From b12d7563f8b5a71f16578f7db4bfbd8351790e53 Mon Sep 17 00:00:00 2001 From: tomsweeneyredhat Date: Thu, 18 Dec 2025 16:50:25 -0500 Subject: [PATCH] [v5.4-rhel] Bump runc to 1.2.9, Buildah to v1.39.7 Bump runc to v1.2.9 and Buildah to v1.39.7. This fixes a number of regressions that happened with the fix for CVE-2025-52881 within the runc project. Fixes: https://issues.redhat.com/browse/RHEL-132829, https://issues.redhat.com/browse/RHEL-132824, https://issues.redhat.com/browse/OCPBUGS-66305, https://issues.redhat.com/browse/OCPBUGS-66306 Signed-off-by: tomsweeneyredhat --- go.mod | 6 +- go.sum | 12 +-- .../github.com/containers/buildah/.cirrus.yml | 85 +++++++++++++++---- .../containers/buildah/CHANGELOG.md | 12 +++ vendor/github.com/containers/buildah/Makefile | 5 +- .../containers/buildah/changelog.txt | 10 +++ .../buildah/chroot/pty_unsupported.go | 11 --- .../containers/buildah/chroot/run_common.go | 3 +- .../containers/buildah/define/types.go | 2 +- .../{chroot => internal/pty}/pty_posix.go | 6 +- .../{chroot => internal/pty}/pty_ptmx.go | 10 ++- .../buildah/internal/pty/pty_unsupported.go | 13 +++ .../containers/buildah/run_common.go | 5 +- .../containers/buildah/run_linux.go | 30 +++++++ .../cyphar/filepath-securejoin/CHANGELOG.md | 15 ++++ .../cyphar/filepath-securejoin/VERSION | 2 +- .../pathrs-lite/internal/fd/openat2_linux.go | 4 +- .../gocompat/gocompat_atomic_go119.go | 19 +++++ .../gocompat/gocompat_atomic_unsupported.go | 48 +++++++++++ .../internal/linux/openat2_linux.go | 16 +++- .../pathrs-lite/lookup_linux.go | 9 +- .../pathrs-lite/openat2_linux.go | 1 + vendor/modules.txt | 7 +- 23 files changed, 273 insertions(+), 58 deletions(-) delete mode 100644 vendor/github.com/containers/buildah/chroot/pty_unsupported.go rename vendor/github.com/containers/buildah/{chroot => internal/pty}/pty_posix.go (87%) rename vendor/github.com/containers/buildah/{chroot => internal/pty}/pty_ptmx.go (82%) create mode 100644 vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go create mode 100644 vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go diff --git a/go.mod b/go.mod index 0d288dcd03..5dc13b291d 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/checkpoint-restore/checkpointctl v1.3.0 github.com/checkpoint-restore/go-criu/v7 v7.2.0 github.com/containernetworking/plugins v1.5.1 - github.com/containers/buildah v1.39.5 + github.com/containers/buildah v1.39.7 github.com/containers/common v0.62.3 github.com/containers/conmon v2.0.20+incompatible github.com/containers/gvisor-tap-vsock v0.8.3 @@ -26,7 +26,7 @@ require ( github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 github.com/crc-org/crc/v2 v2.45.0 github.com/crc-org/vfkit v0.6.0 - github.com/cyphar/filepath-securejoin v0.5.1 + github.com/cyphar/filepath-securejoin v0.5.2 github.com/digitalocean/go-qemu v0.0.0-20230711162256-2e3d0186973e github.com/docker/distribution v2.8.3+incompatible github.com/docker/docker v27.5.1+incompatible @@ -57,7 +57,7 @@ require ( github.com/onsi/gomega v1.36.2 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0 - github.com/opencontainers/runc v1.2.8 + github.com/opencontainers/runc v1.2.9 github.com/opencontainers/runtime-spec v1.2.0 github.com/opencontainers/runtime-tools v0.9.1-0.20241108202711-f7e3563b0271 github.com/opencontainers/selinux v1.13.1 diff --git a/go.sum b/go.sum index 37cebebc68..3227092496 100644 --- a/go.sum +++ b/go.sum @@ -76,8 +76,8 @@ github.com/containernetworking/cni v1.2.3 h1:hhOcjNVUQTnzdRJ6alC5XF+wd9mfGIUaj8F github.com/containernetworking/cni v1.2.3/go.mod h1:DuLgF+aPd3DzcTQTtp/Nvl1Kim23oFKdm2okJzBQA5M= github.com/containernetworking/plugins v1.5.1 h1:T5ji+LPYjjgW0QM+KyrigZbLsZ8jaX+E5J/EcKOE4gQ= github.com/containernetworking/plugins v1.5.1/go.mod h1:MIQfgMayGuHYs0XdNudf31cLLAC+i242hNm6KuDGqCM= -github.com/containers/buildah