Merge pull request #25661 from Luap99/common-buildah

update c/{common,buildah} + selinux upgrade fixes

Author: openshift-merge-bot[bot]

go.mod

@@ -13,8 +13,8 @@ require (
 	github.com/checkpoint-restore/checkpointctl v1.3.0
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
 	github.com/containernetworking/plugins v1.6.2
-	github.com/containers/buildah v1.39.1-0.20250321123219-bc4d7eb70fe3
-	github.com/containers/common v0.62.3-0.20250321171839-dbeb17e40c80
+	github.com/containers/buildah v1.39.1-0.20250324153001-6d9381d08265
+	github.com/containers/common v0.62.3-0.20250324121725-e360699fb3e3
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/gvisor-tap-vsock v0.8.5
 	github.com/containers/image/v5 v5.34.3-0.20250311194052-d84dbab374e7
@@ -60,7 +60,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/opencontainers/runtime-spec v1.2.1
 	github.com/opencontainers/runtime-tools v0.9.1-0.20241108202711-f7e3563b0271
-	github.com/opencontainers/selinux v1.11.1
+	github.com/opencontainers/selinux v1.12.0
 	github.com/openshift/imagebuilder v1.2.16-0.20250220150830-7ebfb09d364e
 	github.com/rootless-containers/rootlesskit/v2 v2.3.2
 	github.com/shirou/gopsutil/v4 v4.25.2
@@ -81,7 +81,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1
 	gopkg.in/yaml.v3 v3.0.1
 	sigs.k8s.io/yaml v1.4.0
-	tags.cncf.io/container-device-interface v1.0.0
+	tags.cncf.io/container-device-interface v1.0.1
 )
 
 require (
@@ -232,6 +232,5 @@ require (
 	google.golang.org/grpc v1.70.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect
 )

