Merge pull request #15987 from flouthoc/bump-common

vendor: bump c/common to `v0.49.2-0.20220929111928-2d1b45ae2423`

go.mod

@@ -12,12 +12,12 @@ require (
 	github.com/containernetworking/cni v1.1.2
 	github.com/containernetworking/plugins v1.1.1
 	github.com/containers/buildah v1.27.1-0.20220921131114-d3064796af36
-	github.com/containers/common v0.49.2-0.20220926195839-590004b80685
+	github.com/containers/common v0.49.2-0.20220929111928-2d1b45ae2423
 	github.com/containers/conmon v2.0.20+incompatible
 	github.com/containers/image/v5 v5.22.1-0.20220919112403-fe51f7ffca50
 	github.com/containers/ocicrypt v1.1.5
 	github.com/containers/psgo v1.7.3
-	github.com/containers/storage v1.42.1-0.20220919112236-8a581aac3bdf
+	github.com/containers/storage v1.43.0
 	github.com/coreos/go-systemd/v22 v22.4.0
 	github.com/coreos/stream-metadata-go v0.0.0-20210225230131-70edb9eb47b3
 	github.com/cyphar/filepath-securejoin v0.2.3
@@ -48,7 +48,7 @@ require (
 	github.com/opencontainers/runc v1.1.4
 	github.com/opencontainers/runtime-spec v1.0.3-0.20211214071223-8958f93039ab
 	github.com/opencontainers/runtime-tools v0.9.1-0.20220714195903-17b3287fafb7
-	github.com/opencontainers/selinux v1.10.1
+	github.com/opencontainers/selinux v1.10.2
 	github.com/openshift/imagebuilder v1.2.4-0.20220711175835-4151e43600df
 	github.com/rootless-containers/rootlesskit v1.0.1
 	github.com/sirupsen/logrus v1.9.0

