vendor: update docker and fsutil

Brings in fixes for the pattern matcher.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

go.mod

@@ -52,7 +52,7 @@ require (
 	github.com/serialx/hashring v0.0.0-20190422032157-8b2912629002
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.7.0
-	github.com/tonistiigi/fsutil v0.0.0-20211208180946-61a57076b9b0
+	github.com/tonistiigi/fsutil v0.0.0-20220115021204-b19f7f9cb274
 	github.com/tonistiigi/go-actions-cache v0.0.0-20211202175116-9642704158ff
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea
 	github.com/tonistiigi/vt100 v0.0.0-20210615222946-8066bb97264f
@@ -124,4 +124,4 @@ require (
 	gotest.tools/v3 v3.0.3 // indirect
 )
 
-replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20211208011758-87521affb077+incompatible
+replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220121014307-40bb9831756f+incompatible

go.sum

@@ -440,8 +440,8 @@ github.com/docker/distribution v2.6.0-rc.1.0.20180327202408-83389a148052+incompa
 github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v20.10.3-0.20211208011758-87521affb077+incompatible h1:gUm2bOLaaAPkV1z4te7ahrXTWyA+PNNWroISSOttSgU=
-github.com/docker/docker v20.10.3-0.20211208011758-87521affb077+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.3-0.20220121014307-40bb9831756f+incompatible h1:IDzw9qR4h7PF3aEriDajLKrkvc3owPWHasPKUEliWUE=
+github.com/docker/docker v20.10.3-0.20220121014307-40bb9831756f+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/docker-credential-helpers v0.6.4 h1:axCks+yV+2MR3/kZhAmy07yC56WZ2Pwu/fKWtKuZB0o=
 github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c=
@@ -1230,8 +1230,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1
 github.com/tommy-muehle/go-mnd v1.1.1/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig=
 github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig=
 github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85/go.mod h1:a7cilN64dG941IOXfhJhlH0qB92hxJ9A1ewrdUmJ6xo=
-github.com/tonistiigi/fsutil v0.0.0-20211208180946-61a57076b9b0 h1:1s9pEdOzN6AuOsBXKpAoSVupUDsGx2v6Fee/hIto8Vg=
-github.com/tonistiigi/fsutil v0.0.0-20211208180946-61a57076b9b0/go.mod h1:oPAfvw32vlUJSjyDcQ3Bu0nb2ON2B+G0dtVN/SZNJiA=
+github.com/tonistiigi/fsutil v0.0.0-20220115021204-b19f7f9cb274 h1:wbyZxD6IPFp0sl5uscMOJRsz5UKGFiNiD16e+MVfKZY=
+github.com/tonistiigi/fsutil v0.0.0-20220115021204-b19f7f9cb274/go.mod h1:oPAfvw32vlUJSjyDcQ3Bu0nb2ON2B+G0dtVN/SZNJiA=
 github.com/tonistiigi/go-actions-cache v0.0.0-20211202175116-9642704158ff h1:n8i1G5sBFmY8aDteg5Kf2rdU15KnFcS807QrYRM9/yQ=
 github.com/tonistiigi/go-actions-cache v0.0.0-20211202175116-9642704158ff/go.mod h1:qqvyZqkfwkoJuPU/bw61bItaoO0SJ8YSW0vSVRRvsRg=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea h1:SXhTLE6pb6eld/v/cCndK0AMpt1wiVFb/YYmqB3/QG0=

vendor/github.com/docker/docker/api/swagger.yaml

@@ -8782,12 +8782,20 @@ paths:
         if `tty` was specified as part of creating and starting the exec instance.
       operationId: "ExecResize"
       responses:
-        201:
+        200:
           description: "No error"
+        400:
+          description: "bad parameter"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
         404:
           description: "No such exec instance"
           schema:
             $ref: "#/definitions/ErrorResponse"
+        500:
+          description: "Server error"
+          schema:
+            $ref: "#/definitions/ErrorResponse"
       parameters:
         - name: "id"
           in: "path"

vendor/github.com/docker/docker/pkg/fileutils/fileutils.go

@@ -285,12 +285,23 @@ func (pm *PatternMatcher) Patterns() []*Pattern {
 
 // Pattern defines a single regexp used to filter file paths.
 type Pattern struct {
+	matchType      matchType
 	cleanedPattern string
 	dirs           []string
 	regexp         *regexp.Regexp
 	exclusion      bool
 }
 
