vendor: update common, image, storage to main

This also then bumps github.com/opencontainers/runtime-spec to v1.3.0
which contains breaking changes of the pid type as such we had to update
all the podman callers.

And tags.cncf.io/container-device-interface also used some changed
types from it and they have been updated in main so bump to the latest
commit there as well in order to get podman to compile properly.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/containers/winquit v1.1.0
 	github.com/coreos/go-systemd/v22 v22.6.0
 	github.com/crc-org/vfkit v0.6.1
-	github.com/cyphar/filepath-securejoin v0.6.0
+	github.com/cyphar/filepath-securejoin v0.6.1
 	github.com/digitalocean/go-qemu v0.0.0-20250212194115-ee9b0668d242
 	github.com/docker/distribution v2.8.3+incompatible
 	github.com/docker/docker v28.5.2+incompatible
@@ -52,8 +52,8 @@ require (
 	github.com/opencontainers/cgroups v0.0.6
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
-	github.com/opencontainers/runtime-spec v1.2.1
-	github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2
+	github.com/opencontainers/runtime-spec v1.3.0
+	github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116
 	github.com/opencontainers/selinux v1.13.1
 	github.com/openshift/imagebuilder v1.2.19
 	github.com/rootless-containers/rootlesskit/v2 v2.3.5
@@ -64,9 +64,9 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/vbauerster/mpb/v8 v8.11.2
 	github.com/vishvananda/netlink v1.3.1
-	go.podman.io/common v0.66.1-0.20251112195944-4afce3558e66
-	go.podman.io/image/v5 v5.38.1-0.20251112195944-4afce3558e66
-	go.podman.io/storage v1.61.1-0.20251112195944-4afce3558e66
+	go.podman.io/common v0.66.1-0.20251120131032-23712697ddda
+	go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda
+	go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda
 	golang.org/x/crypto v0.45.0
 	golang.org/x/net v0.47.0
 	golang.org/x/sync v0.18.0
@@ -77,7 +77,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1
 	gopkg.in/yaml.v3 v3.0.1
 	sigs.k8s.io/yaml v1.6.0
-	tags.cncf.io/container-device-interface v1.0.1
+	tags.cncf.io/container-device-interface v1.0.2-0.20251120202831-139ffec09210
 )
 
 require (
@@ -193,5 +193,5 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
-	tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect
+	tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210 // indirect
 )