go.sum

@@ -76,10 +76,10 @@ github.com/containernetworking/cni v1.2.3 h1:hhOcjNVUQTnzdRJ6alC5XF+wd9mfGIUaj8F
 github.com/containernetworking/cni v1.2.3/go.mod h1:DuLgF+aPd3DzcTQTtp/Nvl1Kim23oFKdm2okJzBQA5M=
 github.com/containernetworking/plugins v1.6.2 h1:pqP8Mq923TLyef5g97XfJ/xpDeVek4yF8A4mzy9Tc4U=
 github.com/containernetworking/plugins v1.6.2/go.mod h1:SP5UG3jDO9LtmfbBJdP+nl3A1atOtbj2MBOYsnaxy64=
-github.com/containers/buildah v1.39.1-0.20250321123219-bc4d7eb70fe3 h1:F5qpz8HsQ/nxhArveDEgskbyOjFuSsEahevt4JHAePQ=
-github.com/containers/buildah v1.39.1-0.20250321123219-bc4d7eb70fe3/go.mod h1:kCk5Le5CiMazPfGhF8yg43LQa1YLKqBZNnI4PTq+W/U=
-github.com/containers/common v0.62.3-0.20250321171839-dbeb17e40c80 h1:U605lFaEyA0zsy4+gqZxth9V2Dl1UXBfcamA3cnQ33E=
-github.com/containers/common v0.62.3-0.20250321171839-dbeb17e40c80/go.mod h1:IW8fUkTIwJkeclyROeASOV5FvFBpHjtQj/XBXffhuBk=
+github.com/containers/buildah v1.39.1-0.20250324153001-6d9381d08265 h1:3cFRoMP4Up4sN/f2TOcCKSxiX/mbHCN5FwqHc+rw2B8=
+github.com/containers/buildah v1.39.1-0.20250324153001-6d9381d08265/go.mod h1:8DuzWORynpU4q7coSL0aElpPVMDZFoCOnz9gzqU8Ics=
+github.com/containers/common v0.62.3-0.20250324121725-e360699fb3e3 h1:+bpRXBlU6CBT1PeA5CJ0Yvc6M6jDyWb6Szja+wN3KBo=
+github.com/containers/common v0.62.3-0.20250324121725-e360699fb3e3/go.mod h1:n5C1/ox2S2r/5fcklbCkSV7Y++je/Rz+953Ecmhrnv4=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/gvisor-tap-vsock v0.8.5 h1:s7PA8znsZ4mamev5nNLsQqduYSlz1Ze5TWjfXnAfpEs=
@@ -404,8 +404,8 @@ github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU
 github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20241108202711-f7e3563b0271 h1:TPj0pMLCTy1CKwmrat3hqTxoZfqOuTy0asG0ccpGk8Q=
 github.com/opencontainers/runtime-tools v0.9.1-0.20241108202711-f7e3563b0271/go.mod h1:oIH6VwKkaDOO+SIYZpdwrC/0wKYqrfO6E1sG1j3UVws=
-github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
-github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
+github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/openshift/imagebuilder v1.2.16-0.20250220150830-7ebfb09d364e h1:yKNaeGlH4+h06lkADFa5rAIG7ifxOiV04kLRCL0rct8=
 github.com/openshift/imagebuilder v1.2.16-0.20250220150830-7ebfb09d364e/go.mod h1:cK6MLyBl1IHmIYGLY/2SLOG6p0PtEDUOC7khxsFYUXE=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
@@ -754,8 +754,6 @@ gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -771,7 +769,7 @@ sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 src.elv.sh v0.16.0-rc1.0.20220116211855-fda62502ad7f h1:pjVeIo9Ba6K1Wy+rlwX91zT7A+xGEmxiNRBdN04gDTQ=
 src.elv.sh v0.16.0-rc1.0.20220116211855-fda62502ad7f/go.mod h1:kPbhv5+fBeUh85nET3wWhHGUaUQ64nZMJ8FwA5v5Olg=
-tags.cncf.io/container-device-interface v1.0.0 h1:fbwPQiWZNpXUb9Os6t6JW52rsOppTFUbeJOpNtN1TmI=
-tags.cncf.io/container-device-interface v1.0.0/go.mod h1:mmi2aRGmOjK/6NR3TXjLpEIarOJ9qwgZjQ3nTIRwAaA=
+tags.cncf.io/container-device-interface v1.0.1 h1:KqQDr4vIlxwfYh0Ed/uJGVgX+CHAkahrgabg6Q8GYxc=
+tags.cncf.io/container-device-interface v1.0.1/go.mod h1:JojJIOeW3hNbcnOH2q0NrWNha/JuHoDZcmYxAZwb2i0=
 tags.cncf.io/container-device-interface/specs-go v1.0.0 h1:8gLw29hH1ZQP9K1YtAzpvkHCjjyIxHZYzBAvlQ+0vD8=
 tags.cncf.io/container-device-interface/specs-go v1.0.0/go.mod h1:u86hoFWqnh3hWz3esofRFKbI261bUlvUfLKGrDhJkgQ=

libpod/container_internal_common.go

@@ -3081,7 +3081,7 @@ func (c *Container) relabel(src, mountLabel string, shared bool) error {
 	}
 	// only relabel on initial creation of container
 	if !c.ensureState(define.ContainerStateConfigured, define.ContainerStateUnknown) {
-		label, err := label.FileLabel(src)
+		label, err := selinux.FileLabel(src)
 		if err != nil {
 			return err
 		}

libpod/oci_conmon_linux.go

@@ -22,7 +22,7 @@ import (
 	runcconfig "github.com/opencontainers/cgroups"
 	devices "github.com/opencontainers/cgroups/devices/config"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -147,13 +147,13 @@ func (r *ConmonOCIRuntime) createRootlessContainer(ctr *Container, restoreOption
 // Run the closure with the container's socket label set
 func (r *ConmonOCIRuntime) withContainerSocketLabel(ctr *Container, closure func() error) error {
 	runtime.LockOSThread()
-	if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
+	if err := selinux.SetSocketLabel(ctr.ProcessLabel()); err != nil {
 		return err
 	}
 	err := closure()
 	// Ignore error returned from SetSocketLabel("") call,
 	// can't recover.
-	if labelErr := label.SetSocketLabel(""); labelErr == nil {
+	if labelErr := selinux.SetSocketLabel(""); labelErr == nil {
 		// Unlock the thread only if the process label could be restored
 		// successfully.  Otherwise leave the thread locked and the Go runtime
 		// will terminate it once it returns to the threads pool.