v1.39.5 h1:1d6V4/FGVGJy8HtqtjwpdSy47SF9FI40bCwF9Rkj0Pw= -github.com/containers/buildah v1.39.5/go.mod h1:v2VU6vrd46ZW6h4UbODFwwMi+dx/+Y5WAvkXj9Ws1zY= +github.com/containers/buildah v1.39.7 h1:KdNahLb9J9pZMFjXfykJEiBWxFgdtceMP4lBBN8I3uM= +github.com/containers/buildah v1.39.7/go.mod h1:ihncEOaVw2tcOnkfyBspto2v0nXW2MHSQ3Ac7r0AeSI= github.com/containers/common v0.62.3 h1:aOGryqXfW6aKBbHbqOveH7zB+ihavUN03X/2pUSvWFI= github.com/containers/common v0.62.3/go.mod h1:3R8kDox2prC9uj/a2hmXj/YjZz5sBEUNrcDiw51S0Lo= github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg= @@ -115,8 +115,8 @@ github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f h1:eHnXnuK47UlSTOQexbzxAZfekVz6i+LKRdj1CU5DPaM= github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48= -github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.5.2 h1:w/T2bhKr4pgwG0SUGjU4S/Is9+zUknLh5ROTJLzWX8E= +github.com/cyphar/filepath-securejoin v0.5.2/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= @@ -395,8 +395,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= -github.com/opencontainers/runc v1.2.8 h1:RnEICeDReapbZ5lZEgHvj7E9Q3Eex9toYmaGBsbvU5Q= -github.com/opencontainers/runc v1.2.8/go.mod h1:cC0YkmZcuvr+rtBZ6T7NBoVbMGNAdLa/21vIElJDOzI= +github.com/opencontainers/runc v1.2.9 h1:szn/ts2m7YujxUKxGOZYWnb/PCAE+HGa3v+4MezQg7A= +github.com/opencontainers/runc v1.2.9/go.mod h1:PVeJMb4P50vsdTkVmHmZU4Z6EhjSruje+2EFt2PJUBM= github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk= github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.9.1-0.20241108202711-f7e3563b0271 h1:TPj0pMLCTy1CKwmrat3hqTxoZfqOuTy0asG0ccpGk8Q= diff --git a/vendor/github.com/containers/buildah/.cirrus.yml b/vendor/github.com/containers/buildah/.cirrus.yml index 121df5c49b..c538e0f88c 100644 --- a/vendor/github.com/containers/buildah/.cirrus.yml +++ b/vendor/github.com/containers/buildah/.cirrus.yml @@ -22,6 +22,8 @@ env: IN_PODMAN: 'false' # root or rootless PRIV_NAME: root + # default "mention the $BUILDAH_RUNTIME in the task alias, with initial whitespace" value + RUNTIME_N: "" #### #### Cache-image names to test with @@ -197,36 +199,66 @@ conformance_task: integration_task: - name: "Integration $DISTRO_NV w/ $STORAGE_DRIVER" + name: "Integration $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER" alias: integration skip: *not_build_docs depends_on: *smoke_vendor matrix: # VFS + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'vfs' + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" - env: DISTRO_NV: "${FEDORA_NAME}" IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" STORAGE_DRIVER: 'vfs' - # Disabled until we update to f40/41 as f39 does not have go 1.22 - # - env: - # DISTRO_NV: "${PRIOR_FEDORA_NAME}" - # IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - # STORAGE_DRIVER: 'vfs' + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'vfs' + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'vfs' + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" - env: DISTRO_NV: "${DEBIAN_NAME}" IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}" STORAGE_DRIVER: 'vfs' # OVERLAY + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" - env: DISTRO_NV: "${FEDORA_NAME}" IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" STORAGE_DRIVER: 'overlay' - # Disabled until we update to f40/41 as f39 does not have go 1.22 - # - env: - # DISTRO_NV: "${PRIOR_FEDORA_NAME}" - # IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - # STORAGE_DRIVER: 'overlay' + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" - env: DISTRO_NV: "${DEBIAN_NAME}" IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}" @@ -255,7 +287,7 @@ integration_task: golang_version_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh golang' integration_rootless_task: - name: "Integration rootless $DISTRO_NV w/ $STORAGE_DRIVER" + name: "Integration rootless $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER" alias: integration_rootless skip: *not_build_docs depends_on: *smoke_vendor @@ -263,17 +295,34 @@ integration_rootless_task: matrix: # Running rootless tests on overlay # OVERLAY + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + PRIV_NAME: rootless + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" - env: DISTRO_NV: "${FEDORA_NAME}" IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}" STORAGE_DRIVER: 'overlay' PRIV_NAME: rootless - # Disabled until we update to f40/41 as f39 does not have go 1.22 - # - env: - # DISTRO_NV: "${PRIOR_FEDORA_NAME}" - # IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" - # STORAGE_DRIVER: 'overlay' - # PRIV_NAME: rootless + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + PRIV_NAME: rootless + BUILDAH_RUNTIME: runc + RUNTIME_N: " using runc" + - env: + DISTRO_NV: "${PRIOR_FEDORA_NAME}" + IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}" + STORAGE_DRIVER: 'overlay' + PRIV_NAME: rootless + BUILDAH_RUNTIME: crun + RUNTIME_N: " using crun" - env: DISTRO_NV: "${DEBIAN_NAME}" IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}" diff --git a/vendor/github.com/containers/buildah/CHANGELOG.md b/vendor/github.com/containers/buildah/CHANGELOG.md index e69d8162c8..30e7f18260 100644 --- a/vendor/github.com/containers/buildah/CHANGELOG.md +++ b/vendor/github.com/containers/buildah/CHANGELOG.md @@ -2,6 +2,18 @@ # Changelog +## v1.39.7 (2025-12-11) + + [release-1.39] Bump runc to v1.2.9 + +## v1.39.6 (2025-11-18) + + CI: run integration tests on Fedora with both crun and runc + buildah-build(1): clarify that --cgroup-parent affects RUN instructions + runUsingRuntime: use named constants for runtime states + Add a dummy "runtime" that just dumps its config file + run: handle relabeling bind mounts ourselves + ## v1.39.5 (2025-11-06) [release-1.39] Bump runc to v1.2.8 - CVE-2025-52881 diff --git a/vendor/github.com/containers/buildah/Makefile b/vendor/github.com/containers/buildah/Makefile index 1032ef9a70..c34bf850bb 100644 --- a/vendor/github.com/containers/buildah/Makefile +++ b/vendor/github.com/containers/buildah/Makefile @@ -55,7 +55,7 @@ endif # Note: Uses the -N -l go compiler options to disable compiler optimizations # and inlining. Using these build options allows you to subsequently # use source debugging tools like delve. -all: bin/buildah bin/imgtype bin/copy bin/inet bin/tutorial docs +all: bin/buildah bin/imgtype bin/copy bin/inet bin/tutorial bin/dumpspec docs # Update nix/nixpkgs.json its latest stable commit .PHONY: nixpkgs @@ -103,6 +103,9 @@ bin/buildah.%: $(SOURCES) mkdir -p ./bin GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah +bin/dumpspec: $(SOURCES) + $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/dumpspec + bin/imgtype: $(SOURCES) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/imgtype/imgtype.go diff --git a/vendor/github.com/containers/buildah/changelog.txt b/vendor/github.com/containers/buildah/changelog.txt index 6f230f06bb..4e76b44862 100644 --- a/vendor/github.com/containers/buildah/changelog.txt +++ b/vendor/github.com/containers/buildah/changelog.txt @@ -1,3 +1,13 @@ +- Changelog for v1.39.7 (2025-12-11) + * [release-1.39] Bump runc to v1.2.9 + +- Changelog for v1.39.6 (2025-11-18) + * CI: run integration tests on Fedora with both crun and runc + * buildah-build(1): clarify that --cgroup-parent affects RUN instructions + * runUsingRuntime: use named constants for runtime states + * Add a dummy "runtime" that just dumps its config file + * run: handle relabeling bind mounts ourselves + - Changelog for v1.39.5 (2025-11-06) * [release-1.39] Bump runc to v1.2.8 - CVE-2025-52881 * Builder.sbomScan(): don't break non-root scanners diff --git a/vendor/github.com/containers/buildah/chroot/pty_unsupported.go b/vendor/github.com/containers/buildah/chroot/pty_unsupported.go deleted file mode 100644 index 5b6a67d582..0000000000 --- a/vendor/github.com/containers/buildah/chroot/pty_unsupported.go +++ /dev/null @@ -1,11 +0,0 @@ -//go:build !linux && !