From 075542f99e501ac15c5500febf3e4df8e70f13c0 Mon Sep 17 00:00:00 2001
From: Kailun Qin
Date: Thu, 9 Sep 2021 09:49:35 -0400
Subject: [PATCH] Update go-landlock and use NewConfig instead
Signed-off-by: Kailun Qin
---
 go.mod | 2 +-
 go.sum | 4 ++--
 libcontainer/landlock/landlock.go | 14 +++++++-------
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/go.mod b/go.mod
index dfeb440c16c..e849271220f 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/cyphar/filepath-securejoin v0.2.3
 github.com/docker/go-units v0.4.0
 github.com/godbus/dbus/v5 v5.0.4
- github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946
+ github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4
 github.com/moby/sys/mountinfo v0.4.1
 github.com/mrunalp/fileutils v0.5.0
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
diff --git a/go.sum b/go.sum
index 39ac0e0726c..59568008d61 100644
--- a/go.sum
+++ b/go.sum
@@ -40,8 +40,8 @@ github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946 h1:RRTOwBnwZR4a3IMyPq1uchxJcrLKWF4NTCHB2fbvo5Y=
-github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946/go.mod h1:wjznJ04q4Tvsbx3vkzfmgfEOe6w5dSGlXFa+xbSl9X8=
+github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4 h1:5FNPB9FxONNZ10VtNC2n15+0O4O6wfCqCBmkxm2O5x0=
+github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4/go.mod h1:wjznJ04q4Tvsbx3vkzfmgfEOe6w5dSGlXFa+xbSl9X8=
 github.com/moby/sys/mountinfo v0.4.1 h1:1O+1cHA1aujwEwwVMa2Xm2l+gIpUHyd3+D+d7LZh1kM=
 github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
 github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
diff --git a/libcontainer/landlock/landlock.go b/libcontainer/landlock/landlock.go
index c15ef8a4c2b..52b7aa49a02 100644
--- a/libcontainer/landlock/landlock.go
+++ b/libcontainer/landlock/landlock.go
@@ -21,14 +21,14 @@ func InitLandlock(config *configs.Landlock) error {
 return errors.New("cannot initialize Landlock - nil config passed")
 }
- var llConfig landlock.Config
-
 ruleset := config.Ruleset.HandledAccessFS
- // Panic on error when constructing the Landlock configuration using invalid config values.
- if config.DisableBestEffort {
- llConfig = landlock.MustConfig(ruleset)
- } else {
- llConfig = landlock.MustConfig(ruleset).BestEffort()
+ llConfig, err := landlock.NewConfig(ruleset)
+ if err != nil {
+ return fmt.Errorf("could not create ruleset: %w", err)
+ }
+
+ if !config.DisableBestEffort {
+ *llConfig = llConfig.BestEffort()
 }
 if err := llConfig.RestrictPaths(
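Review bot: The `if !config.DisableBestEffort` branch in InitLandlock makes degraded enforcement the default, and with the old comment removed nothing in the new code says so; go-landlock's own documentation warns that a best-effort `RestrictPaths` call succeeds without error even when the running kernel has no Landlock support, so the caller gets nil whether or not any restriction was applied. I would add a comment above the branch such as `// Best-effort: enforcement is reduced, possibly to nothing, on kernels lacking Landlock; set DisableBestEffort to fail closed.` and consider logging when that mode is selected. The wrapped error text `could not create ruleset` is also slightly off, since `NewConfig` builds a configuration rather than a kernel ruleset; `creating landlock config: %w` would read better in an error chain. InitLandlock begins before and continues after this hunk, and the import block is not part of the diff, so whether `fmt` is already imported cannot be confirmed from here.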