Support priv/unpriv image extraction

Optionally add back privileged extraction which can be enabled with LUET_PRIVILEGED_EXTRACT=true Signed-off-by: Ettore Di Giacinto <mudler@sabayon.org>
2025-09-03 08:14:46 +00:00 · 2021-06-16 23:29:23 +02:00
parent 8780e4f16f
commit 92e18d5782
663 changed files with 157764 additions and 203 deletions
--- a/vendor/github.com/moby/buildkit/snapshot/containerd/content.go
+++ b/vendor/github.com/moby/buildkit/snapshot/containerd/content.go
@@ -0,0 +1,82 @@
+package containerd
+
+import (
+	"context"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/opencontainers/go-digest"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+func NewContentStore(store content.Store, ns string) content.Store {
+	return &nsContent{ns, store}
+}
+
+type nsContent struct {
+	ns string
+	content.Store
+}
+
+func (c *nsContent) Info(ctx context.Context, dgst digest.Digest) (content.Info, error) {
+	ctx = namespaces.WithNamespace(ctx, c.ns)
+	return c.Store.Info(ctx, dgst)
+}
+
+func (c *nsContent) Update(ctx context.Context, info content.Info, fieldpaths ...string) (content.Info, error) {
+	ctx = namespaces.WithNamespace(ctx, c.ns)
+	return c.Store.Update(ctx, info, fieldpaths...)
+}
+
+func (c *nsContent) Walk(ctx context.Context, fn content.WalkFunc, filters ...string) error {
+	ctx = namespaces.WithNamespace(ctx, c.ns)
+	return c.Store.Walk(ctx, fn, filters...)
+}
+
+func (c *nsContent) Delete(ctx context.Context, dgst digest.Digest) error {
+	return errors.Errorf("contentstore.Delete usage is forbidden")
+}
+
+func (c *nsContent) Status(ctx context.Context, ref string) (content.Status, error) {
+	ctx = namespaces.WithNamespace(ctx, c.ns)
+	return c.Store.Status(ctx, ref)
+}
+
+func (c *nsContent) ListStatuses(ctx context.Context, filters ...string) ([]content.Status, error) {
+	ctx = namespaces.WithNamespace(ctx, c.ns)
+	return c.Store.ListStatuses(ctx, filters...)
+}
+
+func (c *nsContent) Abort(ctx context.Context, ref string) error {
+	ctx = namespaces.WithNamespace(ctx, c.ns)
+	return c.Store.Abort(ctx, ref)
+}
+
+func (c *nsContent) ReaderAt(ctx context.Context, desc ocispec.Descriptor) (content.ReaderAt, error) {
+	ctx = namespaces.WithNamespace(ctx, c.ns)
+	return c.Store.ReaderAt(ctx, desc)
+}
+
+func (c *nsContent) Writer(ctx context.Context, opts ...content.WriterOpt) (content.Writer, error) {
+	return c.writer(ctx, 3, opts...)
+}
+
+func (c *nsContent) writer(ctx context.Context, retries int, opts ...content.WriterOpt) (content.Writer, error) {
+	ctx = namespaces.WithNamespace(ctx, c.ns)
+	w, err := c.Store.Writer(ctx, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &nsWriter{Writer: w, ns: c.ns}, nil
+}
+
+type nsWriter struct {
+	content.Writer
+	ns string
+}
+
+func (w *nsWriter) Commit(ctx context.Context, size int64, expected digest.Digest, opts ...content.Opt) error {
+	ctx = namespaces.WithNamespace(ctx, w.ns)
+	return w.Writer.Commit(ctx, size, expected, opts...)
+}
--- a/vendor/github.com/moby/buildkit/snapshot/containerd/snapshotter.go
+++ b/vendor/github.com/moby/buildkit/snapshot/containerd/snapshotter.go
@@ -0,0 +1,63 @@
+package containerd
+
+import (
+	"context"
+
+	"github.com/containerd/containerd/mount"
+	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/snapshots"
+	"github.com/docker/docker/pkg/idtools"
+	"github.com/moby/buildkit/snapshot"
+	"github.com/pkg/errors"
+)
+
+func NewSnapshotter(name string, snapshotter snapshots.Snapshotter, ns string, idmap *idtools.IdentityMapping) snapshot.Snapshotter {
+	return snapshot.FromContainerdSnapshotter(name, &nsSnapshotter{ns, snapshotter}, idmap)
+}
+
+func NSSnapshotter(ns string, snapshotter snapshots.Snapshotter) snapshots.Snapshotter {
+	return &nsSnapshotter{ns: ns, Snapshotter: snapshotter}
+}
+
+type nsSnapshotter struct {
+	ns string
+	snapshots.Snapshotter
+}
+
+func (s *nsSnapshotter) Stat(ctx context.Context, key string) (snapshots.Info, error) {
+	ctx = namespaces.WithNamespace(ctx, s.ns)
+	return s.Snapshotter.Stat(ctx, key)
+}
+
+func (s *nsSnapshotter) Update(ctx context.Context, info snapshots.Info, fieldpaths ...string) (snapshots.Info, error) {
+	ctx = namespaces.WithNamespace(ctx, s.ns)
+	return s.Snapshotter.Update(ctx, info, fieldpaths...)
+}
+
+func (s *nsSnapshotter) Usage(ctx context.Context, key string) (snapshots.Usage, error) {
+	ctx = namespaces.WithNamespace(ctx, s.ns)
+	return s.Snapshotter.Usage(ctx, key)
+}
+func (s *nsSnapshotter) Mounts(ctx context.Context, key string) ([]mount.Mount, error) {
+	ctx = namespaces.WithNamespace(ctx, s.ns)
+	return s.Snapshotter.Mounts(ctx, key)
+}
+func (s *nsSnapshotter) Prepare(ctx context.Context, key, parent string, opts ...snapshots.Opt) ([]mount.Mount, error) {
+	ctx = namespaces.WithNamespace(ctx, s.ns)
+	return s.Snapshotter.Prepare(ctx, key, parent, opts...)
+}
+func (s *nsSnapshotter) View(ctx context.Context, key, parent string, opts ...snapshots.Opt) ([]mount.Mount, error) {
+	ctx = namespaces.WithNamespace(ctx, s.ns)
+	return s.Snapshotter.View(ctx, key, parent, opts...)
+}
+func (s *nsSnapshotter) Commit(ctx context.Context, name, key string, opts ...snapshots.Opt) error {
+	ctx = namespaces.WithNamespace(ctx, s.ns)
+	return s.Snapshotter.Commit(ctx, name, key, opts...)
+}
+func (s *nsSnapshotter) Remove(ctx context.Context, key string) error {
+	return errors.Errorf("calling snapshotter.Remove is forbidden")
+}
+func (s *nsSnapshotter) Walk(ctx context.Context, fn snapshots.WalkFunc, filters ...string) error {
+	ctx = namespaces.WithNamespace(ctx, s.ns)
+	return s.Snapshotter.Walk(ctx, fn, filters...)
+}