(freebsd && cgo) - -package chroot - -import ( - "errors" -) - -func getPtyDescriptors() (int, int, error) { - return -1, -1, errors.New("getPtyDescriptors not supported on this platform") -} diff --git a/vendor/github.com/containers/buildah/chroot/run_common.go b/vendor/github.com/containers/buildah/chroot/run_common.go index 895b4065ba..8e94ff73d7 100644 --- a/vendor/github.com/containers/buildah/chroot/run_common.go +++ b/vendor/github.com/containers/buildah/chroot/run_common.go @@ -18,6 +18,7 @@ import ( "syscall" "github.com/containers/buildah/bind" + "github.com/containers/buildah/internal/pty" "github.com/containers/buildah/util" "github.com/containers/storage/pkg/ioutils" "github.com/containers/storage/pkg/reexec" @@ -217,7 +218,7 @@ func runUsingChrootMain() { var stderr io.Writer fdDesc := make(map[int]string) if options.Spec.Process.Terminal { - ptyMasterFd, ptyFd, err := getPtyDescriptors() + ptyMasterFd, ptyFd, err := pty.GetPtyDescriptors() if err != nil { logrus.Errorf("error opening PTY descriptors: %v", err) os.Exit(1) diff --git a/vendor/github.com/containers/buildah/define/types.go b/vendor/github.com/containers/buildah/define/types.go index 2c3ca5031e..bc7ca93368 100644 --- a/vendor/github.com/containers/buildah/define/types.go +++ b/vendor/github.com/containers/buildah/define/types.go @@ -29,7 +29,7 @@ const ( // identify working containers. Package = "buildah" // Version for the Package. Also used by .packit.sh for Packit builds. - Version = "1.39.5" + Version = "1.39.7" // DefaultRuntime if containers.conf fails. DefaultRuntime = "runc" diff --git a/vendor/github.com/containers/buildah/chroot/pty_posix.go b/vendor/github.com/containers/buildah/internal/pty/pty_posix.go similarity index 87% rename from vendor/github.com/containers/buildah/chroot/pty_posix.go rename to vendor/github.com/containers/buildah/internal/pty/pty_posix.go index 827ed97471..56383da478 100644 --- a/vendor/github.com/containers/buildah/chroot/pty_posix.go +++ b/vendor/github.com/containers/buildah/internal/pty/pty_posix.go @@ -1,6 +1,6 @@ //go:build freebsd && cgo -package chroot +package pty // #include // #include @@ -37,7 +37,9 @@ func unlockpt(fd int) error { return nil } -func getPtyDescriptors() (int, int, error) { +// GetPtyDescriptors allocates a new pseudoterminal and returns the control and +// pseudoterminal file descriptors. +func GetPtyDescriptors() (int, int, error) { // Create a pseudo-terminal and open the control side controlFd, err := openpt() if err != nil { diff --git a/vendor/github.com/containers/buildah/chroot/pty_ptmx.go b/vendor/github.com/containers/buildah/internal/pty/pty_ptmx.go similarity index 82% rename from vendor/github.com/containers/buildah/chroot/pty_ptmx.go rename to vendor/github.com/containers/buildah/internal/pty/pty_ptmx.go index 53b35760b3..d60d2d814f 100644 --- a/vendor/github.com/containers/buildah/chroot/pty_ptmx.go +++ b/vendor/github.com/containers/buildah/internal/pty/pty_ptmx.go @@ -1,6 +1,6 @@ //go:build linux -package chroot +package pty import ( "fmt" @@ -11,9 +11,11 @@ import ( "golang.org/x/sys/unix" ) -// Open a PTY using the /dev/ptmx device. The main advantage of using -// this instead of posix_openpt is that it avoids cgo. -func getPtyDescriptors() (int, int, error) { +// GetPtyDescriptors allocates a new pseudoterminal and returns the control and +// pseudoterminal file descriptors. This implementation uses the /dev/ptmx +// device. The main advantage of using this instead of posix_openpt is that it +// avoids cgo. +func GetPtyDescriptors() (int, int, error) { // Create a pseudo-terminal -- open a copy of the master side. controlFd, err := unix.Open("/dev/ptmx", os.O_RDWR, 0o600) if err != nil { diff --git a/vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go b/vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go new file mode 100644 index 0000000000..1041639439 --- /dev/null +++ b/vendor/github.com/containers/buildah/internal/pty/pty_unsupported.go @@ -0,0 +1,13 @@ +//go:build !linux && !