go.sum

@@ -94,8 +94,8 @@ github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 h1:uX1JmpONuD549D73r6cgnxyUu18Zb7yHAy5AYU0Pm4Q=
 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
-github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is=
-github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
+github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
+github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -108,8 +108,8 @@ github.com/disiqueira/gotree/v3 v3.0.2 h1:ik5iuLQQoufZBNPY518dXhiO5056hyNBIK9lWh
 github.com/disiqueira/gotree/v3 v3.0.2/go.mod h1:ZuyjE4+mUQZlbpkI24AmruZKhg3VHEgPLDY8Qk+uUu8=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v29.0.0+incompatible h1:KgsN2RUFMNM8wChxryicn4p46BdQWpXOA1XLGBGPGAw=
-github.com/docker/cli v29.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.0.2+incompatible h1:iLuKy2GWOSLXGp8feLYBJQVDv7m/8xoofz6lPq41x6A=
+github.com/docker/cli v29.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
@@ -316,10 +316,10 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/opencontainers/runc v1.3.3 h1:qlmBbbhu+yY0QM7jqfuat7M1H3/iXjju3VkP9lkFQr4=
 github.com/opencontainers/runc v1.3.3/go.mod h1:D7rL72gfWxVs9cJ2/AayxB0Hlvn9g0gaF1R7uunumSI=
-github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
-github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2 h1:2xZEHOdeQBV6PW8ZtimN863bIOl7OCW/X10K0cnxKeA=
-github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2/go.mod h1:MXdPzqAA8pHC58USHqNCSjyLnRQ6D+NjbpP+02Z1U/0=
+github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
+github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116 h1:tAKu3NkKWZYpqBSOJKwTxT1wIGueiF7gcmcNgr5pNTY=
+github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116/go.mod h1:DKDEfzxvRkoQ6n9TGhxQgg2IM1lY4aM0eaQP4e3oElw=
 github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE=
 github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg=
 github.com/openshift/imagebuilder v1.2.19 h1:Xqq36KMJgsRU2MPaLRML23Myvk+AaY8pE8VJ6m6Vmy4=
@@ -471,12 +471,12 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr
 go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
-go.podman.io/common v0.66.1-0.20251112195944-4afce3558e66 h1:C0U9hTxFs0cG6dWb1u7/IFwv2O7NEMivyPnqh/k/9Z8=
-go.podman.io/common v0.66.1-0.20251112195944-4afce3558e66/go.mod h1:H5zW6J35uvTzKtELI3lf4aj1QLxFY5wry/o78adU7+Q=
-go.podman.io/image/v5 v5.38.1-0.20251112195944-4afce3558e66 h1:YOTQaRJjUfS+LKrw31G7pF2oY/ReOV6n0fVZez5f0Ic=
-go.podman.io/image/v5 v5.38.1-0.20251112195944-4afce3558e66/go.mod h1:ycRSRkCZDb+EOojdmG67HARjAojZ/ERUNbFuORg3KZU=
-go.podman.io/storage v1.61.1-0.20251112195944-4afce3558e66 h1:u9vVRYZwZgPY8a/yxKTI4C3uwZHMa5GjXZEDHIwe9P4=
-go.podman.io/storage v1.61.1-0.20251112195944-4afce3558e66/go.mod h1:inOm1g24NqCjTY6aPC11MMHtj8Asgi+3aOvKOPldnCI=
+go.podman.io/common v0.66.1-0.20251120131032-23712697ddda h1:Ib1vIEYB5eCSz3G09sROyY/j09jztFlWRm4G52vWj3k=
+go.podman.io/common v0.66.1-0.20251120131032-23712697ddda/go.mod h1:8qbjUhjwp4i5u1O19vzwYW2qwIuPdFXIuv4nl3Z8px8=
+go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda h1:YySc/E4bpD5b5y4kFN/7ZDo5JcXnOpPfwU78kH9D+EU=
+go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda/go.mod h1:9DniP9NaGH03kzwNKYEtOXgRJwO+cQHENH+G4sOwLNc=
+go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda h1:bC4fEguil4pwVp2U2zKWUC5ouqIwRDdtyJxtX1bPY+0=
+go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda/go.mod h1:4p18A5ymiiJTllTu2Eo7CX88SO+V110TMzi31pXsb1s=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
@@ -625,7 +625,7 @@ sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
 src.elv.sh v0.16.0-rc1.0.20220116211855-fda62502ad7f h1:pjVeIo9Ba6K1Wy+rlwX91zT7A+xGEmxiNRBdN04gDTQ=
 src.elv.sh v0.16.0-rc1.0.20220116211855-fda62502ad7f/go.mod h1:kPbhv5+fBeUh85nET3wWhHGUaUQ64nZMJ8FwA5v5Olg=
-tags.cncf.io/container-device-interface v1.0.1 h1:KqQDr4vIlxwfYh0Ed/uJGVgX+CHAkahrgabg6Q8GYxc=
-tags.cncf.io/container-device-interface v1.0.1/go.mod h1:JojJIOeW3hNbcnOH2q0NrWNha/JuHoDZcmYxAZwb2i0=
-tags.cncf.io/container-device-interface/specs-go v1.0.0 h1:8gLw29hH1ZQP9K1YtAzpvkHCjjyIxHZYzBAvlQ+0vD8=
-tags.cncf.io/container-device-interface/specs-go v1.0.0/go.mod h1:u86hoFWqnh3hWz3esofRFKbI261bUlvUfLKGrDhJkgQ=
+tags.cncf.io/container-device-interface v1.0.2-0.20251120202831-139ffec09210 h1:ucIvxFr8UEFjsROkGrjxb3BKqZZpfifkRT9nLgeMD9U=
+tags.cncf.io/container-device-interface v1.0.2-0.20251120202831-139ffec09210/go.mod h1:kIlIMADdgOVbyLj4ZvEtCvHXqFXqxfbVKKKgBZt8NgQ=
+tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210 h1:SDIHrIFfJP54QHSdPS0VfwcVYodmkp6y/OPL/ceoejs=
+tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210/go.mod h1:u86hoFWqnh3hWz3esofRFKbI261bUlvUfLKGrDhJkgQ=

libpod/container_inspect_linux.go

@@ -70,8 +70,8 @@ func (c *Container) platformInspectContainerHostConfig(ctrSpec *spec.Spec, hostC
 					hostConfig.OomKillDisable = *ctrSpec.Linux.Resources.Memory.DisableOOMKiller
 				}
 			}
-			if ctrSpec.Linux.Resources.Pids != nil {
-				hostConfig.PidsLimit = ctrSpec.Linux.Resources.Pids.Limit
+			if ctrSpec.Linux.Resources.Pids != nil && ctrSpec.Linux.Resources.Pids.Limit != nil {
+				hostConfig.PidsLimit = *ctrSpec.Linux.Resources.Pids.Limit
 			}
 			hostConfig.CgroupConf = ctrSpec.Linux.Resources.Unified
 			if ctrSpec.Linux.Resources.BlockIO != nil {

libpod/oci_conmon_linux.go

@@ -375,7 +375,7 @@ func GetLimits(resource *spec.LinuxResources) (runcconfig.Resources, error) {
 
 	// Pids
 	if resource.Pids != nil {
-		final.PidsLimit = &resource.Pids.Limit
+		final.PidsLimit = resource.Pids.Limit
 	}
 
 	// Networking

pkg/api/handlers/compat/containers.go

@@ -801,7 +801,7 @@ func UpdateContainer(w http.ResponseWriter, r *http.Request) {
 		if resources.Pids == nil {
 			resources.Pids = new(spec.LinuxPids)
 		}
-		resources.Pids.Limit = *options.PidsLimit
+		resources.Pids.Limit = options.PidsLimit
 	}
 
