cephfs: upgrade fscrypt version to fix concurrency issue
In older versions of fscrypt there is a race condition when multiple encrypted cephfs instances are deployed simultaneously. Signed-off-by: NymanRobin <robin.nyman@est.tech>
This commit is contained in:
parent
55bc4b406f
commit
3073409695
8
go.mod
8
go.mod
@ -14,7 +14,7 @@ require (
|
||||
github.com/csi-addons/spec v0.2.1-0.20230606140122-d20966d2e444
|
||||
github.com/gemalto/kmip-go v0.0.10
|
||||
github.com/golang/protobuf v1.5.4
|
||||
github.com/google/fscrypt v0.3.4
|
||||
github.com/google/fscrypt v0.3.6-0.20240502174735-068b9f8f5dec
|
||||
github.com/google/uuid v1.6.0
|
||||
github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
|
||||
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
|
||||
@ -57,6 +57,7 @@ require (
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
|
||||
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
|
||||
github.com/BurntSushi/toml v1.3.2 // indirect
|
||||
github.com/NYTimes/gziphandler v1.1.1 // indirect
|
||||
github.com/ansel1/merry v1.6.2 // indirect
|
||||
github.com/ansel1/merry/v2 v2.0.1 // indirect
|
||||
@ -73,6 +74,7 @@ require (
|
||||
github.com/cenkalti/backoff/v3 v3.2.2 // indirect
|
||||
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
|
||||
github.com/cespare/xxhash/v2 v2.2.0 // indirect
|
||||
github.com/client9/misspell v0.3.4 // indirect
|
||||
github.com/coreos/go-semver v0.3.1 // indirect
|
||||
github.com/coreos/go-systemd/v22 v22.5.0 // indirect
|
||||
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
|
||||
@ -146,6 +148,7 @@ require (
|
||||
github.com/spf13/cobra v1.7.0 // indirect
|
||||
github.com/spf13/pflag v1.0.5 // indirect
|
||||
github.com/stoewer/go-strcase v1.2.0 // indirect
|
||||
github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad // indirect
|
||||
go.etcd.io/etcd/api/v3 v3.5.10 // indirect
|
||||
go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
|
||||
go.etcd.io/etcd/client/v3 v3.5.10 // indirect
|
||||
@ -161,6 +164,8 @@ require (
|
||||
go.uber.org/multierr v1.11.0 // indirect
|
||||
go.uber.org/zap v1.26.0 // indirect
|
||||
golang.org/x/exp v0.0.0-20220827204233-334a2380cb91 // indirect
|
||||
golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a // indirect
|
||||
golang.org/x/mod v0.14.0 // indirect
|
||||
golang.org/x/oauth2 v0.17.0 // indirect
|
||||
golang.org/x/sync v0.6.0 // indirect
|
||||
golang.org/x/term v0.20.0 // indirect
|
||||
@ -176,6 +181,7 @@ require (
|
||||
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
|
||||
gopkg.in/yaml.v2 v2.4.0 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
honnef.co/go/tools v0.4.5 // indirect
|
||||
k8s.io/apiextensions-apiserver v0.29.2 // indirect
|
||||
k8s.io/apiserver v0.29.3 // indirect
|
||||
k8s.io/component-base v0.29.3 // indirect
|
||||
|
11
go.sum
11
go.sum
@ -785,6 +785,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 h1:DzHpqpoJVaC
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
|
||||
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
||||
github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
|
||||
github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
|
||||
github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
|
||||
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
|
||||
github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
|
||||
github.com/IBM/keyprotect-go-client v0.12.2 h1:Cjxcqin9Pl0xz3MnxdiVd4v/eIa79xL3hQpSbwOr/DQ=
|
||||
@ -880,6 +882,7 @@ github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
|
||||
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
|
||||
github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
|
||||
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
|
||||
github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
|
||||
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
|
||||
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
|
||||
github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
|
||||
@ -1122,6 +1125,8 @@ github.com/google/cel-go v0.17.7/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulN
|
||||
github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
|
||||
github.com/google/fscrypt v0.3.4 h1:XGSVMIsQFooj82aRRfYn3JpgU/4fOTnzXPnjhxC8uH8=
|
||||
github.com/google/fscrypt v0.3.4/go.mod h1:BRpw7vaeDitXGRvXa281i/ivQszAdBIiUYDWHjVTkcs=
