Merge pull request #27806 from TomSweeneyRedHat/dev/tsweeney/runc-1.2.9-v5.4-rhel

[v5.4-rhel] Bump runc to 1.2.9, Buildah to v1.39.7
2025-12-23 22:28:30 -05:00 · 2025-12-19 10:07:44 -05:00
parent 7d8a6ba172 b12d7563f8
commit 591e60cf24
23 changed files with 273 additions and 58 deletions
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/checkpoint-restore/checkpointctl v1.3.0
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
 	github.com/containernetworking/plugins v1.5.1
-	github.com/containers/buildah v1.39.5
+	github.com/containers/buildah v1.39.7
 	github.com/containers/common v0.62.3
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.8.3
@@ -26,7 +26,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
 	github.com/crc-org/crc/v2 v2.45.0
 	github.com/crc-org/vfkit v0.6.0
-	github.com/cyphar/filepath-securejoin v0.5.1
+	github.com/cyphar/filepath-securejoin v0.5.2
 	github.com/digitalocean/go-qemu v0.0.0-20230711162256-2e3d0186973e
 	github.com/docker/distribution v2.8.3+incompatible
 	github.com/docker/docker v27.5.1+incompatible
@@ -57,7 +57,7 @@ require (
 	github.com/onsi/gomega v1.36.2
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
-	github.com/opencontainers/runc v1.2.8
+	github.com/opencontainers/runc v1.2.9
 	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/opencontainers/runtime-tools v0.9.1-0.20241108202711-f7e3563b0271
 	github.com/opencontainers/selinux v1.13.1
--- a/go.sum
+++ b/go.sum
@@ -76,8 +76,8 @@ github.com/containernetworking/cni v1.2.3 h1:hhOcjNVUQTnzdRJ6alC5XF+wd9mfGIUaj8F
 github.com/containernetworking/cni v1.2.3/go.mod h1:DuLgF+aPd3DzcTQTtp/Nvl1Kim23oFKdm2okJzBQA5M=
 github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+E5J/EcKOE4gQ=
 github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM=
-github.com/containers/buildah v1.39.5 h1:1d6V4/FGVGJy8HtqtjwpdSy47SF9FI40bCwF9Rkj0Pw=
-github.com/containers/buildah v1.39.5/go.mod h1:v2VU6vrd46ZW6h4UbODFwwMi+dx/+Y5WAvkXj9Ws1zY=
+github.com/containers/buildah v1.39.7 h1:KdNahLb9J9pZMFjXfykJEiBWxFgdtceMP4lBBN8I3uM=
+github.com/containers/buildah v1.39.7/go.mod h1:ihncEOaVw2tcOnkfyBspto2v0nXW2MHSQ3Ac7r0AeSI=
 github.com/containers/common v0.62.3 h1:aOGryqXfW6aKBbHbqOveH7zB+ihavUN03X/2pUSvWFI=
 github.com/containers/common v0.62.3/go.mod h1:3R8kDox2prC9uj/a2hmXj/YjZz5sBEUNrcDiw51S0Lo=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
@@ -115,8 +115,8 @@ github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f h1:eHnXnuK47UlSTOQexbzxAZfekVz6i+LKRdj1CU5DPaM=
 github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
-github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48=
-github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/cyphar/filepath-securejoin v0.5.2 h1:w/T2bhKr4pgwG0SUGjU4S/Is9+zUknLh5ROTJLzWX8E=
+github.com/cyphar/filepath-securejoin v0.5.2/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -395,8 +395,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/opencontainers/runc v1.2.8 h1:RnEICeDReapbZ5lZEgHvj7E9Q3Eex9toYmaGBsbvU5Q=
-github.com/opencontainers/runc v1.2.8/go.mod h1:cC0YkmZcuvr+rtBZ6T7NBoVbMGNAdLa/21vIElJDOzI=
+github.com/opencontainers/runc v1.2.9 h1:szn/ts2m7YujxUKxGOZYWnb/PCAE+HGa3v+4MezQg7A=
+github.com/opencontainers/runc v1.2.9/go.mod h1:PVeJMb4P50vsdTkVmHmZU4Z6EhjSruje+2EFt2PJUBM=
 github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20241108202711-f7e3563b0271 h1:TPj0pMLCTy1CKwmrat3hqTxoZfqOuTy0asG0ccpGk8Q=
--- a/vendor/github.com/containers/buildah/.cirrus.yml
+++ b/vendor/github.com/containers/buildah/.cirrus.yml
@@ -22,6 +22,8 @@ env:
    IN_PODMAN: 'false'
    # root or rootless
    PRIV_NAME: root
+    # default "mention the $BUILDAH_RUNTIME in the task alias, with initial whitespace" value
+    RUNTIME_N: ""