 	// Blkio Weight

pkg/specgen/generate/kube/kube.go

@@ -397,7 +397,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 			s.ResourceLimits = &spec.LinuxResources{}
 		}
 		s.ResourceLimits.Pids = &spec.LinuxPids{
-			Limit: pidslimitAsInt,
+			Limit: &pidslimitAsInt,
 		}
 	}
 

pkg/specgen/resources_linux.go

@@ -14,7 +14,7 @@ func (s *SpecGenerator) InitResourceLimits(rtc *config.Config) {
 					s.ResourceLimits = &spec.LinuxResources{}
 				}
 				s.ResourceLimits.Pids = &spec.LinuxPids{
-					Limit: limit,
+					Limit: &limit,
 				}
 			}
 		}

pkg/specgenutil/specgen.go

@@ -1292,7 +1292,7 @@ func GetResources(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions)
 	}
 	if c.PIDsLimit != nil {
 		pids := specs.LinuxPids{
-			Limit: *c.PIDsLimit,
+			Limit: c.PIDsLimit,
 		}
 
 		s.ResourceLimits.Pids = &pids

vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md

@@ -6,62 +6,52 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased] ##
 
+## [0.6.1] - 2025-11-19 ##
+
+> At last up jumped the cunning spider, and fiercely held her fast.
+
+### Fixed ###
+- Our logic for deciding whether to use `openat2(2)` or fallback to an `O_PATH`
+  resolver would cache the result to avoid doing needless test runs of
+  `openat2(2)`. However, this causes issues when `pathrs-lite` is being used by
+  a program that applies new seccomp-bpf filters onto itself -- if the filter
+  denies `openat2(2)` then we would return that error rather than falling back
+  to the `O_PATH` resolver. To resolve this issue, we no longer cache the
+  result if `openat2(2)` was successful, only if there was an error.
+- A file descriptor leak in our `openat2` wrapper (when doing the necessary
+  `dup` for `RESOLVE_IN_ROOT`) has been removed.
+
+## [0.5.2] - 2025-11-19 ##
+
+> "Will you walk into my parlour?" said a spider to a fly.
+
+### Fixed ###
+- Our logic for deciding whether to use `openat2(2)` or fallback to an `O_PATH`
+  resolver would cache the result to avoid doing needless test runs of
+  `openat2(2)`. However, this causes issues when `pathrs-lite` is being used by
+  a program that applies new seccomp-bpf filters onto itself -- if the filter
+  denies `openat2(2)` then we would return that error rather than falling back
+  to the `O_PATH` resolver. To resolve this issue, we no longer cache the
+  result if `openat2(2)` was successful, only if there was an error.
+- A file descriptor leak in our `openat2` wrapper (when doing the necessary
+  `dup` for `RESOLVE_IN_ROOT`) has been removed.
+
 ## [0.6.0] - 2025-11-03 ##
 
 > By the Power of Greyskull!
 
-While quite small code-wise, this release marks a very key point in the
-development of filepath-securejoin.
-
-filepath-securejoin was originally intended (back in 2017) to simply be a
-single-purpose library that would take some common code used in container
-runtimes (specifically, Docker's `FollowSymlinksInScope`) and make it more
-general-purpose (with the eventual goals of it ending up in the Go stdlib).
-
-Of course, I quickly discovered that this problem was actually far more
-complicated to solve when dealing with racing attackers, which lead to me
-developing `openat2(2)` and [libpathrs][]. I had originally planned for
-libpathrs to completely replace filepath-securejoin "once it was ready" but in
-the interim we needed to fix several race attacks in runc as part of security
-advisories. Obviously we couldn't require the usage of a pre-0.1 Rust library
-in runc so it was necessary to port bits of libpathrs into filepath-securejoin.
-(Ironically the first prototypes of libpathrs were originally written in Go and
-then rewritten to Rust, so the code in filepath-securejoin is actually Go code
-that was rewritten to Rust then re-rewritten to Go.)
-
-It then became clear that pure-Go libraries will likely not be willing to
-require CGo for all of their builds, so it was necessary to accept that
-filepath-securejoin will need to stay. As such, in v0.5.0 we provided more
-pure-Go implementations of features from libpathrs but moved them into
-`pathrs-lite` subpackage to clarify what purpose these helpers serve.
-
-This release finally closes the loop and makes it so that pathrs-lite can
-transparently use libpathrs (via a `libpathrs` build-tag). This means that
-upstream libraries can use the pure Go version if they prefer, but downstreams
-(either downstream library users or even downstream distributions) are able to
-migrate to libpathrs for all usages of pathrs-lite in an entire Go binary.
-
-I should make it clear that I do not plan to port the rest of libpathrs to Go,
-as I do not wish to maintain two copies of the same codebase. pathrs-lite
-already provides the core essentials necessary to operate on paths safely for
-most modern systems. Users who want additional hardening or more ergonomic APIs
-are free to use [`cyphar.com/go-pathrs`][go-pathrs] (libpathrs's Go bindings).
-
-[libpathrs]: https://github.com/cyphar/libpathrs
-[go-pathrs]: https://cyphar.com/go-pathrs
-
 ### Breaking ###
 - The deprecated `MkdirAll`, `MkdirAllHandle`, `OpenInRoot`, `OpenatInRoot` and
   `Reopen` wrappers have been removed. Please switch to using `pathrs-lite`
   directly.
 