(freebsd && cgo) + +package pty + +import ( + "errors" +) + +// GetPtyDescriptors would allocate a new pseudoterminal and return the control and +// pseudoterminal file descriptors, if only it could. +func GetPtyDescriptors() (int, int, error) { + return -1, -1, errors.New("GetPtyDescriptors not supported on this platform") +} diff --git a/vendor/github.com/containers/buildah/run_common.go b/vendor/github.com/containers/buildah/run_common.go index 80569e3299..f568ee8462 100644 --- a/vendor/github.com/containers/buildah/run_common.go +++ b/vendor/github.com/containers/buildah/run_common.go @@ -697,8 +697,9 @@ func runUsingRuntime(options RunOptions, configureNetwork bool, moreCreateArgs [ return 1, fmt.Errorf("parsing container state %q from %s: %w", string(stateOutput), runtime, err) } switch state.Status { - case "running": - case "stopped": + case specs.StateCreating, specs.StateCreated, specs.StateRunning: + // all fine + case specs.StateStopped: atomic.StoreUint32(&stopped, 1) default: return 1, fmt.Errorf("container status unexpectedly changed to %q", state.Status) diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go index 5d040cbb99..e3e65102bc 100644 --- a/vendor/github.com/containers/buildah/run_linux.go +++ b/vendor/github.com/containers/buildah/run_linux.go @@ -542,6 +542,33 @@ rootless=%d defer b.cleanupTempVolumes() + // Handle mount flags that request that the source locations for "bind" mountpoints be + // relabeled, and filter those flags out of the list of mount options we pass to the + // runtime. + for i := range spec.Mounts { + switch spec.Mounts[i].Type { + default: + continue + case "bind", "rbind": + // all good, keep going + } + zflag := "" + for _, opt := range spec.Mounts[i].Options { + if opt == "z" || opt == "Z" { + zflag = opt + } + } + if zflag == "" { + continue + } + spec.Mounts[i].Options = slices.DeleteFunc(spec.Mounts[i].Options, func(opt string) bool { + return opt == "z" || opt == "Z" + }) + if err := relabel(spec.Mounts[i].Source, b.MountLabel, zflag == "z"); err != nil { + return fmt.Errorf("setting file label %q on %q: %w", b.MountLabel, spec.Mounts[i].Source, err) + } + } + switch isolation { case define.IsolationOCI: var moreCreateArgs []string @@ -1130,16 +1157,19 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string, if err := relabel(host, mountLabel, true); err != nil { return specs.Mount{}, err } + options = slices.DeleteFunc(options, func(o string) bool { return o == "z" }) } if foundZ { if err := relabel(host, mountLabel, false); err != nil { return specs.Mount{}, err } + options = slices.DeleteFunc(options, func(o string) bool { return o == "Z" }) } if foundU { if err := chown.ChangeHostPathOwnership(host, true, idMaps.processUID, idMaps.processGID); err != nil { return specs.Mount{}, err } + options = slices.DeleteFunc(options, func(o string) bool { return o == "U" }) } if foundO { if (upperDir != "" && workDir == "") || (workDir != "" && upperDir == "") { diff --git a/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md index 3faee0bc55..1fc7eeb069 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md +++ b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md @@ -6,6 +6,21 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ## [Unreleased 0.5.z] ## +## [0.5.2] - 2025-11-19 ## + +> "Will you walk into my