    ####
    #### Cache-image names to test with
@@ -197,36 +199,66 @@ conformance_task:


 integration_task:
-    name: "Integration $DISTRO_NV w/ $STORAGE_DRIVER"
+    name: "Integration $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER"
    alias: integration
    skip: *not_build_docs
    depends_on: *smoke_vendor

    matrix:
        # VFS
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
        - env:
            DISTRO_NV: "${FEDORA_NAME}"
            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
            STORAGE_DRIVER: 'vfs'
-        # Disabled until we update to f40/41 as f39 does not have go 1.22
-        # - env:
-        #     DISTRO_NV: "${PRIOR_FEDORA_NAME}"
-        #     IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
-        #     STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
        - env:
            DISTRO_NV: "${DEBIAN_NAME}"
            IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
            STORAGE_DRIVER: 'vfs'
        # OVERLAY
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
        - env:
            DISTRO_NV: "${FEDORA_NAME}"
            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
            STORAGE_DRIVER: 'overlay'
-        # Disabled until we update to f40/41 as f39 does not have go 1.22
-        # - env:
-        #     DISTRO_NV: "${PRIOR_FEDORA_NAME}"
-        #     IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
-        #     STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
        - env:
            DISTRO_NV: "${DEBIAN_NAME}"
            IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
@@ -255,7 +287,7 @@ integration_task:
        golang_version_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh golang'

 integration_rootless_task:
-    name: "Integration rootless $DISTRO_NV w/ $STORAGE_DRIVER"
+    name: "Integration rootless $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER"
    alias: integration_rootless
    skip: *not_build_docs
    depends_on: *smoke_vendor
@@ -263,17 +295,34 @@ integration_rootless_task:
    matrix:
        # Running rootless tests on overlay
        # OVERLAY
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
        - env:
            DISTRO_NV: "${FEDORA_NAME}"
            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
            STORAGE_DRIVER: 'overlay'
            PRIV_NAME: rootless
-        # Disabled until we update to f40/41 as f39 does not have go 1.22
-        # - env:
-        #     DISTRO_NV: "${PRIOR_FEDORA_NAME}"
-        #     IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
-        #     STORAGE_DRIVER: 'overlay'
-        #     PRIV_NAME: rootless
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
        - env:
            DISTRO_NV: "${DEBIAN_NAME}"
            IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
--- a/vendor/github.com/containers/buildah/CHANGELOG.md
+++ b/vendor/github.com/containers/buildah/CHANGELOG.md
@@ -2,6 +2,18 @@

 # Changelog

+## v1.39.7 (2025-12-11)
+
+    [release-1.39] Bump runc to v1.2.9
+
+## v1.39.6 (2025-11-18)
+
+    CI: run integration tests on Fedora with both crun and runc
+    buildah-build(1): clarify that --cgroup-parent affects RUN instructions
+    runUsingRuntime: use named constants for runtime states
+    Add a dummy "runtime" that just dumps its config file
+    run: handle relabeling bind mounts ourselves
+
 ## v1.39.5 (2025-11-06)

