Update vendor containers/(common,storage,buildah,image)

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-12-02 02:58:03 +08:00 · 2022-10-27 16:26:57 -04:00
parent 26e5661c27
commit 6fe64591d6
283 changed files with 32861 additions and 4204 deletions
--- a/vendor/github.com/containers/buildah/pkg/sshagent/sshagent.go
+++ b/vendor/github.com/containers/buildah/pkg/sshagent/sshagent.go
@@ -8,6 +8,7 @@ import (
 	"net"
 	"os"
 	"path/filepath"
+	"runtime"
 	"sync"
 	"time"

@@ -68,6 +69,13 @@ func newAgentServerSocket(socketPath string) (*AgentServer, error) {

 // Serve starts the SSH agent on the host and returns the path of the socket where the agent is serving
 func (a *AgentServer) Serve(processLabel string) (string, error) {
+	// Calls to `selinux.SetSocketLabel` should be wrapped in
+	// runtime.LockOSThread()/runtime.UnlockOSThread() until
+	// the the socket is created to guarantee another goroutine
+	// does not migrate to the current thread before execution
+	// is complete.
+	// Ref: https://github.com/opencontainers/selinux/blob/main/go-selinux/selinux.go#L158
+	runtime.LockOSThread()
 	err := selinux.SetSocketLabel(processLabel)
 	if err != nil {
 		return "", err
@@ -83,7 +91,12 @@ func (a *AgentServer) Serve(processLabel string) (string, error) {
 	if err != nil {
 		return "", err
 	}
+	// Reset socket label.
 	err = selinux.SetSocketLabel("")
+	// Unlock the thread only if the process label could be restored
+	// successfully.  Otherwise leave the thread locked and the Go runtime
+	// will terminate it once it returns to the threads pool.
+	runtime.UnlockOSThread()
 	if err != nil {
 		return "", err
 	}