go.sum

@@ -420,8 +420,8 @@ github.com/containernetworking/plugins v1.1.1/go.mod h1:Sr5TH/eBsGLXK/h71HeLfX19
 github.com/containers/buildah v1.27.1-0.20220921131114-d3064796af36 h1:LTSEbPUbs0slJSJ+IH6atAjYDe0IDzA0sPgBLjT1yAo=
 github.com/containers/buildah v1.27.1-0.20220921131114-d3064796af36/go.mod h1:cY3pGPyMmrNp/sEDK8ESoBOf4hoNovptZSI0oyo8eQM=
 github.com/containers/common v0.49.2-0.20220920205255-8062f81c5497/go.mod h1:ZnhOPR/07UOkfIg5bezUpBilGjxEUdaeoUpu7gRBGc0=
-github.com/containers/common v0.49.2-0.20220926195839-590004b80685 h1:rutCgIKcew85mTUO0JTnh7XDXQfaTz/qQ3HyQHb0jZE=
+github.com/containers/common v0.49.2-0.20220929111928-2d1b45ae2423 h1:2QfVh7+dAKLg9Kht5n4YtRzg5WnQger0R1Brn/6TeUs=
-github.com/containers/common v0.49.2-0.20220926195839-590004b80685/go.mod h1:ZnhOPR/07UOkfIg5bezUpBilGjxEUdaeoUpu7gRBGc0=
+github.com/containers/common v0.49.2-0.20220929111928-2d1b45ae2423/go.mod h1:sJZt3VeNeXVQT7gTLDBu2Nr8x7Fv2/pa3n9m8661gsU=
 github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6JXHGTUje2ZYobNrkg=
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/image/v5 v5.22.1-0.20220907162003-651744379993/go.mod h1:/Ruurd87C6Ap45t1PWNOD8+SGwiZbk79XCgs1iUTvYA=
@@ -441,8 +441,9 @@ github.com/containers/psgo v1.7.3/go.mod h1:PfaNzzHmMb8M9/blPgyD4BB3ZEj/0ApZIxN6
 github.com/containers/storage v1.37.0/go.mod h1:kqeJeS0b7DO2ZT1nVWs0XufrmPFbgV3c+Q/45RlH6r4=
 github.com/containers/storage v1.42.0/go.mod h1:JiUJwOgOo1dr2DdOUc1MRe2GCAXABYoYmOdPF8yvH78=
 github.com/containers/storage v1.42.1-0.20220907083030-5aff7f62e8d0/go.mod h1:nj2fW3rgwkr6toBVFzv5OqUYs1kowX+AMiPjgv2UXN0=
-github.com/containers/storage v1.42.1-0.20220919112236-8a581aac3bdf h1:CnGYVAFSZgwYdYHnJJhVnhxtrggWsgwooG/Be1LxWGI=
 github.com/containers/storage v1.42.1-0.20220919112236-8a581aac3bdf/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s=
+github.com/containers/storage v1.43.0 h1:P+zulGXA3mqe2GnYmZU0xu87Wy1M0PVHM2ucrgmvTdU=
+github.com/containers/storage v1.43.0/go.mod h1:uZ147thiIFGdVTjMmIw19knttQnUCl3y9zjreHrg11s=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
@@ -1411,8 +1412,9 @@ github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xA
 github.com/opencontainers/selinux v1.8.5/go.mod h1:HTvjPFoGMbpQsG886e3lQwnsRWtE4TC1OF3OUvG9FAo=
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/opencontainers/selinux v1.10.1 h1:09LIPVRP3uuZGQvgR+SgMSNBd1Eb3vlRbGqQpoHsF8w=
 github.com/opencontainers/selinux v1.10.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/opencontainers/selinux v1.10.2 h1:NFy2xCsjn7+WspbfZkUd5zyVeisV7VFbPSP96+8/ha4=
+github.com/opencontainers/selinux v1.10.2/go.mod h1:cARutUbaUrlRClyvxOICCgKixCs6L05aUsohzA3EkHQ=
 github.com/openshift/imagebuilder v1.2.4-0.20220711175835-4151e43600df h1:vf6pdI10F2Tim5a9JKiVVl4/dpNz1OEhz4EnfLdLtiA=
 github.com/openshift/imagebuilder v1.2.4-0.20220711175835-4151e43600df/go.mod h1:TRYHe4CH9U6nkDjxjBNM5klrLbJBrRbpJE5SaRwUBsQ=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=

vendor/github.com/containers/common/libimage/platform.go

@@ -6,6 +6,7 @@ import (
 	"runtime"
 
 	"github.com/containerd/containerd/platforms"
+	v1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sirupsen/logrus"
 )
 
@@ -20,9 +21,18 @@ const (
 )
 
 // NormalizePlatform normalizes (according to the OCI spec) the specified os,
-// arch and variant.  If left empty, the individual item will not be normalized.
+// arch and variant.  If left empty, the individual item will be normalized.
 func NormalizePlatform(rawOS, rawArch, rawVariant string) (os, arch, variant string) {
-	rawPlatform := toPlatformString(rawOS, rawArch, rawVariant)
+	platformSpec := v1.Platform{
+		OS:           rawOS,
+		Architecture: rawArch,
+		Variant:      rawVariant,
+	}
+	normalizedSpec := platforms.Normalize(platformSpec)
+	if normalizedSpec.Variant == "" && rawVariant != "" {
+		normalizedSpec.Variant = rawVariant
+	}
+	rawPlatform := toPlatformString(normalizedSpec.OS, normalizedSpec.Architecture, normalizedSpec.Variant)
 	normalizedPlatform, err := platforms.Parse(rawPlatform)
 	if err != nil {
 		logrus.Debugf("Error normalizing platform: %v", err)
@@ -38,7 +48,7 @@ func NormalizePlatform(rawOS, rawArch, rawVariant string) (os, arch, variant str
 		arch = normalizedPlatform.Architecture
 	}
 	variant = rawVariant
-	if rawVariant != "" {
+	if rawVariant != "" || (rawVariant == "" && normalizedPlatform.Variant != "") {
 		variant = normalizedPlatform.Variant
 	}
 	return os, arch, variant

vendor/github.com/containers/common/pkg/util/util_supported.go

@@ -11,6 +11,7 @@ import (
 	"sync"
 	"syscall"
 