+type matchType int
+
+const (
+	unknownMatch matchType = iota
+	exactMatch
+	prefixMatch
+	suffixMatch
+	regexpMatch
+)
+
 func (p *Pattern) String() string {
 	return p.cleanedPattern
 }
@@ -301,18 +312,34 @@ func (p *Pattern) Exclusion() bool {
 }
 
 func (p *Pattern) match(path string) (bool, error) {
-	if p.regexp == nil {
-		if err := p.compile(); err != nil {
+	if p.matchType == unknownMatch {
+		if err := p.compile(string(os.PathSeparator)); err != nil {
 			return false, filepath.ErrBadPattern
 		}
 	}
 
-	b := p.regexp.MatchString(path)
-
-	return b, nil
+	switch p.matchType {
+	case exactMatch:
+		return path == p.cleanedPattern, nil
+	case prefixMatch:
+		// strip trailing **
+		return strings.HasPrefix(path, p.cleanedPattern[:len(p.cleanedPattern)-2]), nil
+	case suffixMatch:
+		// strip leading **
+		suffix := p.cleanedPattern[2:]
+		if strings.HasSuffix(path, suffix) {
+			return true, nil
+		}
+		// **/foo matches "foo"
+		return suffix[0] == os.PathSeparator && path == suffix[1:], nil
+	case regexpMatch:
+		return p.regexp.MatchString(path), nil
 	}
 
-func (p *Pattern) compile() error {
+	return false, nil
+}
+
+func (p *Pattern) compile(sl string) error {
 	regStr := "^"
 	pattern := p.cleanedPattern
 	// Go through the pattern and convert it to a regexp.
@@ -320,13 +347,13 @@ func (p *Pattern) compile() error {
 	var scan scanner.Scanner
 	scan.Init(strings.NewReader(pattern))
 
-	sl := string(os.PathSeparator)
 	escSL := sl
 	if sl == `\` {
 		escSL += `\`
 	}
 
-	for scan.Peek() != scanner.EOF {
+	p.matchType = exactMatch
+	for i := 0; scan.Peek() != scanner.EOF; i++ {
 		ch := scan.Next()
 
 		if ch == '*' {
@@ -341,20 +368,32 @@ func (p *Pattern) compile() error {
 
 				if scan.Peek() == scanner.EOF {
 					// is "**EOF" - to align with .gitignore just accept all
+					if p.matchType == exactMatch {
+						p.matchType = prefixMatch
+					} else {
 						regStr += ".*"
+						p.matchType = regexpMatch
+					}
 				} else {
 					// is "**"
 					// Note that this allows for any # of /'s (even 0) because
 					// the .* will eat everything, even /'s
 					regStr += "(.*" + escSL + ")?"
+					p.matchType = regexpMatch
+				}
+
+				if i == 0 {
+					p.matchType = suffixMatch
 				}
 			} else {
 				// is "*" so map it to anything but "/"
 				regStr += "[^" + escSL + "]*"
+				p.matchType = regexpMatch
 			}
 		} else if ch == '?' {
 			// "?" is any char except "/"
 			regStr += "[^" + escSL + "]"
+			p.matchType = regexpMatch
 		} else if shouldEscape(ch) {
 			// Escape some regexp special chars that have no meaning
 			// in golang's filepath.Match
@@ -371,14 +410,22 @@ func (p *Pattern) compile() error {
 			}
 			if scan.Peek() != scanner.EOF {
 				regStr += `\` + string(scan.Next())
+				p.matchType = regexpMatch
 			} else {
 				regStr += `\`
 			}
+		} else if ch == '[' || ch == ']' {
+			regStr += string(ch)
+			p.matchType = regexpMatch
 		} else {
 			regStr += string(ch)
 		}
 	}
 