|
||||
github.com/google/fscrypt v0.3.6-0.20240502174735-068b9f8f5dec h1:bXRTgu+1I882EvvYVEUwehBVahYfqeX9Qqb9eUyPs/g=
|
||||
github.com/google/fscrypt v0.3.6-0.20240502174735-068b9f8f5dec/go.mod h1:HyY8Z/kUPrnIKAwuhjrn2tSTM5/s9zfRRTqRMG0mHks=
|
||||
github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ=
|
||||
github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
|
||||
github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
|
||||
@ -1632,6 +1637,7 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1
|
||||
github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=
|
||||
github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
|
||||
github.com/urfave/cli v1.22.5/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
|
||||
github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad h1:W0LEBv82YCGEtcmPA3uNZBI33/qF//HAAs3MawDjRa0=
|
||||
github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad/go.mod h1:Hy8o65+MXnS6EwGElrSRjUzQDLXreJlzYLlWiHtt8hM=
|
||||
github.com/xhit/go-str2duration v1.2.0/go.mod h1:3cPSlfZlUHVlneIVfePFWcJZsuwf+P1v2SRTV4cUmp4=
|
||||
github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
|
||||
@ -1781,6 +1787,8 @@ golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2F
|
||||
golang.org/x/exp v0.0.0-20220827204233-334a2380cb91 h1:tnebWN09GYg9OLPss1KXj8txwZc6X6uMr6VFdcGNbHw=
|
||||
golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
|
||||
golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
|
||||
golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a h1:Jw5wfR+h9mnIYH+OtGT2im5wV1YGGDora5vTv/aa5bE=
|
||||
golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
|
||||
golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
|
||||
golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
|
||||
golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
|
||||
@ -1828,6 +1836,7 @@ golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||
golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||
golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
|
||||
golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
|
||||
golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
|
||||
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
@ -2594,6 +2603,8 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
|
||||
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
|
||||
honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
|
||||
honnef.co/go/tools v0.3.0/go.mod h1:vlRD9XErLMGT+mDuofSr0mMMquscM/1nQqtRSsh6m70=
|
||||
honnef.co/go/tools v0.4.5 h1:YGD4H+SuIOOqsyoLOpZDWcieM28W47/zRO7f+9V3nvo=
|
||||
honnef.co/go/tools v0.4.5/go.mod h1:GUV+uIBCLpdf0/v6UhHHG/yzI/z6qPskBeQCjcNB96k=
|
||||
k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw=
|
||||
k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80=
|
||||
k8s.io/apiextensions-apiserver v0.29.3 h1:9HF+EtZaVpFjStakF4yVufnXGPRppWFEQ87qnO91YeI=
|
||||
|
8
vendor/github.com/google/fscrypt/actions/context.go
generated
vendored
8
vendor/github.com/google/fscrypt/actions/context.go
generated
vendored
@ -22,10 +22,10 @@
|
||||
// All of the actions include a significant amount of logging, so that good
|
||||
// output can be provided for cmd/fscrypt's verbose mode.
|
||||
// The top-level actions currently include:
|
||||
// - Creating a new config file
|
||||
// - Creating a context on which to perform actions
|
||||
// - Creating, unlocking, and modifying Protectors
|
||||
// - Creating, unlocking, and modifying Policies
|
||||
// - Creating a new config file
|
||||
// - Creating a context on which to perform actions
|
||||
// - Creating, unlocking, and modifying Protectors
|
||||
// - Creating, unlocking, and modifying Policies
|
||||
package actions
|
||||
|
||||
import (
|
||||
|
5
vendor/github.com/google/fscrypt/actions/policy.go
generated
vendored
5
vendor/github.com/google/fscrypt/actions/policy.go
generated
vendored
@ -24,6 +24,7 @@ import (
|
||||
"log"
|
||||
"os"
|
||||
"os/user"
|
||||
"reflect"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"google.golang.org/protobuf/proto"
|
||||
@ -452,7 +453,7 @@ func (policy *Policy) AddProtector(protector *Protector) error {
|
||||
|
||||
// If the protector is on a different filesystem, we need to add a link
|
||||
// to it on the policy's filesystem.