 ### Added ###
-- `pathrs-lite` now has support for using [libpathrs][libpathrs] as a backend.
-  This is opt-in and can be enabled at build time with the `libpathrs` build
-  tag. The intention is to allow for downstream libraries and other projects to
-  make use of the pure-Go `github.com/cyphar/filepath-securejoin/pathrs-lite`
-  package and distributors can then opt-in to using `libpathrs` for the entire
-  binary if they wish.
+- `pathrs-lite` now has support for using libpathrs as a backend. This is
+  opt-in and can be enabled at build time with the `libpathrs` build tag. The
+  intention is to allow for downstream libraries and other projects to make use
+  of the pure-Go `github.com/cyphar/filepath-securejoin/pathrs-lite` package
+  and distributors can then opt-in to using `libpathrs` for the entire binary
+  if they wish.
 
 ## [0.5.1] - 2025-10-31 ##
 
@@ -440,8 +430,10 @@ This is our first release of `github.com/cyphar/filepath-securejoin`,
 containing a full implementation with a coverage of 93.5% (the only missing
 cases are the error cases, which are hard to mocktest at the moment).
 
-[Unreleased]: https://github.com/cyphar/filepath-securejoin/compare/v0.6.0...HEAD
-[0.6.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.5.1...v0.6.0
+[Unreleased]: https://github.com/cyphar/filepath-securejoin/compare/v0.6.1...HEAD
+[0.6.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.6.0...v0.6.1
+[0.6.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.5.0...v0.6.0
+[0.5.2]: https://github.com/cyphar/filepath-securejoin/compare/v0.5.1...v0.5.2
 [0.5.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.5.0...v0.5.1
 [0.5.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.1...v0.5.0
 [0.4.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.0...v0.4.1

vendor/github.com/cyphar/filepath-securejoin/VERSION

@@ -1 +1 @@
-0.6.0
+0.6.1

vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go

@@ -39,7 +39,9 @@ const scopedLookupMaxRetries = 128
 
 // Openat2 is an [Fd]-based wrapper around unix.Openat2, but with some retry
 // logic in case of EAGAIN errors.
-func Openat2(dir Fd, path string, how *unix.OpenHow) (*os.File, error) {
+//
+// NOTE: This is a variable so that the lookup tests can force openat2 to fail.
+var Openat2 = func(dir Fd, path string, how *unix.OpenHow) (*os.File, error) {
 	dirFd, fullPath := prepareAt(dir, path)
 	// Make sure we always set O_CLOEXEC.
 	how.Flags |= unix.O_CLOEXEC

vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_go119.go

@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && go1.19
+
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocompat
+
+import (
+	"sync/atomic"
+)
+
+// A Bool is an atomic boolean value.
+// The zero value is false.
+//
+// Bool must not be copied after first use.
+type Bool = atomic.Bool

vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat/gocompat_atomic_unsupported.go

@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux && !go1.19
+
+// Copyright (C) 2024-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package gocompat
+
+import (
+	"sync/atomic"
+)
+
+// noCopy may be added to structs which must not be copied
+// after the first use.
+//
+// See https://golang.org/issues/8005#issuecomment-190753527
+// for details.
+//
+// Note that it must not be embedded, due to the Lock and Unlock methods.
+type noCopy struct{}
+
+// Lock is a no-op used by -copylocks checker from `go vet`.
+func (*noCopy) Lock() {}
+
+// b32 returns a uint32 0 or 1 representing b.
+func b32(b bool) uint32 {
+	if b {
+		return 1
+	}
+	return 0
+}
+
+// A Bool is an atomic boolean value.
+// The zero value is false.
+//
+// Bool must not be copied after first use.
+type Bool struct {
+	_ noCopy
+	v uint32
+}
+
+// Load atomically loads and returns the value stored in x.
+func (x *Bool) Load() bool { return atomic.LoadUint32(&x.v) != 0 }
+
+// Store atomically stores val into x.
+func (x *Bool) Store(val bool) { atomic.StoreUint32(&x.v, b32(val)) }

vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/lookup_linux.go

@@ -193,8 +193,13 @@ func lookupInRoot(root fd.Fd, unsafePath string, partial bool) (Handle *os.File,
 	// managed open, along with the remaining path components not opened.
 
 	// Try to use openat2 if possible.
-	if linux.HasOpenat2() {
-		return lookupOpenat2(root, unsafePath, partial)
+	//
+	// NOTE: If openat2(2) works normally but fails for this lookup, it is
+	// probably not a good idea to fall-back to the O_PATH resolver. An
+	// attacker could find a bug in the O_PATH resolver and uncontionally
+	// falling back to the O_PATH resolver would form a downgrade attack.
+	if handle, remainingPath, err := lookupOpenat2(root, unsafePath, partial); err == nil || linux.HasOpenat2() {
+		return handle, remainingPath, err
 	}
 
 	// Get the "actual" root path from /proc/self/fd. This is necessary if the

vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gopathrs/openat2_linux.go

@@ -41,6 +41,7 @@ func openat2(dir fd.Fd, path string, how *unix.OpenHow) (*os.File, error) {
 			if err != nil {
 				return nil, err
 			}
+			_ = file.Close()
 			file = newFile
 		}
 	}

vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/linux/openat2_linux.go

@@ -17,15 +17,27 @@ import (
 	"github.com/cyphar/filepath-securejoin/pathrs-lite/internal/gocompat"
 )
 