+	"github.com/containers/storage/pkg/homedir"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/sirupsen/logrus"
 )
@@ -31,7 +32,10 @@ func GetRuntimeDir() (string, error) {
 	var rootlessRuntimeDirError error
 
 	rootlessRuntimeDirOnce.Do(func() {
-		runtimeDir := os.Getenv("XDG_RUNTIME_DIR")
+		runtimeDir, err := homedir.GetRuntimeDir()
+		if err != nil {
+			logrus.Debug(err)
+		}
 		if runtimeDir != "" {
 			st, err := os.Stat(runtimeDir)
 			if err != nil {

vendor/github.com/containers/storage/VERSION

@@ -1 +1 @@
-1.42.1-dev
+1.43.0

vendor/github.com/containers/storage/drivers/driver_linux.go

@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 
 	"github.com/containers/storage/pkg/mount"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
 
@@ -127,9 +128,14 @@ var (
 // GetFSMagic returns the filesystem id given the path.
 func GetFSMagic(rootpath string) (FsMagic, error) {
 	var buf unix.Statfs_t
-	if err := unix.Statfs(filepath.Dir(rootpath), &buf); err != nil {
+	path := filepath.Dir(rootpath)
+	if err := unix.Statfs(path, &buf); err != nil {
 		return 0, err
 	}
+
+	if _, ok := FsNames[FsMagic(buf.Type)]; !ok {
+		logrus.Debugf("Unknown filesystem type %#x reported for %s", buf.Type, path)
+	}
 	return FsMagic(buf.Type), nil
 }
 

vendor/github.com/containers/storage/layers.go

@@ -563,6 +563,8 @@ func (s *store) newLayerStore(rundir string, layerdir string, driver drivers.Dri
 		uidMap:         copyIDMap(s.uidMap),
 		gidMap:         copyIDMap(s.gidMap),
 	}
+	rlstore.Lock()
+	defer rlstore.Unlock()
 	if err := rlstore.Load(); err != nil {
 		return nil, err
 	}
@@ -584,6 +586,8 @@ func newROLayerStore(rundir string, layerdir string, driver drivers.Driver) (ROL
 		bymount:        make(map[string]*Layer),
 		byname:         make(map[string]*Layer),
 	}
+	rlstore.RLock()
+	defer rlstore.Unlock()
 	if err := rlstore.Load(); err != nil {
 		return nil, err
 	}

vendor/github.com/containers/storage/pkg/archive/archive.go

@@ -75,6 +75,7 @@ const (
 	solaris = "solaris"
 	windows = "windows"
 	darwin  = "darwin"
+	freebsd = "freebsd"
 )
 
 var xattrsToIgnore = map[string]interface{}{
@@ -671,7 +672,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L
 		if !strings.HasPrefix(targetPath, extractDir) {
 			return breakoutError(fmt.Errorf("invalid hardlink %q -> %q", targetPath, hdr.Linkname))
 		}
-		if err := os.Link(targetPath, path); err != nil {
+		if err := handleLLink(targetPath, path); err != nil {
 			return err
 		}
 

vendor/github.com/containers/storage/pkg/archive/archive_freebsd.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"path/filepath"
 	"syscall"
+	"unsafe"
 
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/system"
@@ -111,16 +112,18 @@ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo, forceMask *
 	if forceMask != nil {
 		permissionsMask = *forceMask
 	}
-	if hdr.Typeflag == tar.TypeLink {
+	p, err := unix.BytePtrFromString(path)
-		if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
+	if err != nil {
-			if err := os.Chmod(path, permissionsMask); err != nil {
-				return err
-			}
-		}
-	} else if hdr.Typeflag != tar.TypeSymlink {
-		if err := os.Chmod(path, permissionsMask); err != nil {
 		return err
 	}
+	_, _, e1 := unix.Syscall(unix.SYS_LCHMOD, uintptr(unsafe.Pointer(p)), uintptr(permissionsMask), 0)
+	if e1 != 0 {
+		return e1
 	}
 	return nil
 }
+
+// Hardlink without following symlinks
+func handleLLink(targetPath string, path string) error {
+	return unix.Linkat(unix.AT_FDCWD, targetPath, unix.AT_FDCWD, path, 0)
+}

vendor/github.com/containers/storage/pkg/archive/archive_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows && !freebsd
 // +build !windows,!freebsd
 
 package archive
@@ -97,7 +98,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
 		mode |= unix.S_IFIFO
 	}
 