libpod/util_linux.go

@@ -14,6 +14,7 @@ import (
 	"github.com/containers/podman/v5/pkg/rootless"
 	"github.com/containers/storage/pkg/fileutils"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -128,7 +129,7 @@ func assembleSystemdCgroupName(baseSlice, newSlice string) (string, string, erro
 
 var lvpRelabel = label.Relabel
 var lvpInitLabels = label.InitLabels
-var lvpReleaseLabel = label.ReleaseLabel
+var lvpReleaseLabel = selinux.ReleaseLabel
 
 // LabelVolumePath takes a mount path for a volume and gives it an
 // selinux label of either shared or not
@@ -139,9 +140,7 @@ func LabelVolumePath(path, mountLabel string) error {
 		if err != nil {
 			return fmt.Errorf("getting default mountlabels: %w", err)
 		}
-		if err := lvpReleaseLabel(mountLabel); err != nil {
-			return fmt.Errorf("releasing label %q: %w", mountLabel, err)
-		}
+		lvpReleaseLabel(mountLabel)
 	}
 
 	if err := lvpRelabel(path, mountLabel, true); err != nil {

libpod/util_linux_test.go

@@ -31,9 +31,7 @@ func TestLabelVolumePath(t *testing.T) {
 		mLabel := "system_u:object_r:container_file_t:s0:c1,c2"
 		return pLabel, mLabel, nil
 	}
-	lvpReleaseLabel = func(label string) error {
-		return nil
-	}
+	lvpReleaseLabel = func(label string) {}
 
 	// LabelVolumePath should not return an error if the operation is unsupported.
 	err := LabelVolumePath("/foo/bar", "")

pkg/specgen/generate/container_create.go

@@ -22,7 +22,7 @@ import (
 	"github.com/containers/podman/v5/pkg/specgenutil"
 	"github.com/containers/podman/v5/pkg/util"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 	"tags.cncf.io/container-device-interface/pkg/parser"
 )
@@ -578,7 +578,7 @@ func createContainerOptions(rt *libpod.Runtime, s *specgen.SpecGenerator, pod *l
 			return nil, err
 		}
 		if processLabel != "" {
-			selinuxOpts, err := label.DupSecOpt(processLabel)
+			selinuxOpts, err := selinux.DupSecOpt(processLabel)
 			if err != nil {
 				return nil, err
 			}

pkg/specgen/generate/security_linux.go

@@ -16,41 +16,41 @@ import (
 	"github.com/containers/podman/v5/pkg/specgen"
 	"github.com/containers/podman/v5/pkg/util"
 	"github.com/opencontainers/runtime-tools/generate"
-	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 )
 
 // setLabelOpts sets the label options of the SecurityConfig according to the
 // input.
 func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig specgen.Namespace, ipcConfig specgen.Namespace) error {
 	if !runtime.EnableLabeling() || s.IsPrivileged() {
-		s.SelinuxOpts = label.DisableSecOpt()
+		s.SelinuxOpts = selinux.DisableSecOpt()
 		return nil
 	}
 
 	var labelOpts []string
 	if pidConfig.IsHost() {
-		labelOpts = append(labelOpts, label.DisableSecOpt()...)
+		labelOpts = append(labelOpts, selinux.DisableSecOpt()...)
 	} else if pidConfig.IsContainer() {
 		ctr, err := runtime.LookupContainer(pidConfig.Value)
 		if err != nil {
 			return fmt.Errorf("container %q not found: %w", pidConfig.Value, err)
 		}
-		secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+		secopts, err := selinux.DupSecOpt(ctr.ProcessLabel())
 		if err != nil {
 			return fmt.Errorf("failed to duplicate label %q : %w", ctr.ProcessLabel(), err)
 		}
 		labelOpts = append(labelOpts, secopts...)
 	}
 
 	if ipcConfig.IsHost() {
-		labelOpts = append(labelOpts, label.DisableSecOpt()...)
+		labelOpts = append(labelOpts, selinux.DisableSecOpt()...)
 	} else if ipcConfig.IsContainer() {
 		ctr, err := runtime.LookupContainer(ipcConfig.Value)
 		if err != nil {
 			return fmt.Errorf("container %q not found: %w", ipcConfig.Value, err)
 		}
-		secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+		secopts, err := selinux.DupSecOpt(ctr.ProcessLabel())
 		if err != nil {
 			return fmt.Errorf("failed to duplicate label %q : %w", ctr.ProcessLabel(), err)
 		}