+// sawOpenat2Error stores whether we have seen an error from HasOpenat2. This
+// is a one-way toggle, so as soon as we see an error we "lock" into that mode.
+// We cannot use sync.OnceValue to store the success/fail state once because it
+// is possible for the program we are running in to apply a seccomp-bpf filter
+// and thus disable openat2 during execution.
+var sawOpenat2Error gocompat.Bool
+
 // HasOpenat2 returns whether openat2(2) is supported on the running kernel.
-var HasOpenat2 = gocompat.SyncOnceValue(func() bool {
+var HasOpenat2 = func() bool {
+	if sawOpenat2Error.Load() {
+		return false
+	}
+
 	fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{
 		Flags:   unix.O_PATH | unix.O_CLOEXEC,
 		Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT,
 	})
 	if err != nil {
+		sawOpenat2Error.Store(true) // doesn't matter if we race here
 		return false
 	}
 	_ = unix.Close(fd)
 	return true
-})
+}

vendor/github.com/opencontainers/runtime-spec/specs-go/config.go

@@ -31,6 +31,8 @@ type Spec struct {
 	VM *VM `json:"vm,omitempty" platform:"vm"`
 	// ZOS is platform-specific configuration for z/OS based containers.
 	ZOS *ZOS `json:"zos,omitempty" platform:"zos"`
+	// FreeBSD is platform-specific configuration for FreeBSD based containers.
+	FreeBSD *FreeBSD `json:"freebsd,omitempty" platform:"freebsd"`
 }
 
 // Scheduler represents the scheduling attributes for a process. It is based on
@@ -170,7 +172,7 @@ type Mount struct {
 	// Destination is the absolute path where the mount will be placed in the container.
 	Destination string `json:"destination"`
 	// Type specifies the mount kind.
-	Type string `json:"type,omitempty" platform:"linux,solaris,zos"`
+	Type string `json:"type,omitempty" platform:"linux,solaris,zos,freebsd"`
 	// Source specifies the source path of the mount.
 	Source string `json:"source,omitempty"`
 	// Options are fstab style mount options.
@@ -236,6 +238,8 @@ type Linux struct {
 	Namespaces []LinuxNamespace `json:"namespaces,omitempty"`
 	// Devices are a list of device nodes that are created for the container
 	Devices []LinuxDevice `json:"devices,omitempty"`
+	// NetDevices are key-value pairs, keyed by network device name on the host, moved to the container's network namespace.
+	NetDevices map[string]LinuxNetDevice `json:"netDevices,omitempty"`
 	// Seccomp specifies the seccomp security settings for the container.
 	Seccomp *LinuxSeccomp `json:"seccomp,omitempty"`
 	// RootfsPropagation is the rootfs mount propagation mode for the container.
@@ -249,6 +253,8 @@ type Linux struct {
 	// IntelRdt contains Intel Resource Director Technology (RDT) information for
 	// handling resource constraints and monitoring metrics (e.g., L3 cache, memory bandwidth) for the container
 	IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
+	// MemoryPolicy contains NUMA memory policy for the container.
+	MemoryPolicy *LinuxMemoryPolicy `json:"memoryPolicy,omitempty"`
 	// Personality contains configuration for the Linux personality syscall
 	Personality *LinuxPersonality `json:"personality,omitempty"`
 	// TimeOffsets specifies the offset for supporting time namespaces.
@@ -430,7 +436,7 @@ type LinuxCPU struct {
 // LinuxPids for Linux cgroup 'pids' resource management (Linux 4.3)
 type LinuxPids struct {
 	// Maximum number of PIDs. Default is "no limit".
-	Limit int64 `json:"limit"`
+	Limit *int64 `json:"limit,omitempty"`
 }
 
 // LinuxNetwork identification and priority configuration
@@ -491,6 +497,12 @@ type LinuxDevice struct {
 	GID *uint32 `json:"gid,omitempty"`
 }
 
+// LinuxNetDevice represents a single network device to be added to the container's network namespace
+type LinuxNetDevice struct {
+	// Name of the device in the container namespace
+	Name string `json:"name,omitempty"`
+}
+
 // LinuxDeviceCgroup represents a device rule for the devices specified to
 // the device controller
 type LinuxDeviceCgroup struct {
@@ -678,6 +690,32 @@ type WindowsHyperV struct {
 	UtilityVMPath string `json:"utilityVMPath,omitempty"`
 }
 
+// IOMems contains information about iomem addresses that should be passed to the VM.
+type IOMems struct {
+	// Guest Frame Number to map the iomem range. If GFN is not specified, the mapping will be done to the same Frame Number as was provided in FirstMFN.
+	FirstGFN *uint64 `json:"firstGFN,omitempty"`
+	// Physical page number of iomem regions.
+	FirstMFN *uint64 `json:"firstMFN"`
+	// Number of pages to be mapped.
+	NrMFNs *uint64 `json:"nrMFNs"`
+}
+
+// Hardware configuration for the VM image
+type HWConfig struct {
+	// Path to the container device-tree file that should be passed to the VM configuration.
+	DeviceTree string `json:"deviceTree,omitempty"`
+	// Number of virtual cpus for the VM.
+	VCPUs *uint32 `json:"vcpus,omitempty"`
+	// Maximum memory in bytes allocated to the VM.
+	Memory *uint64 `json:"memory,omitempty"`
+	// Host device tree nodes to passthrough to the VM.
+	DtDevs []string `json:"dtdevs,omitempty"`
+	// Allow auto-translated domains to access specific hardware I/O memory pages.
+	IOMems []IOMems `json:"iomems,omitempty"`
+	// Allows VM to access specific physical IRQs.
+	Irqs []uint32 `json:"irqs,omitempty"`
+}
+
 // VM contains information for virtual-machine-based containers.
 type VM struct {
 	// Hypervisor specifies hypervisor-related configuration for virtual-machine-based containers.
@@ -686,6 +724,8 @@ type VM struct {
 	Kernel VMKernel `json:"kernel"`
 	// Image specifies guest image related configuration for virtual-machine-based containers.
 	Image VMImage `json:"image,omitempty"`
+	// Hardware configuration that should be passed to the VM.
+	HwConfig *HWConfig `json:"hwconfig,omitempty"`
 }
 