-	return system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor)))
+	return system.Mknod(path, mode, system.Mkdev(hdr.Devmajor, hdr.Devminor))
 }
 
 func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo, forceMask *os.FileMode) error {
@@ -118,3 +119,13 @@ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo, forceMask *
 	}
 	return nil
 }
+
+// Hardlink without symlinks
+func handleLLink(targetPath, path string) error {
+	// Note: on Linux, the link syscall will not follow symlinks.
+	// This behavior is implementation-dependent since
+	// POSIX.1-2008 so to make it clear that we need non-symlink
+	// following here we use the linkat syscall which has a flags
+	// field to select symlink following or not.
+	return unix.Linkat(unix.AT_FDCWD, targetPath, unix.AT_FDCWD, path, 0)
+}

vendor/github.com/containers/storage/pkg/archive/archive_windows.go

@@ -78,3 +78,8 @@ func getFileUIDGID(stat interface{}) (idtools.IDPair, error) {
 	// no notion of file ownership mapping yet on Windows
 	return idtools.IDPair{0, 0}, nil
 }
+
+// Hardlink without following symlinks
+func handleLLink(targetPath string, path string) error {
+	return os.Link(targetPath, path)
+}

vendor/github.com/containers/storage/pkg/homedir/homedir_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package homedir
@@ -46,7 +47,7 @@ func GetShortcutString() string {
 // See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
 func GetRuntimeDir() (string, error) {
 	if xdgRuntimeDir := os.Getenv("XDG_RUNTIME_DIR"); xdgRuntimeDir != "" {
-		return xdgRuntimeDir, nil
+		return filepath.EvalSymlinks(xdgRuntimeDir)
 	}
 	return "", errors.New("could not get XDG_RUNTIME_DIR")
 }

vendor/github.com/containers/storage/pkg/system/mknod.go

@@ -1,3 +1,4 @@
+//go:build !windows && !freebsd
 // +build !windows,!freebsd
 
 package system
@@ -8,8 +9,8 @@ import (
 
 // Mknod creates a filesystem node (file, device special file or named pipe) named path
 // with attributes specified by mode and dev.
-func Mknod(path string, mode uint32, dev int) error {
+func Mknod(path string, mode uint32, dev uint32) error {
-	return unix.Mknod(path, mode, dev)
+	return unix.Mknod(path, mode, int(dev))
 }
 
 // Mkdev is used to build the value of linux devices (in /dev/) which specifies major

vendor/github.com/containers/storage/pkg/system/mknod_freebsd.go

@@ -1,3 +1,4 @@
+//go:build freebsd
 // +build freebsd
 
 package system
@@ -17,6 +18,6 @@ func Mknod(path string, mode uint32, dev uint64) error {
 // Linux device nodes are a bit weird due to backwards compat with 16 bit device nodes.
 // They are, from low to high: the lower 8 bits of the minor, then 12 bits of the major,
 // then the top 12 bits of the minor.
-func Mkdev(major int64, minor int64) uint32 {
+func Mkdev(major int64, minor int64) uint64 {
-	return uint32(((minor & 0xfff00) << 12) | ((major & 0xfff) << 8) | (minor & 0xff))
+	return uint64(((minor & 0xfff00) << 12) | ((major & 0xfff) << 8) | (minor & 0xff))
 }

vendor/github.com/containers/storage/pkg/system/rm.go

@@ -35,6 +35,9 @@ func EnsureRemoveAll(dir string) error {
 	}
 
 	for {
+		if err := resetFileFlags(dir); err != nil {
+			return fmt.Errorf("resetting file flags: %w", err)
+		}
 		err := os.RemoveAll(dir)
 		if err == nil {
 			return nil