+	if p.matchType != regexpMatch {
+		return nil
+	}
+
 	regStr += "$"
 
 	re, err := regexp.Compile(regStr)
@@ -387,6 +434,7 @@ func (p *Pattern) compile() error {
 	}
 
 	p.regexp = re
+	p.matchType = regexpMatch
 	return nil
 }
 

vendor/github.com/docker/docker/pkg/system/mknod_unix.go

@@ -1,3 +1,6 @@
+//go:build !freebsd && !windows
+// +build !freebsd,!windows
+
 package system // import "github.com/docker/docker/pkg/system"
 
 import (

vendor/github.com/docker/docker/profiles/seccomp/default.json

@@ -474,7 +474,8 @@
 		},
 		{
 			"names": [
-				"sync_file_range2"
+				"sync_file_range2",
+				"swapcontext"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"includes": {

vendor/github.com/docker/docker/profiles/seccomp/default_linux.go

@@ -474,6 +474,7 @@ func DefaultProfile() *Seccomp {
 			LinuxSyscall: specs.LinuxSyscall{
 				Names: []string{
 					"sync_file_range2",
+					"swapcontext",
 				},
 				Action: specs.ActAllow,
 			},

vendor/github.com/tonistiigi/fsutil/walker.go

@@ -55,18 +55,41 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 			includePatterns = dedupePaths(includePatterns)
 		}
 	}
+
+	patternChars := "*[]?^"
+	if os.PathSeparator != '\\' {
+		patternChars += `\`
+	}
+
+	onlyPrefixIncludes := true
 	if len(includePatterns) != 0 {
 		includeMatcher, err = fileutils.NewPatternMatcher(includePatterns)
 		if err != nil {
 			return errors.Wrapf(err, "invalid includepatterns: %s", opt.IncludePatterns)
 		}
+
+		for _, p := range includeMatcher.Patterns() {
+			if !p.Exclusion() && strings.ContainsAny(patternWithoutTrailingGlob(p), patternChars) {
+				onlyPrefixIncludes = false
+				break
+			}
 		}
 
+	}
+
+	onlyPrefixExcludeExceptions := true
 	if opt != nil && opt.ExcludePatterns != nil {
 		excludeMatcher, err = fileutils.NewPatternMatcher(opt.ExcludePatterns)
 		if err != nil {
 			return errors.Wrapf(err, "invalid excludepatterns: %s", opt.ExcludePatterns)
 		}
+
+		for _, p := range excludeMatcher.Patterns() {
+			if p.Exclusion() && strings.ContainsAny(patternWithoutTrailingGlob(p), patternChars) {
+				onlyPrefixExcludeExceptions = false
+				break
+			}
+		}
 	}
 
 	type visitedDir struct {
@@ -83,15 +106,12 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 	var parentDirs []visitedDir
 
 	seenFiles := make(map[uint64]string)
-	return filepath.Walk(root, func(path string, fi os.FileInfo, err error) (retErr error) {
+	return filepath.Walk(root, func(path string, fi os.FileInfo, walkErr error) (retErr error) {
 		defer func() {
 			if retErr != nil && isNotExist(retErr) {
 				retErr = filepath.SkipDir
 			}
 		}()
-		if err != nil {
-			return err
-		}
 
 		origpath := path
 		path, err = filepath.Rel(root, path)
@@ -141,6 +161,22 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 			}
 
