vendor/github.com/moby/buildkit/executor/oci/spec_unix.go - third_party/github.com/docker/docker - Git at Google

 // +build !windows

 package oci

 import (
 	"github.com/containerd/containerd/contrib/seccomp"
 	"github.com/containerd/containerd/oci"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/entitlements/security"
 	"github.com/moby/buildkit/util/system"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )

 func generateMountOpts(resolvConf, hostsFile string) ([]oci.SpecOpts, error) {
 	return []oci.SpecOpts{
 		// https://github.com/moby/buildkit/issues/429
 		withRemovedMount("/run"),
 		withROBind(resolvConf, "/etc/resolv.conf"),
 		withROBind(hostsFile, "/etc/hosts"),
 		withCGroup(),
 	}, nil
 }

 // generateSecurityOpts may affect mounts, so must be called after generateMountOpts
 func generateSecurityOpts(mode pb.SecurityMode) ([]oci.SpecOpts, error) {
 	if mode == pb.SecurityMode_INSECURE {
 		return []oci.SpecOpts{
 			security.WithInsecureSpec(),
 			oci.WithWriteableCgroupfs,
 			oci.WithWriteableSysfs,
 		}, nil
 	} else if system.SeccompSupported() && mode == pb.SecurityMode_SANDBOX {
 		return []oci.SpecOpts{seccomp.WithDefaultProfile()}, nil
 	}
 	return nil, nil
 }

 // generateProcessModeOpts may affect mounts, so must be called after generateMountOpts
 func generateProcessModeOpts(mode ProcessMode) ([]oci.SpecOpts, error) {
 	if mode == NoProcessSandbox {
 		return []oci.SpecOpts{
 			oci.WithHostNamespace(specs.PIDNamespace),
 			withBoundProc(),
 		}, nil
 		// TODO(AkihiroSuda): Configure seccomp to disable ptrace (and prctl?) explicitly
 	}
 	return nil, nil
 }

 func generateIDmapOpts(idmap *idtools.IdentityMapping) ([]oci.SpecOpts, error) {
 	if idmap == nil {
 		return nil, nil
 	}
 	return []oci.SpecOpts{
 		oci.WithUserNamespace(specMapping(idmap.UIDs()), specMapping(idmap.GIDs())),
 	}, nil
 }
	// +build !windows

	package oci

	import (
	"github.com/containerd/containerd/contrib/seccomp"
	"github.com/containerd/containerd/oci"
	"github.com/docker/docker/pkg/idtools"
	"github.com/moby/buildkit/solver/pb"
	"github.com/moby/buildkit/util/entitlements/security"
	"github.com/moby/buildkit/util/system"
	specs "github.com/opencontainers/runtime-spec/specs-go"
	)

	func generateMountOpts(resolvConf, hostsFile string) ([]oci.SpecOpts, error) {
	return []oci.SpecOpts{
	// https://github.com/moby/buildkit/issues/429
	withRemovedMount("/run"),
	withROBind(resolvConf, "/etc/resolv.conf"),
	withROBind(hostsFile, "/etc/hosts"),
	withCGroup(),
	}, nil
	}

	// generateSecurityOpts may affect mounts, so must be called after generateMountOpts
	func generateSecurityOpts(mode pb.SecurityMode) ([]oci.SpecOpts, error) {
	if mode == pb.SecurityMode_INSECURE {
	return []oci.SpecOpts{
	security.WithInsecureSpec(),
	oci.WithWriteableCgroupfs,
	oci.WithWriteableSysfs,
	}, nil
	} else if system.SeccompSupported() && mode == pb.SecurityMode_SANDBOX {
	return []oci.SpecOpts{seccomp.WithDefaultProfile()}, nil
	}
	return nil, nil
	}

	// generateProcessModeOpts may affect mounts, so must be called after generateMountOpts
	func generateProcessModeOpts(mode ProcessMode) ([]oci.SpecOpts, error) {
	if mode == NoProcessSandbox {
	return []oci.SpecOpts{
	oci.WithHostNamespace(specs.PIDNamespace),
	withBoundProc(),
	}, nil
	// TODO(AkihiroSuda): Configure seccomp to disable ptrace (and prctl?) explicitly
	}
	return nil, nil
	}

	func generateIDmapOpts(idmap *idtools.IdentityMapping) ([]oci.SpecOpts, error) {
	if idmap == nil {
	return nil, nil
	}
	return []oci.SpecOpts{
	oci.WithUserNamespace(specMapping(idmap.UIDs()), specMapping(idmap.GIDs())),
	}, nil
	}