    [release-1.39] Bump runc to v1.2.8 - CVE-2025-52881
--- a/vendor/github.com/containers/buildah/Makefile
+++ b/vendor/github.com/containers/buildah/Makefile
@@ -55,7 +55,7 @@ endif
 #     Note: Uses the -N -l go compiler options to disable compiler optimizations
 #           and inlining. Using these build options allows you to subsequently
 #           use source debugging tools like delve.
-all: bin/buildah bin/imgtype bin/copy bin/inet bin/tutorial docs
+all: bin/buildah bin/imgtype bin/copy bin/inet bin/tutorial bin/dumpspec docs

 # Update nix/nixpkgs.json its latest stable commit
 .PHONY: nixpkgs
@@ -103,6 +103,9 @@ bin/buildah.%: $(SOURCES)
 	mkdir -p ./bin
 	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah

+bin/dumpspec: $(SOURCES)
+	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/dumpspec
+
 bin/imgtype: $(SOURCES)
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/imgtype/imgtype.go

--- a/vendor/github.com/containers/buildah/changelog.txt
+++ b/vendor/github.com/containers/buildah/changelog.txt
@@ -1,3 +1,13 @@
+- Changelog for v1.39.7 (2025-12-11)
+  * [release-1.39] Bump runc to v1.2.9
+
+- Changelog for v1.39.6 (2025-11-18)
+  * CI: run integration tests on Fedora with both crun and runc
+  * buildah-build(1): clarify that --cgroup-parent affects RUN instructions
+  * runUsingRuntime: use named constants for runtime states
+  * Add a dummy "runtime" that just dumps its config file
+  * run: handle relabeling bind mounts ourselves
+
 - Changelog for v1.39.5 (2025-11-06)
  * [release-1.39] Bump runc to v1.2.8 - CVE-2025-52881
  * Builder.sbomScan(): don't break non-root scanners
--- a/vendor/github.com/containers/buildah/chroot/pty_unsupported.go
+++ b/vendor/github.com/containers/buildah/chroot/pty_unsupported.go
@@ -1,11 +0,0 @@
-//go:build !linux && !(freebsd && cgo)
-
-package chroot
-
-import (
-	"errors"
-)
-
-func getPtyDescriptors() (int, int, error) {
-	return -1, -1, errors.New("getPtyDescriptors not supported on this platform")
-}
--- a/vendor/github.com/containers/buildah/chroot/run_common.go
+++ b/vendor/github.com/containers/buildah/chroot/run_common.go
@@ -18,6 +18,7 @@ import (
 	"syscall"

 	"github.com/containers/buildah/bind"
+	"github.com/containers/buildah/internal/pty"
 	"github.com/containers/buildah/util"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/containers/storage/pkg/reexec"
@@ -217,7 +218,7 @@ func runUsingChrootMain() {
 	var stderr io.Writer
 	fdDesc := make(map[int]string)
 	if options.Spec.Process.Terminal {
-		ptyMasterFd, ptyFd, err := getPtyDescriptors()
+		ptyMasterFd, ptyFd, err := pty.GetPtyDescriptors()
 		if err != nil {
 			logrus.Errorf("error opening PTY descriptors: %v", err)
 			os.Exit(1)
--- a/vendor/github.com/containers/buildah/define/types.go
+++ b/vendor/github.com/containers/buildah/define/types.go
@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.39.5"
+	Version = "1.39.7"

 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
--- a/vendor/github.com/containers/buildah/internal/pty/pty_posix.go
+++ b/vendor/github.com/containers/buildah/internal/pty/pty_posix.go
@@ -1,6 +1,6 @@
 //go:build freebsd && cgo

-package chroot
+package pty

 // #include <fcntl.h>
 // #include <stdlib.h>
@@ -37,7 +37,9 @@ func unlockpt(fd int) error {
 	return nil
 }