 // VMHypervisor contains information about the hypervisor to use for a virtual machine.
@@ -828,23 +868,41 @@ type LinuxSyscall struct {
 type LinuxIntelRdt struct {
 	// The identity for RDT Class of Service
 	ClosID string `json:"closID,omitempty"`
+
+	// Schemata specifies the complete schemata to be written as is to the
+	// schemata file in resctrl fs. Each element represents a single line in the schemata file.
+	// NOTE: This will overwrite schemas specified in the L3CacheSchema and/or
+	// MemBwSchema fields.
+	Schemata []string `json:"schemata,omitempty"`
+
 	// The schema for L3 cache id and capacity bitmask (CBM)
 	// Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
+	// NOTE: Should not be specified if Schemata is non-empty.
 	L3CacheSchema string `json:"l3CacheSchema,omitempty"`
 
 	// The schema of memory bandwidth per L3 cache id
 	// Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..."
 	// The unit of memory bandwidth is specified in "percentages" by
 	// default, and in "MBps" if MBA Software Controller is enabled.
+	// NOTE: Should not be specified if Schemata is non-empty.
 	MemBwSchema string `json:"memBwSchema,omitempty"`
 
-	// EnableCMT is the flag to indicate if the Intel RDT CMT is enabled. CMT (Cache Monitoring Technology) supports monitoring of
-	// the last-level cache (LLC) occupancy for the container.
-	EnableCMT bool `json:"enableCMT,omitempty"`
+	// EnableMonitoring enables resctrl monitoring for the container. This will
+	// create a dedicated resctrl monitoring group for the container.
+	EnableMonitoring bool `json:"enableMonitoring,omitempty"`
+}
 
-	// EnableMBM is the flag to indicate if the Intel RDT MBM is enabled. MBM (Memory Bandwidth Monitoring) supports monitoring of
-	// total and local memory bandwidth for the container.
-	EnableMBM bool `json:"enableMBM,omitempty"`
+// LinuxMemoryPolicy represents input for the set_mempolicy syscall.
+type LinuxMemoryPolicy struct {
+	// Mode for the set_mempolicy syscall.
+	Mode MemoryPolicyModeType `json:"mode"`
+
+	// Nodes representing the nodemask for the set_mempolicy syscall in comma separated ranges format.
+	// Format: "<node0>-<node1>,<node2>,<node3>-<node4>,..."
+	Nodes string `json:"nodes"`
+
+	// Flags for the set_mempolicy syscall.
+	Flags []MemoryPolicyFlagType `json:"flags,omitempty"`
 }
 
 // ZOS contains platform-specific configuration for z/OS based containers.
@@ -876,6 +934,26 @@ const (
 	ZOSUTSNamespace ZOSNamespaceType = "uts"
 )
 
+type MemoryPolicyModeType string
+
+const (
+	MpolDefault            MemoryPolicyModeType = "MPOL_DEFAULT"
+	MpolBind               MemoryPolicyModeType = "MPOL_BIND"
+	MpolInterleave         MemoryPolicyModeType = "MPOL_INTERLEAVE"
+	MpolWeightedInterleave MemoryPolicyModeType = "MPOL_WEIGHTED_INTERLEAVE"
+	MpolPreferred          MemoryPolicyModeType = "MPOL_PREFERRED"
+	MpolPreferredMany      MemoryPolicyModeType = "MPOL_PREFERRED_MANY"
+	MpolLocal              MemoryPolicyModeType = "MPOL_LOCAL"
+)
+
+type MemoryPolicyFlagType string
+
+const (
+	MpolFNumaBalancing MemoryPolicyFlagType = "MPOL_F_NUMA_BALANCING"
+	MpolFRelativeNodes MemoryPolicyFlagType = "MPOL_F_RELATIVE_NODES"
+	MpolFStaticNodes   MemoryPolicyFlagType = "MPOL_F_STATIC_NODES"
+)
+
 // LinuxSchedulerPolicy represents different scheduling policies used with the Linux Scheduler
 type LinuxSchedulerPolicy string
 