vendor/github.com/containers/storage/pkg/system/rm_common.go

@@ -0,0 +1,10 @@
+//go:build !freebsd
+// +build !freebsd
+
+package system
+
+// Reset file flags in a directory tree. This allows EnsureRemoveAll
+// to delete trees which have the immutable flag set.
+func resetFileFlags(dir string) error {
+	return nil
+}

vendor/github.com/containers/storage/pkg/system/rm_freebsd.go

@@ -0,0 +1,32 @@
+package system
+
+import (
+	"io/fs"
+	"path/filepath"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+func lchflags(path string, flags int) (err error) {
+	p, err := unix.BytePtrFromString(path)
+	if err != nil {
+		return err
+	}
+	_, _, e1 := unix.Syscall(unix.SYS_LCHFLAGS, uintptr(unsafe.Pointer(p)), uintptr(flags), 0)
+	if e1 != 0 {
+		return e1
+	}
+	return nil
+}
+
+// Reset file flags in a directory tree. This allows EnsureRemoveAll
+// to delete trees which have the immutable flag set.
+func resetFileFlags(dir string) error {
+	return filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
+		if err := lchflags(path, 0); err != nil {
+			return err
+		}
+		return nil
+	})
+}

vendor/github.com/containers/storage/types/options.go

@@ -38,17 +38,44 @@ var (
 )
 
 func loadDefaultStoreOptions() {
-	defaultStoreOptions.RunRoot = defaultRunRoot
-	defaultStoreOptions.GraphRoot = defaultGraphRoot
 	defaultStoreOptions.GraphDriverName = ""
 
+	setDefaults := func() {
+		// reload could set values to empty for run and graph root if config does not contains anything
+		if defaultStoreOptions.RunRoot == "" {
+			defaultStoreOptions.RunRoot = defaultRunRoot
+		}
+		if defaultStoreOptions.GraphRoot == "" {
+			defaultStoreOptions.GraphRoot = defaultGraphRoot
+		}
+	}
+	setDefaults()
+
 	if path, ok := os.LookupEnv(storageConfEnv); ok {
 		defaultOverrideConfigFile = path
 		if err := ReloadConfigurationFileIfNeeded(path, &defaultStoreOptions); err != nil {
 			loadDefaultStoreOptionsErr = err
 			return
 		}
-	} else if _, err := os.Stat(defaultOverrideConfigFile); err == nil {
+		setDefaults()
+		return
+	}
+
+	if path, ok := os.LookupEnv("XDG_CONFIG_HOME"); ok {
+		homeConfigFile := filepath.Join(path, "containers", "storage.conf")
+		if _, err := os.Stat(homeConfigFile); err == nil {
+			// user storage.conf in XDG_CONFIG_HOME if it exists
+			defaultOverrideConfigFile = homeConfigFile
+		} else {
+			if !os.IsNotExist(err) {
+				loadDefaultStoreOptionsErr = err
+				return
+			}
+		}
+	}
+
+	_, err := os.Stat(defaultOverrideConfigFile)
+	if err == nil {
 		// The DefaultConfigFile(rootless) function returns the path
 		// of the used storage.conf file, by returning defaultConfigFile
 		// If override exists containers/storage uses it by default.
@@ -57,7 +84,10 @@ func loadDefaultStoreOptions() {
 			loadDefaultStoreOptionsErr = err
 			return
 		}
-	} else {
+		setDefaults()
+		return
+	}
+
 	if !os.IsNotExist(err) {
 		logrus.Warningf("Attempting to use %s, %v", defaultConfigFile, err)
 	}
@@ -65,14 +95,7 @@ func loadDefaultStoreOptions() {
 		loadDefaultStoreOptionsErr = err
 		return
 	}
-	}
+	setDefaults()
-	// reload could set values to empty for run and graph root if config does not contains anything
-	if defaultStoreOptions.RunRoot == "" {
-		defaultStoreOptions.RunRoot = defaultRunRoot
-	}
-	if defaultStoreOptions.GraphRoot == "" {
-		defaultStoreOptions.GraphRoot = defaultGraphRoot
-	}
 }
 