-func getPtyDescriptors() (int, int, error) {
+// GetPtyDescriptors allocates a new pseudoterminal and returns the control and
+// pseudoterminal file descriptors.
+func GetPtyDescriptors() (int, int, error) {
 	// Create a pseudo-terminal and open the control side
 	controlFd, err := openpt()
 	if err != nil {
--- a/vendor/github.com/containers/buildah/internal/pty/pty_ptmx.go
+++ b/vendor/github.com/containers/buildah/internal/pty/pty_ptmx.go
@@ -1,6 +1,6 @@
 //go:build linux

-package chroot
+package pty

 import (
 	"fmt"
@@ -11,9 +11,11 @@ import (
 	"golang.org/x/sys/unix"
 )

-// Open a PTY using the /dev/ptmx device. The main advantage of using
-// this instead of posix_openpt is that it avoids cgo.
-func getPtyDescriptors() (int, int, error) {
+// GetPtyDescriptors allocates a new pseudoterminal and returns the control and
+// pseudoterminal file descriptors.  This implementation uses the /dev/ptmx
+// device. The main advantage of using this instead of posix_openpt is that it
+// avoids cgo.
+func GetPtyDescriptors() (int, int, error) {
 	// Create a pseudo-terminal -- open a copy of the master side.
 	controlFd, err := unix.Open("/dev/ptmx", os.O_RDWR, 0o600)
 	if err != nil {
--- a/vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go
+++ b/vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go
@@ -0,0 +1,13 @@
+//go:build !linux && !(freebsd && cgo)
+
+package pty
+
+import (
+	"errors"
+)
+
+// GetPtyDescriptors would allocate a new pseudoterminal and return the control and
+// pseudoterminal file descriptors, if only it could.
+func GetPtyDescriptors() (int, int, error) {
+	return -1, -1, errors.New("GetPtyDescriptors not supported on this platform")
+}
--- a/vendor/github.com/containers/buildah/run_common.go
+++ b/vendor/github.com/containers/buildah/run_common.go
@@ -697,8 +697,9 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, moreCreateArgs [
 			return 1, fmt.Errorf("parsing container state %q from %s: %w", string(stateOutput), runtime, err)
 		}
 		switch state.Status {
-		case "running":
-		case "stopped":
+		case specs.StateCreating, specs.StateCreated, specs.StateRunning:
+			// all fine
+		case specs.StateStopped:
 			atomic.StoreUint32(&stopped, 1)
 		default:
 			return 1, fmt.Errorf("container status unexpectedly changed to %q", state.Status)
--- a/vendor/github.com/containers/buildah/run_linux.go
+++ b/vendor/github.com/containers/buildah/run_linux.go
@@ -542,6 +542,33 @@ rootless=%d

 	defer b.cleanupTempVolumes()

+	// Handle mount flags that request that the source locations for "bind" mountpoints be
+	// relabeled, and filter those flags out of the list of mount options we pass to the
+	// runtime.
+	for i := range spec.Mounts {
+		switch spec.Mounts[i].Type {
+		default:
+			continue
+		case "bind", "rbind":
+			// all good, keep going
+		}
+		zflag := ""
+		for _, opt := range spec.Mounts[i].Options {
+			if opt == "z" || opt == "Z" {
+				zflag = opt
+			}
+		}
+		if zflag == "" {
+			continue
+		}
+		spec.Mounts[i].Options = slices.DeleteFunc(spec.Mounts[i].Options, func(opt string) bool {
+			return opt == "z" || opt == "Z"
+		})
+		if err := relabel(spec.Mounts[i].Source, b.MountLabel, zflag == "z"); err != nil {
+			return fmt.Errorf("setting file label %q on %q: %w", b.MountLabel, spec.Mounts[i].Source, err)
+		}
+	}
+
 	switch isolation {
 	case define.IsolationOCI:
 		var moreCreateArgs []string
@@ -1130,16 +1157,19 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string,
 			if err := relabel(host, mountLabel, true); err != nil {
 				return specs.Mount{}, err
 			}
+			options = slices.DeleteFunc(options, func(o string) bool { return o == "z" })
 		}
 		if foundZ {
 			if err := relabel(host, mountLabel, false); err != nil {
 				return specs.Mount{}, err
 			}
+			options = slices.DeleteFunc(options, func(o string) bool { return o == "Z" })
 		}
 		if foundU {
 			if err := chown.ChangeHostPathOwnership(host, true, idMaps.processUID, idMaps.processGID); err != nil {
 				return specs.Mount{}, err
 			}
+			options = slices.DeleteFunc(options, func(o string) bool { return o == "U" })
 		}
 		if foundO {
 			if (upperDir != "" && workDir == "") || (workDir != "" && upperDir == "") {
--- a/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
+++ b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
@@ -6,6 +6,21 @@ and this project adheres to [Semantic Versioning](http://semver.org/).