@@ -915,3 +993,75 @@ const (
 	// SchedFlagUtilClampMin represents the utilization clamp maximum scheduling flag
 	SchedFlagUtilClampMax LinuxSchedulerFlag = "SCHED_FLAG_UTIL_CLAMP_MAX"
 )
+
+// FreeBSD contains platform-specific configuration for FreeBSD based containers.
+type FreeBSD struct {
+	// Devices which are accessible in the container
+	Devices []FreeBSDDevice `json:"devices,omitempty"`
+	// Jail definition for this container
+	Jail *FreeBSDJail `json:"jail,omitempty"`
+}
+
+type FreeBSDDevice struct {
+	// Path to the device, relative to /dev.
+	Path string `json:"path"`
+	// FileMode permission bits for the device.
+	Mode *os.FileMode `json:"mode,omitempty"`
+}
+
+// FreeBSDJail describes how to configure the container's jail
+type FreeBSDJail struct {
+	// Parent jail name - this can be used to share a single vnet
+	// across several containers
+	Parent string `json:"parent,omitempty"`
+	// Whether to use parent UTS names or override in the container
+	Host FreeBSDSharing `json:"host,omitempty"`
+	// IPv4 address sharing for the container
+	Ip4 FreeBSDSharing `json:"ip4,omitempty"`
+	// IPv4 addresses for the container
+	Ip4Addr []string `json:"ip4Addr,omitempty"`
+	// IPv6 address sharing for the container
+	Ip6 FreeBSDSharing `json:"ip6,omitempty"`
+	// IPv6 addresses for the container
+	Ip6Addr []string `json:"ip6Addr,omitempty"`
+	// Which network stack to use for the container
+	Vnet FreeBSDSharing `json:"vnet,omitempty"`
+	// If set, Ip4Addr and Ip6Addr addresses will be added to this interface
+	Interface string `json:"interface,omitempty"`
+	// List interfaces to be moved to the container's vnet
+	VnetInterfaces []string `json:"vnetInterfaces,omitempty"`
+	// SystemV IPC message sharing for the container
+	SysVMsg FreeBSDSharing `json:"sysvmsg,omitempty"`
+	// SystemV semaphore message sharing for the container
+	SysVSem FreeBSDSharing `json:"sysvsem,omitempty"`
+	// SystemV memory sharing for the container
+	SysVShm FreeBSDSharing `json:"sysvshm,omitempty"`
+	// Mount visibility (see jail(8) for details)
+	EnforceStatfs *int `json:"enforceStatfs,omitempty"`
+	// Jail capabilities
+	Allow *FreeBSDJailAllow `json:"allow,omitempty"`
+}
+
+// These values are used to control access to features in the container, either
+// disabling the feature, sharing state with the parent or creating new private
+// state in the container.
+type FreeBSDSharing string
+
+const (
+	FreeBSDShareDisable FreeBSDSharing = "disable"
+	FreeBSDShareNew     FreeBSDSharing = "new"
+	FreeBSDShareInherit FreeBSDSharing = "inherit"
+)
+
+// FreeBSDJailAllow describes jail capabilities
+type FreeBSDJailAllow struct {
+	SetHostname   bool     `json:"setHostname,omitempty"`
+	RawSockets    bool     `json:"rawSockets,omitempty"`
+	Chflags       bool     `json:"chflags,omitempty"`
+	Mount         []string `json:"mount,omitempty"`
+	Quotas        bool     `json:"quotas,omitempty"`
+	SocketAf      bool     `json:"socketAf,omitempty"`
+	Mlock         bool     `json:"mlock,omitempty"`
+	ReservedPorts bool     `json:"reservedPorts,omitempty"`
+	Suser         bool     `json:"suser,omitempty"`
+}

vendor/github.com/opencontainers/runtime-spec/specs-go/version.go

@@ -6,9 +6,9 @@ const (
 	// VersionMajor is for an API incompatible changes
 	VersionMajor = 1
 	// VersionMinor is for functionality in a backwards-compatible manner
-	VersionMinor = 2
+	VersionMinor = 3
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 1
+	VersionPatch = 0
 
 	// VersionDev indicates development branch. Releases will be empty string.
 	VersionDev = ""

vendor/github.com/opencontainers/runtime-tools/generate/generate.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"slices"
 	"strings"
 
 	"github.com/moby/sys/capability"
@@ -25,6 +26,12 @@ var (
 	}
 )
 
+const (
+	// UnlimitedPidsLimit can be passed to SetLinuxResourcesPidsLimit to
+	// request unlimited PIDs.
+	UnlimitedPidsLimit int64 = -1
+)
+
 // Generator represents a generator for a container config.
 type Generator struct {
 	Config       *rspec.Spec
@@ -88,7 +95,8 @@ func New(os string) (generator Generator, err error) {
 		}
 	}
 
-	if os == "linux" {
+	switch os {
+	case "linux":
 		config.Process.Capabilities = &rspec.LinuxCapabilities{
 			Bounding: []string{
 				"CAP_CHOWN",
@@ -237,7 +245,7 @@ func New(os string) (generator Generator, err error) {
 			},
 			Seccomp: seccomp.DefaultProfile(&config),
 		}
-	} else if os == "freebsd" {
+	case "freebsd":
 		config.Mounts = []rspec.Mount{
 			{
 				Destination: "/dev",
@@ -593,13 +601,11 @@ func (g *Generator) ClearProcessAdditionalGids() {
 }
 
