From 634401d24c46cb8598cd3ea3fc0b500679ff83f5 Mon Sep 17 00:00:00 2001
From: Albin Kerouanton
Date: Fri, 13 Feb 2026 09:21:32 +0100
Subject: [PATCH 1/3] Don't bail out if no image verifiers available

When the local transfer plugin is instantiated, it loads verifiers through `ic.GetByType()` which returns ErrPluginNotFound if no plugins of the given type is available. This would happen if users explicitly disabled the bindir plugin.

Users may wish to disable that plugin to prevent containerd from executing arbitrary binaries on the host (e.g. when running rootless). Currently, the only way to achieve that is to set bindir's param `bin_dir` to the empty string but that seems more fragile than disabling the plugin altogether.

The local transfer plugin is already checking if there are no plugins available, and take action accordingly. Thus, not handling `ErrPluginNotFound` seems to be an oversight.

Signed-off-by: Albin Kerouanton
---
 plugins/transfer/plugin.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plugins/transfer/plugin.go b/plugins/transfer/plugin.go
index 6ab1041fbd140..cd4fd4ccd0244 100644
--- a/plugins/transfer/plugin.go
+++ b/plugins/transfer/plugin.go
@@ -17,6 +17,7 @@ package transfer
 
 import (
+	"errors"
 	"fmt"
 
 	"github.com/containerd/errdefs"
@@ -71,7 +72,7 @@ func init() {
 			lc.Leases = l.(leases.Manager)
 
 			vps, err := ic.GetByType(plugins.ImageVerifierPlugin)
-			if err != nil {
+			if err != nil && !errors.Is(err, plugin.ErrPluginNotFound) {
 				return nil, err
 			}
 			if len(vps) > 0 {
From 50988274259ca48c3b3716bd756a7cf7ad8c1cef Mon Sep 17 00:00:00 2001
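Review bot: Tolerating `plugin.ErrPluginNotFound` on the `vps, err := ic.GetByType(plugins.ImageVerifierPlugin)` line means the transfer service now starts with no image verifiers at all, and nothing in the hunk makes that state visible to an operator who deployed containerd expecting signature or policy checks to run. `vps` is nil in that case, so the visible `if len(vps) > 0 {` is skipped; the branch taken when no verifier is registered lies outside the hunk (the enclosing `InitFn` inside `init()` starts and ends outside it), and it would be worth emitting a log line there, e.g. `log.G(ic.Context).Info("no image verifier plugins registered; images will not be verified")` if the file already has containerd's logger in scope. The condition itself deserves a why-comment so the next reader does not "fix" it back: `// ErrPluginNotFound means no verifier plugin is registered (e.g. bindir disabled); run without verification rather than fail startup.`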
From: Sebastiaan van Stijn
Date: Mon, 16 Feb 2026 17:36:47 +0100
Subject: [PATCH 2/3] contrib/apparmor: fix /proc/sys rule

The current AppArmor profile intends to block write access to everything in `/proc`, except for `/proc/` and `/proc/sys/kernel/shm*`. Currently the rules block access to everything in `/proc/sys`, and do not successfully allow access to `/proc/sys/kernel/shm*`.

Specifically, a path like /proc/sys/kernel/shmmax matches this part of the pattern:

deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]* }/** w,
/proc / s y s / kernel /shmmax

This downstreams the patch from [moby@66f14e4] to the containerd profile, and updates the rule so that it works as intended.

[moby@66f14e4]: https://github.com/moby/moby/commit/66f14e4ae9173f6fb7d1e4a7e13632297bdb8d29

Co-authored-by: Phil Sphicas
Signed-off-by: Sebastiaan van Stijn
---
 contrib/apparmor/template.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
index 263c09d1bdf22..94a45a8b6487b 100644
--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@@ -72,7 +72,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 
   deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
   # deny write to files not in /proc//** or /proc/sys/**
-  deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+  deny @{PROC}/{[^1-9/],[^1-9/][^0-9/],[^1-9s/][^0-9y/][^0-9s/],[^1-9/][^0-9/][^0-9/][^0-9/]*}/** w,
   deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
   deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
   deny @{PROC}/sysrq-trigger rwklx,
From 5ef537b3876bca101789a0ceba7d0265510843bc Mon Sep 17 00:00:00 2001
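Review bot: Once the corrected rule on the `+` line no longer (accidentally) matches `/proc/sys/**`, the only rule left restricting `/proc/sys/kernel` is the context line `deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w,`, and that glob does not express "everything except shm*": `[^s][^h][^m]**` only matches names whose first character is not `s`, second not `h` and third not `m`, so names such as `sysrq`, `sem`, `domainname` or `threads-max` fall outside every alternative and are no longer denied, whereas the old overbroad rule covered them. If the intent really is "deny unless it starts with shm", the exclusion should be spelled out as `deny @{PROC}/sys/kernel/{?,??,[^s]**,s[^h]**,sh[^m]**} w,` (assuming the usual AppArmor semantics of `[^x]` as one character and `**` as any tail, including empty). This is defence in depth only where the runtime does not already mount `/proc/sys` read-only, as the OCI default spec does, so it mostly bites privileged or custom-spec containers, but for those the profile becomes strictly weaker than before this patch. A small test that renders the template and checks a handful of representative paths (`shmmax` allowed, `sysrq` and `core_pattern` denied) would catch the next glob tweak.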
From: Sebastiaan van Stijn
Date: Tue, 17 Feb 2026 13:57:23 +0100
Subject: [PATCH 3/3] cmd/protoc-gen-go-fieldpath: add support for optional fields

generating protos produced a warning:

WARN plugin "protoc-gen-go-fieldpath" does not support required features. Feature "proto3 optional" is required by 1 file(s): services/images/v1/images.proto

Implement handling for optional fields (nillable / pointer)

Signed-off-by: Sebastiaan van Stijn
---
 cmd/protoc-gen-go-fieldpath/generator.go | 19 ++++++++++++++++---
 cmd/protoc-gen-go-fieldpath/main.go | 2 ++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/cmd/protoc-gen-go-fieldpath/generator.go b/cmd/protoc-gen-go-fieldpath/generator.go
index b651f1b06579b..103afdcb79bfe 100644
--- a/cmd/protoc-gen-go-fieldpath/generator.go
+++ b/cmd/protoc-gen-go-fieldpath/generator.go
@@ -107,14 +107,27 @@ func (gen *generator) genFieldMethod(m *protogen.Message) {
 			p.P("}")
 			p.P("return m.", f.GoName, ".Field(fieldpath[1:])")
 		case f.Desc.Kind() == protoreflect.StringKind:
-			p.P("return string(m.", f.GoName, "), len(m.", f.GoName, ") > 0")
+			if f.Desc.HasPresence() {
+				p.P("if m.", f.GoName, " == nil {")
+				p.P(`return "", false`)
+				p.P("}")
+				p.P("return *m.", f.GoName, ", true")
+			} else {
+				p.P("return string(m.", f.GoName, "), len(m.", f.GoName, ") > 0")
+			}
 		case f.Desc.Kind() == protoreflect.BoolKind:
 			fmtSprint := gen.out.QualifiedGoIdent(protogen.GoIdent{
 				GoImportPath: "fmt",
 				GoName: "Sprint",
 			})
-			p.P("return ", fmtSprint, "(m.", f.GoName, "), true")
+			if f.Desc.HasPresence() {
+				p.P("if m.", f.GoName, " == nil {")
+				p.P(`return "", false`)
+				p.P("}")
+				p.P("return ", fmtSprint, "(*m.", f.GoName, "), true")
+			} else {
+				p.P("return ", fmtSprint, "(m.", f.GoName, "), true")
+			}
 		}
 	}
diff --git a/cmd/protoc-gen-go-fieldpath/main.go b/cmd/protoc-gen-go-fieldpath/main.go
index faa2005d2f4c8..5b6a8ea76190d 100644
--- a/cmd/protoc-gen-go-fieldpath/main.go
+++ b/cmd/protoc-gen-go-fieldpath/main.go
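Review bot: The new `if f.Desc.HasPresence() {` branch in the string case changes what "present" means compared with the plain-proto3 path right below it: an optional string explicitly set to `""` is now reported as `("", true)`, while an unset plain string stays `("", false)`, so a fieldpath filter on such a field can match an empty value. That is presumably the point of explicit presence, but it is a behavioural asymmetry that deserves a comment on that line, e.g. `// Explicit-presence fields (proto3 optional / proto2) are generated as pointers; report them present whenever set, even if the value is the zero value.` Note also that `HasPresence()` is true for oneof members, whose Go representation is not a pointer field, so unless an earlier case of this switch handles oneofs the generated `*m.X` would not compile for them; genFieldMethod starts outside the hunk, so that cannot be confirmed here. The nil-check/else pair is duplicated verbatim in the bool case and could be a small helper, but that is cosmetic.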
@@ -18,10 +18,12 @@ package main
 
 import (
 	"google.golang.org/protobuf/compiler/protogen"
+	"google.golang.org/protobuf/types/pluginpb"
 )
 
 func main() {
 	protogen.Options{}.Run(func(gen *protogen.Plugin) error {
+		gen.SupportedFeatures = uint64(pluginpb.CodeGeneratorResponse_FEATURE_PROTO3_OPTIONAL)
 		for _, f := range gen.Files {
 			if !f.Generate {
 				continue