|
||||
if policy.Context.Mount != protector.Context.Mount {
|
||||
if !reflect.DeepEqual(policy.Context.Mount, protector.Context.Mount) {
|
||||
log.Printf("policy on %s\n protector on %s\n", policy.Context.Mount, protector.Context.Mount)
|
||||
ownerIfCreating, err := getOwnerOfMetadataForProtector(protector)
|
||||
if err != nil {
|
||||
@ -525,7 +526,7 @@ func (policy *Policy) RemoveProtector(protectorDescriptor string) error {
|
||||
func (policy *Policy) Apply(path string) error {
|
||||
if pathMount, err := filesystem.FindMount(path); err != nil {
|
||||
return err
|
||||
} else if pathMount != policy.Context.Mount {
|
||||
} else if !reflect.DeepEqual(pathMount, policy.Context.Mount) {
|
||||
return &ErrDifferentFilesystem{policy.Context.Mount, pathMount}
|
||||
}
|
||||
|
||||
|
22
vendor/github.com/google/fscrypt/crypto/crypto.go
generated
vendored
22
vendor/github.com/google/fscrypt/crypto/crypto.go
generated
vendored
@ -18,17 +18,17 @@
|
||||
*/
|
||||
|
||||
// Package crypto manages all the cryptography for fscrypt. This includes:
|
||||
// - Key management (key.go)
|
||||
// - Securely holding keys in memory
|
||||
// - Making recovery keys
|
||||
// - Randomness (rand.go)
|
||||
// - Cryptographic algorithms (crypto.go)
|
||||
// - encryption (AES256-CTR)
|
||||
// - authentication (SHA256-based HMAC)
|
||||
// - key stretching (SHA256-based HKDF)
|
||||
// - key wrapping/unwrapping (Encrypt then MAC)
|
||||
// - passphrase-based key derivation (Argon2id)
|
||||
// - key descriptor computation (double SHA512, or HKDF-SHA512)
|
||||
// 1. Key management (key.go)
|
||||
// - Securely holding keys in memory
|
||||
// - Making recovery keys
|
||||
// 2. Randomness (rand.go)
|
||||
// 3. Cryptographic algorithms (crypto.go)
|
||||
// - encryption (AES256-CTR)
|
||||
// - authentication (SHA256-based HMAC)
|
||||
// - key stretching (SHA256-based HKDF)
|
||||
// - key wrapping/unwrapping (Encrypt then MAC)
|
||||
// - passphrase-based key derivation (Argon2id)
|
||||
// - key descriptor computation (double SHA512, or HKDF-SHA512)
|
||||
package crypto
|
||||
|
||||
import (
|
||||
|
3
vendor/github.com/google/fscrypt/crypto/rand.go
generated
vendored
3
vendor/github.com/google/fscrypt/crypto/rand.go
generated
vendored
@ -30,7 +30,8 @@ import (
|
||||
// the operating system has insufficient randomness, the buffer creation will
|
||||
// fail. This is an improvement over Go's built-in crypto/rand which will still
|
||||
// return bytes if the system has insufficiency entropy.
