Conversation

@mtrmac
Contributor

@mtrmac mtrmac commented Nov 7, 2025

This is a replacement for #432 , also updating the users of removed functions.

Do note the licensing conversation in #432 — and how #446 needs an updated filepath-securejoin (does not matter for container-libs, but needed e.g. in containers/podman#27466 ).

Cc: @TomSweeneyRedHat . FYI @mheon

@mtrmac mtrmac changed the title Update ithub.com/cyphar/filepath-securejoin to v0.6.0 Update github.com/cyphar/filepath-securejoin to v0.6.0 Nov 7, 2025
@github-actions github-actions bot added storage Related to "storage" package common Related to "common" package image Related to "image" package labels Nov 7, 2025
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Nov 7, 2025
@podmanbot

✅ A new PR has been created in buildah to vendor these changes: containers/buildah#6487

@Luap99
Member

Luap99 commented Nov 7, 2025

Looks like you need to bump runc here at the same time, really annoying that the 0.6.0 update introduces breaking changes which means every user must be updated in the right dependency order first. This will be a gigantic PITA if the selinux change (containers/podman#27466) must be backported.

Looking at it closer I doubt we use the selinux code to write labels in untrusted namespaces so maybe we are good without it.

@mtrmac
Contributor Author

mtrmac commented Nov 7, 2025

Yes

  • Podman wants github.com/opencontainers/selinux v1.13.0 (not part of this PR)
  • That requires github.com/cyphar/filepath-securejoin v0.6.0
  • That removed API and thus needs an update to github.com/opencontainers/runc v1.3.3

This is necessary to allow the update to
github.com/cyphar/filepath-securejoin v0.6.0 .

Signed-off-by: Miloslav Trmač <[email protected]>
@mtrmac
Contributor Author

mtrmac commented Nov 7, 2025

Looking at it closer I doubt we use the selinux code to write labels in untrusted namespaces so maybe we are good without it.

All of this is making me wonder whether there shouldn’t be some way to solve the overmounts within runc, without adding all the /proc complexity and overhead to all other simpler users. But I’m not going to try.

@mtrmac mtrmac changed the title Update github.com/cyphar/filepath-securejoin to v0.6.0 Update github.com/cyphar/filepath-securejoin to v0.6.0 and github.com/opencontainers/runc to v1.3.3 Nov 7, 2025
podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Nov 7, 2025
Member

@lsm5 lsm5 left a comment

LGTM

@mheon
Member

mheon commented Nov 7, 2025

LGTM once tests are green

@TomSweeneyRedHat
Member

LGTM
with happy tests

@mtrmac mtrmac merged commit 09de135 into containers:main Nov 10, 2025
36 of 37 checks passed
@mtrmac mtrmac deleted the securejoin branch November 10, 2025 13:10
6 participants