From cfe834c1db7cebe124e99d94aa821c34de85c766 Mon Sep 17 00:00:00 2001 From: Kailun Qin Date: Thu, 9 Sep 2021 09:49:35 -0400 Subject: [PATCH] Update go-landlock and use NewConfig instead Co-authored-by: Zheao Li Signed-off-by: Kailun Qin --- go.mod | 22 ++++++++++++++++++++++ go.sum | 15 +++++++++++++++ libcontainer/landlock/landlock.go | 14 +++++++------- 3 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index 211914c40c6..574b4492685 100644
--- a/go.mod
+++ b/go.mod
@@ -38,4 +38,26 @@ require (
 github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/vishvananda/netns v0.0.4 // indirect
+ github.com/bits-and-blooms/bitset v1.2.0
+ github.com/checkpoint-restore/go-criu/v5 v5.0.0
+ github.com/cilium/ebpf v0.6.2
+ github.com/containerd/console v1.0.3
+ github.com/coreos/go-systemd/v22 v22.3.2
+ github.com/cyphar/filepath-securejoin v0.2.3
+ github.com/docker/go-units v0.4.0
+ github.com/godbus/dbus/v5 v5.0.4
+ github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4
+ github.com/moby/sys/mountinfo v0.4.1
+ github.com/mrunalp/fileutils v0.5.0
+ github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
+ github.com/opencontainers/selinux v1.8.4
+ github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921
+ github.com/sirupsen/logrus v1.8.1
+ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
+ // NOTE: urfave/cli must be <= v1.22.1 due to a regression: https://github.com/urfave/cli/issues/1092
+ github.com/urfave/cli v1.22.1
+ github.com/vishvananda/netlink v1.1.0
+ golang.org/x/net v0.0.0-20201224014010-6772e930b67b
+ golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf
+ google.golang.org/protobuf v1.27.1
 )
diff --git a/go.sum b/go.sum
index e6d8ccf7067..d2e5a604dca 100644
--- a/go.sum
+++ b/go.sum
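Review bot: After this hunk the require block lists github.com/landlock-lsm/go-landlock twice, once as the unchanged context line pinned at `v0.0.0-20210828133255-ec6c6b87a946` and once as the added line pinned at `v0.0.0-20210908180355-c56710719da4`, while the go.sum hunk in this patch only adds hashes for the latter. Two pins for one module leave it unclear which commit is actually built and checksum-verified, so the old line should be dropped or changed in place so that only `github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4` remains. Several of the other added lines (runtime-spec, selinux, mountinfo, ...) also appear to re-add modules that the go.sum context shows at different versions, which suggests the hunk was generated against a different base; regenerating it with `go mod tidy` before merging would make the dependency set unambiguous.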
@@ -55,6 +55,21 @@ github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
 github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4 h1:5FNPB9FxONNZ10VtNC2n15+0O4O6wfCqCBmkxm2O5x0=
+github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4/go.mod h1:wjznJ04q4Tvsbx3vkzfmgfEOe6w5dSGlXFa+xbSl9X8=
+github.com/moby/sys/mountinfo v0.4.1 h1:1O+1cHA1aujwEwwVMa2Xm2l+gIpUHyd3+D+d7LZh1kM=
+github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
+github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
+github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/selinux v1.8.4 h1:krlgQ6/j9CkCXT5oW0yVXdQFOME3NjKuuAZXuR6O7P4=
+github.com/opencontainers/selinux v1.8.4/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
diff --git a/libcontainer/landlock/landlock.go b/libcontainer/landlock/landlock.go
index c15ef8a4c2b..52b7aa49a02 100644
--- a/libcontainer/landlock/landlock.go
+++ b/libcontainer/landlock/landlock.go
@@ -21,14 +21,14 @@ func InitLandlock(config *configs.Landlock) error {
 return errors.New("cannot initialize Landlock - nil config passed")
 }
- var llConfig landlock.Config
- ruleset := config.Ruleset.HandledAccessFS
- // Panic on error when constructing the Landlock configuration using invalid config values.
- if config.DisableBestEffort {
- llConfig = landlock.MustConfig(ruleset)
- } else {
- llConfig = landlock.MustConfig(ruleset).BestEffort()
+ llConfig, err := landlock.NewConfig(ruleset)
+ if err != nil {
+ return fmt.Errorf("could not create ruleset: %w", err)
+ }
+
+ if !config.DisableBestEffort {
+ *llConfig = llConfig.BestEffort()
 }
 if err := llConfig.RestrictPaths(
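Review bot: The new side calls `landlock.NewConfig(ruleset)` while this hunk also shows `ruleset := config.Ruleset.HandledAccessFS` on the removed side, so `ruleset` would be undefined in the new code unless that line is really unchanged context whose marker was lost in rendering; if it was in fact removed, restore `ruleset := config.Ruleset.HandledAccessFS` directly above the NewConfig call. The best-effort branch also deserves a comment, because `BestEffort()` presumably lets the library enforce a reduced access set on kernels with an older Landlock ABI, which weakens the sandbox without any signal to the operator: `// Best-effort mode may silently enforce a weaker ruleset than requested on older Landlock ABIs.` `fmt.Errorf` additionally needs `fmt` in the import block, which lies outside this hunk, if it is not already imported. InitLandlock continues past the end of the hunk with the RestrictPaths call.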