|
||||
// See: https://github.com/golang/go/issues/19274
|
||||
//
|
||||
// See: https://github.com/golang/go/issues/19274
|
||||
//
|
||||
// While this syscall was only introduced in Kernel v3.17, it predates the
|
||||
// introduction of filesystem encryption, so it introduces no additional
|
||||
|
38
vendor/github.com/google/fscrypt/filesystem/filesystem.go
generated
vendored
38
vendor/github.com/google/fscrypt/filesystem/filesystem.go
generated
vendored
@ -21,15 +21,15 @@
|
||||
|
||||
// Package filesystem deals with the structure of the files on disk used to
|
||||
// store the metadata for fscrypt. Specifically, this package includes:
|
||||
// - mountpoint management (mountpoint.go)
|
||||
// - querying existing mounted filesystems
|
||||
// - getting filesystems from a UUID
|
||||
// - finding the filesystem for a specific path
|
||||
// - metadata organization (filesystem.go)
|
||||
// - setting up a mounted filesystem for use with fscrypt
|
||||
// - adding/querying/deleting metadata
|
||||
// - making links to other filesystems' metadata
|
||||
// - following links to get data from other filesystems
|
||||
// 1. mountpoint management (mountpoint.go)
|
||||
// - querying existing mounted filesystems
|
||||
// - getting filesystems from a UUID
|
||||
// - finding the filesystem for a specific path
|
||||
// 2. metadata organization (filesystem.go)
|
||||
// - setting up a mounted filesystem for use with fscrypt
|
||||
// - adding/querying/deleting metadata
|
||||
// - making links to other filesystems' metadata
|
||||
// - following links to get data from other filesystems
|
||||
package filesystem
|
||||
|
||||
import (
|
||||
@ -195,6 +195,7 @@ func (err *ErrProtectorNotFound) Error() string {
|
||||
var SortDescriptorsByLastMtime = false
|
||||
|
||||
// Mount contains information for a specific mounted filesystem.
|
||||
//
|
||||
// Path - Absolute path where the directory is mounted
|
||||
// FilesystemType - Type of the mounted filesystem, e.g. "ext4"
|
||||
// Device - Device for filesystem (empty string if we cannot find one)
|
||||
@ -210,8 +211,9 @@ var SortDescriptorsByLastMtime = false
|
||||
// setup first. Specifically, the directories created look like:
|
||||
// <mountpoint>
|
||||
// └── .fscrypt
|
||||
// ├── policies
|
||||
// └── protectors
|
||||
//
|
||||
// ├── policies
|
||||
// └── protectors
|
||||
//
|
||||
// These "policies" and "protectors" directories will contain files that are
|
||||
// the corresponding metadata structures for policies and protectors. The public
|
||||
@ -723,13 +725,13 @@ func (m *Mount) addMetadata(path string, md metadata.Metadata, owner *user.User)
|
||||
// considering that it could be a malicious file created to cause a
|
||||
// denial-of-service. Specifically, the following checks are done:
|
||||
//
|
||||
// - It must be a regular file, not another type of file like a symlink or FIFO.
|
||||
// (Symlinks aren't bad by themselves, but given that a malicious user could
|
||||
// point one to absolutely anywhere, and there is no known use case for the
|
||||
// metadata files themselves being symlinks, it seems best to disallow them.)
|
||||
// - It must have a reasonable size (<= maxMetadataFileSize).
|
||||
// - If trustedUser is non-nil, then the file must be owned by the given user
|
||||
// or by root.
|
||||
// - It must be a regular file, not another type of file like a symlink or FIFO.
|
||||
// (Symlinks aren't bad by themselves, but given that a malicious user could
|
||||
// point one to absolutely anywhere, and there is no known use case for the
|
||||
// metadata files themselves being symlinks, it seems best to disallow them.)
|
||||
// - It must have a reasonable size (<= maxMetadataFileSize).
|
||||
// - If trustedUser is non-nil, then the file must be owned by the given user
|
||||
// or by root.
|
||||
//
|
||||
// Take care to avoid TOCTOU (time-of-check-time-of-use) bugs when doing these
|
||||
// tests. Notably, we must open the file before checking the file type, as the
|
||||
|
19
vendor/github.com/google/fscrypt/filesystem/mountpoint.go
generated
vendored
19
vendor/github.com/google/fscrypt/filesystem/mountpoint.go
generated
vendored
@ -106,6 +106,7 @@ func getDeviceName(num DeviceNumber) string {
|
||||
// Parse one line of /proc/self/mountinfo.