 			if !m {
+				if fi.IsDir() && onlyPrefixIncludes {
+					// Optimization: we can skip walking this dir if no include
+					// patterns could match anything inside it.
+					dirSlash := path + string(filepath.Separator)
+					for _, pat := range includeMatcher.Patterns() {
+						if pat.Exclusion() {
+							continue
+						}
+						patStr := patternWithoutTrailingGlob(pat) + string(filepath.Separator)
+						if strings.HasPrefix(patStr, dirSlash) {
+							goto passedIncludeFilter
+						}
+					}
+					return filepath.SkipDir
+				}
+			passedIncludeFilter:
 				skip = true
 			}
 		}
@@ -160,13 +196,38 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 			}
 
 			if m {
-				if fi.IsDir() && !excludeMatcher.Exclusions() {
+				if fi.IsDir() && onlyPrefixExcludeExceptions {
+					// Optimization: we can skip walking this dir if no
+					// exceptions to exclude patterns could match anything
+					// inside it.
+					if !excludeMatcher.Exclusions() {
 						return filepath.SkipDir
 					}
+
+					dirSlash := path + string(filepath.Separator)
+					for _, pat := range excludeMatcher.Patterns() {
+						if !pat.Exclusion() {
+							continue
+						}
+						patStr := patternWithoutTrailingGlob(pat) + string(filepath.Separator)
+						if strings.HasPrefix(patStr, dirSlash) {
+							goto passedExcludeFilter
+						}
+					}
+					return filepath.SkipDir
+				}
+			passedExcludeFilter:
 				skip = true
 			}
 		}
 
+		if walkErr != nil {
+			if skip && errors.Is(walkErr, os.ErrPermission) {
+				return nil
+			}
+			return walkErr
+		}
+
 		if includeMatcher != nil || excludeMatcher != nil {
 			defer func() {
 				if fi.IsDir() {
@@ -228,6 +289,16 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 	})
 }
 
+func patternWithoutTrailingGlob(p *fileutils.Pattern) string {
+	patStr := p.String()
+	// We use filepath.Separator here because fileutils.Pattern patterns
+	// get transformed to use the native path separator:
+	// https://github.com/moby/moby/blob/79651b7a979b40e26af353ad283ca7ea5d67a855/pkg/fileutils/fileutils.go#L54
+	patStr = strings.TrimSuffix(patStr, string(filepath.Separator)+"**")
+	patStr = strings.TrimSuffix(patStr, string(filepath.Separator)+"*")
+	return patStr
+}
+
 type StatInfo struct {
 	*types.Stat
 }

vendor/modules.txt

@@ -219,7 +219,7 @@ github.com/docker/cli/cli/connhelper/commandconn
 github.com/docker/distribution/digestset
 github.com/docker/distribution/reference
 github.com/docker/distribution/registry/api/errcode
-# github.com/docker/docker v20.10.7+incompatible => github.com/docker/docker v20.10.3-0.20211208011758-87521affb077+incompatible
+# github.com/docker/docker v20.10.7+incompatible => github.com/docker/docker v20.10.3-0.20220121014307-40bb9831756f+incompatible
 ## explicit
 github.com/docker/docker/api
 github.com/docker/docker/api/types
@@ -466,7 +466,7 @@ github.com/sirupsen/logrus
 ## explicit; go 1.13
 github.com/stretchr/testify/assert
 github.com/stretchr/testify/require
-# github.com/tonistiigi/fsutil v0.0.0-20211208180946-61a57076b9b0
+# github.com/tonistiigi/fsutil v0.0.0-20220115021204-b19f7f9cb274
 ## explicit; go 1.13
 github.com/tonistiigi/fsutil
 github.com/tonistiigi/fsutil/copy
@@ -716,4 +716,4 @@ gotest.tools/v3/internal/difflib
 gotest.tools/v3/internal/format
 gotest.tools/v3/internal/source
 gotest.tools/v3/poll
-# github.com/docker/docker => github.com/docker/docker v20.10.3-0.20211208011758-87521affb077+incompatible
+# github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220121014307-40bb9831756f+incompatible