 ## [Unreleased 0.5.z] ##

+## [0.5.2] - 2025-11-19 ##
+
+> "Will you walk into my parlour?" said a spider to a fly.
+
+### Fixed ###
+- Our logic for deciding whether to use `openat2(2)` or fallback to an `O_PATH`
+  resolver would cache the result to avoid doing needless test runs of
+  `openat2(2)`. However, this causes issues when `pathrs-lite` is being used by
+  a program that applies new seccomp-bpf filters onto itself -- if the filter
+  denies `openat2(2)` then we would return that error rather than falling back
+  to the `O_PATH` resolver. To resolve this issue, we no longer cache the
+  result if `openat2(2)` was successful, only if there was an error.
+- A file descriptor leak in our `openat2` wrapper (when doing the necessary
+  `dup` for `RESOLVE_IN_ROOT`) has been removed.
+
 ## [0.5.1] - 2025-10-31 ##

 > Spooky scary skeletons send shivers down your spine!
--- a/vendor/github.com/cyphar/filepath-securejoin/VERSION
+++ b/vendor/github.com/cyphar/filepath-securejoin/VERSION
@@ -1 +1 @@
-0.5.1
+0.5.2
--- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go
@@ -39,7 +39,9 @@ const scopedLookupMaxRetries = 128

 // Openat2 is an [Fd]-based wrapper around unix.Openat2, but with some retry
 // logic in case of EAGAIN errors.
-func Openat2(dir Fd, path string, how *unix.OpenHow) (*os.File, error) {
+//
+// NOTE: This is a variable so that the lookup tests can force openat2 to fail.
+var Openat2 = func(dir Fd, path string, how *unix.OpenHow) (*os.File, error) {
 	dirFd, fullPath := prepareAt(dir, path)
 	// Make sure we always set O_CLOEXEC.
 	how.Flags |= unix.O_CLOEXEC
--- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go
@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && go1.19
+
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocompat
+
+import (
+	"sync/atomic"
+)
+
+// A Bool is an atomic boolean value.
+// The zero value is false.
+//
+// Bool must not be copied after first use.
+type Bool = atomic.Bool
--- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && !go1.19
+
+// Copyright (C) 2024-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocompat
+
+import (
+	"sync/atomic"
+)
+
+// noCopy may be added to structs which must not be copied
+// after the first use.
+//
+// See https://golang.org/issues/8005#issuecomment-190753527
+// for details.
+//
+// Note that it must not be embedded, due to the Lock and Unlock methods.
+type noCopy struct{}
+
+// Lock is a no-op used by -copylocks checker from `go vet`.
+func (*noCopy) Lock() {}
+
+// b32 returns a uint32 0 or 1 representing b.
+func b32(b bool) uint32 {
+	if b {
+		return 1
+	}
+	return 0
+}
+
+// A Bool is an atomic boolean value.
+// The zero value is false.
+//
+// Bool must not be copied after first use.
+type Bool struct {
+	_ noCopy
+	v uint32
+}
+
+// Load atomically loads and returns the value stored in x.
+func (x *Bool) Load() bool { return atomic.LoadUint32(&x.v) != 0 }
+
+// Store atomically stores val into x.
+func (x *Bool) Store(val bool) { atomic.StoreUint32(&x.v, b32(val)) }
--- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go
@@ -17,15 +17,27 @@ import (
 	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
 )

