volume,container: chroot to source before exporting content

* Utils must support a higher level API to create a Tar chrooted into a
  directory
* Volume export: use TarwithChroot instead of Tar so we can make sure no
  symlink can be exported by tar if it exists outside of the source
  directory.
* container export: use chroot and Tar instead of Tar so we can make sure no
  symlink can be exported by tar if it exists outside of the mountPoint.

[NO NEW TESTS NEEDED]
[NO TESTS NEEDED]
The race needs a combination of external/in-container mechanisms, which is hard to reproduce in CI.

CVE: https://access.redhat.com/security/cve/CVE-2023-0778

Signed-off-by: Aditya R <arajan@redhat.com>

MH: Cherry-pick to v4.4.1-rhel per RHBZ 2169618

Signed-off-by: Matt Heon <mheon@redhat.com>
Aditya R
2023-02-10 15:16:27 +05:30
committed by Matthew Heon
parent 4f1dc3c6c3
commit 017535d05e
2 changed files with 26 additions and 3 deletions


@ -34,7 +34,7 @@ import (
"github.com/containers/podman/v4/pkg/systemd/notifyproxy"
"github.com/containers/podman/v4/pkg/util"
"github.com/containers/storage"
"github.com/containers/storage/pkg/archive"
"github.com/containers/storage/pkg/chrootarchive"
"github.com/containers/storage/pkg/idtools"
"github.com/containers/storage/pkg/lockfile"
"github.com/containers/storage/pkg/mount"
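Review bot: this hunk drops the `github.com/containers/storage/pkg/archive` import in favour of `chrootarchive`, so any remaining reference to `archive.Uncompressed` or `archive.TarOptions` elsewhere in this file would now fail to compile; the only user shown in this diff is the `export` call replaced below, so confirm there are no others before merging.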
@ -763,7 +763,7 @@ func (c *Container) export(out io.Writer) error {
}()
}
input, err := archive.Tar(mountPoint, archive.Uncompressed)
input, err := chrootarchive.Tar(mountPoint, nil, mountPoint)
if err != nil {
return fmt.Errorf("reading container directory %q: %w", c.ID(), err)
}
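Review bot: the replacement call `chrootarchive.Tar(mountPoint, nil, mountPoint)` passes `nil` options, so the explicit `archive.Uncompressed` from the removed line is now implied by the library default rather than stated; if the export format must stay uncompressed, say so in a comment next to the call so a later default change does not silently alter what `podman export` emits. Using `mountPoint` as both the source and the chroot root is the substance of the fix: the archiver runs with the container rootfs as `/`, so a symlink inside the rootfs resolves within it instead of against the host, which also covers the check-then-use race the commit message says is hard to reproduce in CI. A small unit test would still be worthwhile despite the `[NO NEW TESTS NEEDED]` tag: build a rootfs directory containing a symlink to a path outside it, run `export`, and assert the resulting archive carries no content from outside the rootfs.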