|
||||
//
|
||||
// The line contains the following space-separated fields:
|
||||
//
|
||||
// [0] mount ID
|
||||
// [1] parent ID
|
||||
// [2] major:minor
|
||||
@ -184,11 +185,11 @@ func addUncontainedSubtreesRecursive(dst map[string]bool,
|
||||
// preferably a read-write mount. However, that doesn't work in containers
|
||||
// where the "/" subtree might not be mounted. Here's a real-world example:
|
||||
//
|
||||
// mnt.Subtree mnt.Path
|
||||
// ----------- --------
|
||||
// /var/lib/lxc/base/rootfs /
|
||||
// /var/cache/pacman/pkg /var/cache/pacman/pkg
|
||||
// /srv/repo/x86_64 /srv/http/x86_64
|
||||
// mnt.Subtree mnt.Path
|
||||
// ----------- --------
|
||||
// /var/lib/lxc/base/rootfs /
|
||||
// /var/cache/pacman/pkg /var/cache/pacman/pkg
|
||||
// /srv/repo/x86_64 /srv/http/x86_64
|
||||
//
|
||||
// In this case, all mnt.Subtree are independent. To handle this case, we must
|
||||
// choose the Mount whose mnt.Path contains the others, i.e. the first one.
|
||||
@ -199,10 +200,10 @@ func addUncontainedSubtreesRecursive(dst map[string]bool,
|
||||
// needed to correctly handle bind mounts. For example, in the following case,
|
||||
// the first Mount should be chosen:
|
||||
//
|
||||
// mnt.Subtree mnt.Path
|
||||
// ----------- --------
|
||||
// /foo /foo
|
||||
// /foo/dir /dir
|
||||
// mnt.Subtree mnt.Path
|
||||
// ----------- --------
|
||||
// /foo /foo
|
||||
// /foo/dir /dir
|
||||
//
|
||||
// To solve this, we divide the mounts into non-overlapping trees of mnt.Path.
|
||||
// Then, we choose one of these trees which contains (exactly or via path
|
||||
|
6
vendor/github.com/google/fscrypt/metadata/config.go
generated
vendored
6
vendor/github.com/google/fscrypt/metadata/config.go
generated
vendored
@ -21,9 +21,9 @@
|
||||
// Package metadata contains all of the on disk structures.
|
||||
// These structures are defined in metadata.proto. The package also
|
||||
// contains functions for manipulating these structures, specifically:
|
||||
// * Reading and Writing the Config file to disk
|
||||
// * Getting and Setting Policies for directories
|
||||
// * Reasonable defaults for a Policy's EncryptionOptions
|
||||
// - Reading and Writing the Config file to disk
|
||||
// - Getting and Setting Policies for directories
|
||||
// - Reasonable defaults for a Policy's EncryptionOptions
|
||||
package metadata
|
||||
|
||||
import (
|
||||
|
2
vendor/github.com/google/fscrypt/metadata/metadata.pb.go
generated
vendored
2
vendor/github.com/google/fscrypt/metadata/metadata.pb.go
generated
vendored
@ -23,7 +23,7 @@
|
||||
|
||||
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||
// versions:
|
||||
// protoc-gen-go v1.28.0
|
||||
// protoc-gen-go v1.33.0
|
||||
// protoc v3.6.1
|
||||
// source: metadata/metadata.proto
|
||||
|
||||
|
13
vendor/github.com/google/fscrypt/metadata/policy.go
generated
vendored
13
vendor/github.com/google/fscrypt/metadata/policy.go
generated
vendored
@ -28,6 +28,7 @@ import (
|
||||
"os"
|
||||
"os/user"
|
||||
"strconv"
|
||||
"syscall"
|
||||
"unsafe"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
@ -85,6 +86,15 @@ func (err *ErrDirectoryNotOwned) Error() string {
|
||||
write access to the directory.`, err.Path, owner)
|
||||
}
|
||||
|
||||
// ErrLockedRegularFile indicates that the path is a locked regular file.
|
||||
type ErrLockedRegularFile struct {
|
||||
Path string
|
||||
}
|
||||
|
||||
func (err *ErrLockedRegularFile) Error() string {
|
||||
return fmt.Sprintf("cannot operate on locked regular file %q", err.Path)
|
||||
}
|
||||
|
||||
// ErrNotEncrypted indicates that the path is not encrypted.