parlour?" said a spider to a fly. + +### Fixed ### +- Our logic for deciding whether to use `openat2(2)` or fallback to an `O_PATH` + resolver would cache the result to avoid doing needless test runs of + `openat2(2)`. However, this causes issues when `pathrs-lite` is being used by + a program that applies new seccomp-bpf filters onto itself -- if the filter + denies `openat2(2)` then we would return that error rather than falling back + to the `O_PATH` resolver. To resolve this issue, we no longer cache the + result if `openat2(2)` was successful, only if there was an error. +- A file descriptor leak in our `openat2` wrapper (when doing the necessary + `dup` for `RESOLVE_IN_ROOT`) has been removed. + ## [0.5.1] - 2025-10-31 ## > Spooky scary skeletons send shivers down your spine! diff --git a/vendor/github.com/cyphar/filepath-securejoin/VERSION b/vendor/github.com/cyphar/filepath-securejoin/VERSION index 4b9fcbec10..cb0c939a93 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/VERSION +++ b/vendor/github.com/cyphar/filepath-securejoin/VERSION @@ -1 +1 @@ -0.5.1 +0.5.2 diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go index 3e937fe3c1..63863647d5 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go @@ -39,7 +39,9 @@ const scopedLookupMaxRetries = 128 // Openat2 is an [Fd]-based wrapper around unix.Openat2, but with some retry // logic in case of EAGAIN errors. -func Openat2(dir Fd, path string, how *unix.OpenHow) (*os.File, error) { +// +// NOTE: This is a variable so that the lookup tests can force openat2 to fail. +var Openat2 = func(dir Fd, path string, how *unix.OpenHow) (*os.File, error) { dirFd, fullPath := prepareAt(dir, path) // Make sure we always set O_CLOEXEC. how.Flags |= unix.O_CLOEXEC diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go new file mode 100644 index 0000000000..ac93cb045e --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go @@ -0,0 +1,19 @@ +// SPDX-License-Identifier: BSD-3-Clause + +//go:build linux && go1.19 + +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gocompat + +import ( + "sync/atomic" +) + +// A Bool is an atomic boolean value. +// The zero value is false. +// +// Bool must not be copied after first use. +type Bool = atomic.Bool diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go new file mode 100644 index 0000000000..21b5b29ada --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go @@ -0,0 +1,48 @@ +// SPDX-License-Identifier: BSD-3-Clause + +//go:build linux && !go1.19 + +// Copyright (C) 2024-2025 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gocompat + +import ( + "sync/atomic" +) + +// noCopy may be added to structs which must not be copied +// after the first use. +// +// See https://golang.org/issues/8005#issuecomment-190753527 +// for details. +// +// Note that it must not be embedded, due to the Lock and Unlock methods. +type noCopy struct{} + +// Lock is a no-op used by -copylocks checker from `go vet`. +func (*noCopy) Lock() {} + +// b32 returns a uint32 0 or 1 representing b. +func b32(b bool) uint32 { + if b { + return 1 + } + return 0 +} + +// A Bool is an atomic boolean value. +// The zero value is false. +// +// Bool must not be copied after first use. +type Bool struct { + _ noCopy + v uint32 +} + +// Load atomically loads and returns the value stored in x. +func (x *Bool) Load() bool { return atomic.LoadUint32(&x.v) != 0 } + +// Store atomically stores val into x. +func (x *Bool) Store(val bool) { atomic.StoreUint32(&x.v, b32(val)) } diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go index 399609dc36..dc5f65cef7 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go @@ -17,15 +17,27 @@ import ( "github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat" ) +// sawOpenat2Error stores whether we have seen an error from HasOpenat2. This +// is