 // defaultStoreOptionsIsolated is an internal implementation detail of DefaultStoreOptions to allow testing.

vendor/github.com/opencontainers/selinux/go-selinux/doc.go

@@ -9,6 +9,5 @@ Usage:
 	if selinux.EnforceMode() != selinux.Enforcing {
 		selinux.SetEnforceMode(selinux.Enforcing)
 	}
-
 */
 package selinux

vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go

@@ -3,8 +3,6 @@ package label
 import (
 	"errors"
 	"fmt"
-	"os"
-	"os/user"
 	"strings"
 
 	"github.com/opencontainers/selinux/go-selinux"
@@ -113,50 +111,6 @@ func Relabel(path string, fileLabel string, shared bool) error {
 		return nil
 	}
 
-	exclude_paths := map[string]bool{
-		"/":           true,
-		"/bin":        true,
-		"/boot":       true,
-		"/dev":        true,
-		"/etc":        true,
-		"/etc/passwd": true,
-		"/etc/pki":    true,
-		"/etc/shadow": true,
-		"/home":       true,
-		"/lib":        true,
-		"/lib64":      true,
-		"/media":      true,
-		"/opt":        true,
-		"/proc":       true,
-		"/root":       true,
-		"/run":        true,
-		"/sbin":       true,
-		"/srv":        true,
-		"/sys":        true,
-		"/tmp":        true,
-		"/usr":        true,
-		"/var":        true,
-		"/var/lib":    true,
-		"/var/log":    true,
-	}
-
-	if home := os.Getenv("HOME"); home != "" {
-		exclude_paths[home] = true
-	}
-
-	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
-		if usr, err := user.Lookup(sudoUser); err == nil {
-			exclude_paths[usr.HomeDir] = true
-		}
-	}
-
-	if path != "/" {
-		path = strings.TrimSuffix(path, "/")
-	}
-	if exclude_paths[path] {
-		return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
-	}
-
 	if shared {
 		c, err := selinux.NewContext(fileLabel)
 		if err != nil {

vendor/github.com/opencontainers/selinux/go-selinux/label/label_stub.go

@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux
 
 package label

vendor/github.com/opencontainers/selinux/go-selinux/rchcon.go

@@ -1,3 +1,4 @@
+//go:build linux && go1.16
 // +build linux,go1.16
 
 package selinux
@@ -11,7 +12,18 @@ import (
 )
 
 func rchcon(fpath, label string) error {
+	fastMode := false
+	// If the current label matches the new label, assume
+	// other labels are correct.
+	if cLabel, err := lFileLabel(fpath); err == nil && cLabel == label {
+		fastMode = true
+	}
 	return pwalkdir.Walk(fpath, func(p string, _ fs.DirEntry, _ error) error {
+		if fastMode {
+			if cLabel, err := lFileLabel(fpath); err == nil && cLabel == label {
+				return nil
+			}
+		}
 		e := lSetFileLabel(p, label)
 		// Walk a file tree can race with removal, so ignore ENOENT.
 		if errors.Is(e, os.ErrNotExist) {

vendor/github.com/opencontainers/selinux/go-selinux/rchcon_go115.go

@@ -1,3 +1,4 @@
+//go:build linux && !go1.16
 // +build linux,!go1.16
 
 package selinux

vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go

@@ -11,6 +11,7 @@ import (
 	"io/ioutil"
 	"math/big"
 	"os"
+	"os/user"
 	"path"
 	"path/filepath"
 	"strconv"
@@ -1072,21 +1073,6 @@ func copyLevel(src, dest string) (string, error) {
 	return tcon.Get(), nil
 }
 