|
||||
type ErrNotEncrypted struct {
|
||||
Path string
|
||||
@ -164,6 +174,9 @@ func buildV2PolicyData(policy *unix.FscryptPolicyV2) *PolicyData {
|
||||
func GetPolicy(path string) (*PolicyData, error) {
|
||||
file, err := os.Open(path)
|
||||
if err != nil {
|
||||
if err.(*os.PathError).Err == syscall.ENOKEY {
|
||||
return nil, &ErrLockedRegularFile{path}
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
defer file.Close()
|
||||
|
4
vendor/github.com/google/fscrypt/security/privileges.go
generated
vendored
4
vendor/github.com/google/fscrypt/security/privileges.go
generated
vendored
@ -18,8 +18,8 @@
|
||||
*/
|
||||
|
||||
// Package security manages:
|
||||
// - Cache clearing (cache.go)
|
||||
// - Privilege manipulation (privileges.go)
|
||||
// - Cache clearing (cache.go)
|
||||
// - Privilege manipulation (privileges.go)
|
||||
package security
|
||||
|
||||
// Use the libc versions of setreuid, setregid, and setgroups instead of the
|
||||
|
16
vendor/modules.txt
vendored
16
vendor/modules.txt
vendored
@ -62,6 +62,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/options
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go/apps/public
|
||||
# github.com/BurntSushi/toml v1.3.2
|
||||
## explicit; go 1.16
|
||||
# github.com/IBM/keyprotect-go-client v0.12.2
|
||||
## explicit; go 1.15
|
||||
github.com/IBM/keyprotect-go-client
|
||||
@ -224,6 +226,8 @@ github.com/ceph/go-ceph/rbd/admin
|
||||
# github.com/cespare/xxhash/v2 v2.2.0
|
||||
## explicit; go 1.11
|
||||
github.com/cespare/xxhash/v2
|
||||
# github.com/client9/misspell v0.3.4
|
||||
## explicit
|
||||
# github.com/container-storage-interface/spec v1.9.0
|
||||
## explicit; go 1.18
|
||||
github.com/container-storage-interface/spec/lib/go/csi
|
||||
@ -347,8 +351,8 @@ github.com/google/cel-go/interpreter
|
||||
github.com/google/cel-go/interpreter/functions
|
||||
github.com/google/cel-go/parser
|
||||
github.com/google/cel-go/parser/gen
|
||||
# github.com/google/fscrypt v0.3.4
|
||||
## explicit; go 1.16
|
||||
# github.com/google/fscrypt v0.3.6-0.20240502174735-068b9f8f5dec
|
||||
## explicit; go 1.18
|
||||
github.com/google/fscrypt/actions
|
||||
github.com/google/fscrypt/crypto
|
||||
github.com/google/fscrypt/filesystem
|
||||
@ -617,6 +621,8 @@ github.com/stoewer/go-strcase
|
||||
## explicit; go 1.17
|
||||
github.com/stretchr/testify/assert
|
||||
github.com/stretchr/testify/require
|
||||
# github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad
|
||||
## explicit
|
||||
# go.etcd.io/etcd/api/v3 v3.5.10
|
||||
## explicit; go 1.20
|
||||
go.etcd.io/etcd/api/v3/authpb
|
||||
@ -737,6 +743,10 @@ golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
|
||||
golang.org/x/exp/constraints
|
||||
golang.org/x/exp/maps
|
||||
golang.org/x/exp/slices
|
||||
# golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a
|
||||
## explicit; go 1.18
|
||||
# golang.org/x/mod v0.14.0
|
||||
## explicit; go 1.18
|
||||
# golang.org/x/net v0.25.0
|
||||
## explicit; go 1.18
|
||||
golang.org/x/net/context
|
||||
@ -943,6 +953,8 @@ gopkg.in/yaml.v2
|
||||
# gopkg.in/yaml.v3 v3.0.1
|
||||
## explicit
|
||||
gopkg.in/yaml.v3
|
||||
# honnef.co/go/tools v0.4.5
|
||||
## explicit; go 1.19
|
||||
# k8s.io/api v0.29.3 => k8s.io/api v0.29.3
|
||||
## explicit; go 1.21
|
||||
k8s.io/api/admission/v1
|
||||
|