a one-way toggle, so as soon as we see an error we "lock" into that mode. +// We cannot use sync.OnceValue to store the success/fail state once because it +// is possible for the program we are running in to apply a seccomp-bpf filter +// and thus disable openat2 during execution. +var sawOpenat2Error gocompat.Bool + // HasOpenat2 returns whether openat2(2) is supported on the running kernel. -var HasOpenat2 = gocompat.SyncOnceValue(func() bool { +var HasOpenat2 = func() bool { + if sawOpenat2Error.Load() { + return false + } + fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{ Flags: unix.O_PATH | unix.O_CLOEXEC, Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT, }) if err != nil { + sawOpenat2Error.Store(true) // doesn't matter if we race here return false } _ = unix.Close(fd) return true -}) +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go index f47504e663..05d7dbcc11 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go @@ -193,8 +193,13 @@ func lookupInRoot(root fd.Fd, unsafePath string, partial bool) (Handle *os.File, // managed open, along with the remaining path components not opened. // Try to use openat2 if possible. - if linux.HasOpenat2() { - return lookupOpenat2(root, unsafePath, partial) + // + // NOTE: If openat2(2) works normally but fails for this lookup, it is + // probably not a good idea to fall-back to the O_PATH resolver. An + // attacker could find a bug in the O_PATH resolver and uncontionally + // falling back to the O_PATH resolver would form a downgrade attack. + if handle, remainingPath, err := lookupOpenat2(root, unsafePath, partial); err == nil || linux.HasOpenat2() { + return handle, remainingPath, err } // Get the "actual" root path from /proc/self/fd. This is necessary if the diff --git a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/openat2_linux.go index 937bc435f2..dbbb88c23f 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/openat2_linux.go +++ b/vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/openat2_linux.go @@ -41,6 +41,7 @@ func openat2(dir fd.Fd, path string, how *unix.OpenHow) (*os.File, error) { if err != nil { return nil, err } + _ = file.Close() file = newFile } } diff --git a/vendor/modules.txt b/vendor/modules.txt index 04f037d788..78685a3e55 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -147,7 +147,7 @@ github.com/containernetworking/cni/pkg/version # github.com/containernetworking/plugins v1.5.1 ## explicit; go 1.20 github.com/containernetworking/plugins/pkg/ns -# github.com/containers/buildah v1.39.5 +# github.com/containers/buildah v1.39.7 ## explicit; go 1.22.8 github.com/containers/buildah github.com/containers/buildah/bind @@ -162,6 +162,7 @@ github.com/containers/buildah/internal/mkcw github.com/containers/buildah/internal/mkcw/types github.com/containers/buildah/internal/open github.com/containers/buildah/internal/parse +github.com/containers/buildah/internal/pty github.com/containers/buildah/internal/sbom github.com/containers/buildah/internal/tmpdir github.com/containers/buildah/internal/util @@ -445,7 +446,7 @@ github.com/crc-org/vfkit/pkg/util # github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f ## explicit github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer -# github.com/cyphar/filepath-securejoin v0.5.1 +# github.com/cyphar/filepath-securejoin v0.5.2 ## explicit; go 1.18 github.com/cyphar/filepath-securejoin github.com/cyphar/filepath-securejoin/internal/consts @@ -915,7 +916,7 @@ github.com/opencontainers/go-digest ## explicit; go 1.18 github.com/opencontainers/image-spec/specs-go github.com/opencontainers/image-spec/specs-go/v1 -# github.com/opencontainers/runc v1.2.8 +# github.com/opencontainers/runc v1.2.9 ## explicit; go 1.22 github.com/opencontainers/runc/internal/pathrs github.com/opencontainers/runc/libcontainer/apparmor