+// sawOpenat2Error stores whether we have seen an error from HasOpenat2. This
+// is a one-way toggle, so as soon as we see an error we "lock" into that mode.
+// We cannot use sync.OnceValue to store the success/fail state once because it
+// is possible for the program we are running in to apply a seccomp-bpf filter
+// and thus disable openat2 during execution.
+var sawOpenat2Error gocompat.Bool
+
 // HasOpenat2 returns whether openat2(2) is supported on the running kernel.
-var HasOpenat2 = gocompat.SyncOnceValue(func() bool {
+var HasOpenat2 = func() bool {
+	if sawOpenat2Error.Load() {
+		return false
+	}
+
 	fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{
 		Flags:   unix.O_PATH | unix.O_CLOEXEC,
 		Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT,
 	})
 	if err != nil {
+		sawOpenat2Error.Store(true) // doesn't matter if we race here
 		return false
 	}
 	_ = unix.Close(fd)
 	return true
-})
+}
--- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go
@@ -193,8 +193,13 @@ func lookupInRoot(root fd.Fd, unsafePath string, partial bool) (Handle *os.File,
 	// managed open, along with the remaining path components not opened.

 	// Try to use openat2 if possible.
-	if linux.HasOpenat2() {
-		return lookupOpenat2(root, unsafePath, partial)
+	//
+	// NOTE: If openat2(2) works normally but fails for this lookup, it is
+	// probably not a good idea to fall-back to the O_PATH resolver. An
+	// attacker could find a bug in the O_PATH resolver and uncontionally
+	// falling back to the O_PATH resolver would form a downgrade attack.
+	if handle, remainingPath, err := lookupOpenat2(root, unsafePath, partial); err == nil || linux.HasOpenat2() {
+		return handle, remainingPath, err
 	}

 	// Get the "actual" root path from /proc/self/fd. This is necessary if the
--- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/openat2_linux.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/openat2_linux.go
@@ -41,6 +41,7 @@ func openat2(dir fd.Fd, path string, how *unix.OpenHow) (*os.File, error) {
 			if err != nil {
 				return nil, err
 			}
+			_ = file.Close()
 			file = newFile
 		}
 	}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -147,7 +147,7 @@ github.com/containernetworking/cni/pkg/version
 # github.com/containernetworking/plugins v1.5.1
 ## explicit; go 1.20
 github.com/containernetworking/plugins/pkg/ns
-# github.com/containers/buildah v1.39.5
+# github.com/containers/buildah v1.39.7
 ## explicit; go 1.22.8
 github.com/containers/buildah
 github.com/containers/buildah/bind
@@ -162,6 +162,7 @@ github.com/containers/buildah/internal/mkcw
 github.com/containers/buildah/internal/mkcw/types
 github.com/containers/buildah/internal/open
 github.com/containers/buildah/internal/parse
+github.com/containers/buildah/internal/pty
 github.com/containers/buildah/internal/sbom
 github.com/containers/buildah/internal/tmpdir
 github.com/containers/buildah/internal/util
@@ -445,7 +446,7 @@ github.com/crc-org/vfkit/pkg/util
 # github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f
 ## explicit
 github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
-# github.com/cyphar/filepath-securejoin v0.5.1
+# github.com/cyphar/filepath-securejoin v0.5.2
 ## explicit; go 1.18
 github.com/cyphar/filepath-securejoin
 github.com/cyphar/filepath-securejoin/internal/consts
@@ -915,7 +916,7 @@ github.com/opencontainers/go-digest
 ## explicit; go 1.18
 github.com/opencontainers/image-spec/specs-go
 github.com/opencontainers/image-spec/specs-go/v1
-# github.com/opencontainers/runc v1.2.8
+# github.com/opencontainers/runc v1.2.9
 ## explicit; go 1.22
 github.com/opencontainers/runc/internal/pathrs
 github.com/opencontainers/runc/libcontainer/apparmor
@@ -1 +1 @@
 .5.1
 .5.2