-// Prevent users from relabeling system files
-func badPrefix(fpath string) error {
-	if fpath == "" {
-		return ErrEmptyPath
-	}
-
-	badPrefixes := []string{"/usr"}
-	for _, prefix := range badPrefixes {
-		if strings.HasPrefix(fpath, prefix) {
-			return fmt.Errorf("relabeling content in %s is not allowed", prefix)
-		}
-	}
-	return nil
-}
-
 // chcon changes the fpath file object to the SELinux label label.
 // If fpath is a directory and recurse is true, then chcon walks the
 // directory tree setting the label.
@@ -1097,12 +1083,70 @@ func chcon(fpath string, label string, recurse bool) error {
 	if label == "" {
 		return nil
 	}
-	if err := badPrefix(fpath); err != nil {
+
-		return err
+	exclude_paths := map[string]bool{
+		"/":           true,
+		"/bin":        true,
+		"/boot":       true,
+		"/dev":        true,
+		"/etc":        true,
+		"/etc/passwd": true,
+		"/etc/pki":    true,
+		"/etc/shadow": true,
+		"/home":       true,
+		"/lib":        true,
+		"/lib64":      true,
+		"/media":      true,
+		"/opt":        true,
+		"/proc":       true,
+		"/root":       true,
+		"/run":        true,
+		"/sbin":       true,
+		"/srv":        true,
+		"/sys":        true,
+		"/tmp":        true,
+		"/usr":        true,
+		"/var":        true,
+		"/var/lib":    true,
+		"/var/log":    true,
+	}
+
+	if home := os.Getenv("HOME"); home != "" {
+		exclude_paths[home] = true
+	}
+
+	if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+		if usr, err := user.Lookup(sudoUser); err == nil {
+			exclude_paths[usr.HomeDir] = true
+		}
+	}
+
+	if fpath != "/" {
+		fpath = strings.TrimSuffix(fpath, "/")
+	}
+	if exclude_paths[fpath] {
+		return fmt.Errorf("SELinux relabeling of %s is not allowed", fpath)
 	}
 
 	if !recurse {
-		return setFileLabel(fpath, label)
+		err := lSetFileLabel(fpath, label)
+		if err != nil {
+			// Check if file doesn't exist, must have been removed
+			if errors.Is(err, os.ErrNotExist) {
+				return nil
+			}
+			// Check if current label is correct on disk
+			flabel, nerr := lFileLabel(fpath)
+			if nerr == nil && flabel == label {
+				return nil
+			}
+			// Check if file doesn't exist, must have been removed
+			if errors.Is(nerr, os.ErrNotExist) {
+				return nil
+			}
+			return err
+		}
+		return nil
 	}
 
 	return rchcon(fpath, label)

vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go

@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux
 
 package selinux

vendor/modules.txt

@@ -120,7 +120,7 @@ github.com/containers/buildah/pkg/rusage
 github.com/containers/buildah/pkg/sshagent
 github.com/containers/buildah/pkg/util
 github.com/containers/buildah/util
-# github.com/containers/common v0.49.2-0.20220926195839-590004b80685
+# github.com/containers/common v0.49.2-0.20220929111928-2d1b45ae2423
 ## explicit; go 1.17
 github.com/containers/common/libimage
 github.com/containers/common/libimage/define
@@ -266,7 +266,7 @@ github.com/containers/psgo/internal/dev
 github.com/containers/psgo/internal/host
 github.com/containers/psgo/internal/proc
 github.com/containers/psgo/internal/process
-# github.com/containers/storage v1.42.1-0.20220919112236-8a581aac3bdf
+# github.com/containers/storage v1.43.0
 ## explicit; go 1.16
 github.com/containers/storage
 github.com/containers/storage/drivers
@@ -638,7 +638,7 @@ github.com/opencontainers/runtime-tools/generate
 github.com/opencontainers/runtime-tools/generate/seccomp
 github.com/opencontainers/runtime-tools/specerror
 github.com/opencontainers/runtime-tools/validate
-# github.com/opencontainers/selinux v1.10.1
+# github.com/opencontainers/selinux v1.10.2
 ## explicit; go 1.13
 github.com/opencontainers/selinux/go-selinux
 github.com/opencontainers/selinux/go-selinux/label