read implementation that uses a local file cache.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit d675e2bf2b75865915c7a4552e00802feeb0847f)
Signed-off-by: Madhu Venugopal <madhu@docker.com>
The template used was broken with Go 1.14, which has some stricter
rules, introduced in https://golang.org/cl/206124
```
root@b5beaed18589:/go/src/github.com/docker/docker# ./hack/generate-swagger-api.sh
2020/02/07 15:12:01 trying to read config from /go/src/github.com/docker/docker/api/swagger-gen.yaml
2020/02/07 15:12:02 rendering 1 templates for model ErrorResponse
2020/02/07 15:12:02 name field ErrorResponse
2020/02/07 15:12:02 package field types
2020/02/07 15:12:02 creating "error_response.go" in "api/types" as definition
model: template: schematype:2:18: executing "schemaType" at <(len .AllOf) gt 0>: can't give argument to non-function len .AllOf
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