 // AddProcessAdditionalGid adds an additional gid into g.Config.Process.AdditionalGids.
-func (g *Generator) AddProcessAdditionalGid(gid uint32) {
+func (g *Generator) AddProcessAdditionalGid(gid uint32) { //nolint:staticcheck // Ignore ST1003: method AddProcessAdditionalGid should be AddProcessAdditionalGID
 	g.initConfigProcess()
-	for _, group := range g.Config.Process.User.AdditionalGids {
-		if group == gid {
+	if slices.Contains(g.Config.Process.User.AdditionalGids, gid) {
 		return
 	}
-	}
 	g.Config.Process.User.AdditionalGids = append(g.Config.Process.User.AdditionalGids, gid)
 }
 
@@ -868,7 +874,7 @@ func (g *Generator) DropLinuxResourcesHugepageLimit(pageSize string) {
 	}
 }
 
-// AddLinuxResourcesUnified sets the g.Config.Linux.Resources.Unified
+// SetLinuxResourcesUnified sets the g.Config.Linux.Resources.Unified.
 func (g *Generator) SetLinuxResourcesUnified(unified map[string]string) {
 	g.initConfigLinuxResourcesUnified()
 	for k, v := range unified {
@@ -911,7 +917,7 @@ func (g *Generator) SetLinuxResourcesMemorySwap(swap int64) {
 // SetLinuxResourcesMemoryKernel sets g.Config.Linux.Resources.Memory.Kernel.
 func (g *Generator) SetLinuxResourcesMemoryKernel(kernel int64) {
 	g.initConfigLinuxResourcesMemory()
-	g.Config.Linux.Resources.Memory.Kernel = &kernel
+	g.Config.Linux.Resources.Memory.Kernel = &kernel //nolint:staticcheck // Ignore SA1019: g.Config.Linux.Resources.Memory.Kernel is deprecated
 }
 
 // SetLinuxResourcesMemoryKernelTCP sets g.Config.Linux.Resources.Memory.KernelTCP.
@@ -970,7 +976,7 @@ func (g *Generator) DropLinuxResourcesNetworkPriorities(name string) {
 // SetLinuxResourcesPidsLimit sets g.Config.Linux.Resources.Pids.Limit.
 func (g *Generator) SetLinuxResourcesPidsLimit(limit int64) {
 	g.initConfigLinuxResourcesPids()
-	g.Config.Linux.Resources.Pids.Limit = limit
+	g.Config.Linux.Resources.Pids.Limit = &limit
 }
 
 // ClearLinuxSysctl clears g.Config.Linux.Sysctl.
@@ -1060,13 +1066,13 @@ func (g *Generator) ClearPreStartHooks() {
 	if g.Config == nil || g.Config.Hooks == nil {
 		return
 	}
-	g.Config.Hooks.Prestart = []rspec.Hook{}
+	g.Config.Hooks.Prestart = []rspec.Hook{} //nolint:staticcheck // Ignore SA1019: g.Config.Hooks.Prestart is deprecated
 }
 
 // AddPreStartHook add a prestart hook into g.Config.Hooks.Prestart.
 func (g *Generator) AddPreStartHook(preStartHook rspec.Hook) {
 	g.initConfigHooks()
-	g.Config.Hooks.Prestart = append(g.Config.Hooks.Prestart, preStartHook)
+	g.Config.Hooks.Prestart = append(g.Config.Hooks.Prestart, preStartHook) //nolint:staticcheck // Ignore SA1019: g.Config.Hooks.Prestart is deprecated
 }
 
 // ClearPostStopHooks clear g.Config.Hooks.Poststop.

vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go

@@ -3,7 +3,6 @@ package seccomp
 import (
 	"runtime"
 
-	"github.com/opencontainers/runtime-spec/specs-go"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -31,7 +30,7 @@ func arches() []rspec.Arch {
 }
 
 // DefaultProfile defines the whitelist for the default seccomp profile.
-func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
+func DefaultProfile(rs *rspec.Spec) *rspec.LinuxSeccomp {
 	syscalls := []rspec.LinuxSyscall{
 		{
 			Names: []string{

vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package seccomp
 

vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go

@@ -1,5 +1,4 @@
 //go:build !linux
-// +build !linux
 
 package seccomp
 

vendor/go.podman.io/image/v5/signature/internal/sequoia/gosequoia.c

@@ -1,8 +1,12 @@
 /*
- * Copying and distribution of this file, with or without modification,
- * are permitted in any medium without royalty provided the copyright
- * notice and this notice are preserved.  This file is offered as-is,
- * without any warranty.
+ * SPDX-License-Identifier: Apache-2.0 OR FSFAP
+ * SPDX-FileCopyrightText: 2025 Daiki Ueno
+ *
+ * You can redistribute and/or modify this file under the terms of either
+ * Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html), or
+ * FSF All Permissive License
+ * (https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html),
+ * or both in parallel, as here.
  */
 
 #ifdef HAVE_CONFIG_H

vendor/go.podman.io/image/v5/signature/internal/sequoia/gosequoia.h

@@ -1,8 +1,12 @@
 /*
- * Copying and distribution of this file, with or without modification,
- * are permitted in any medium without royalty provided the copyright
- * notice and this notice are preserved.  This file is offered as-is,
- * without any warranty.
+ * SPDX-License-Identifier: Apache-2.0 OR FSFAP
+ * SPDX-FileCopyrightText: 2025 Daiki Ueno
+ *
+ * You can redistribute and/or modify this file under the terms of either
+ * Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html), or
+ * FSF All Permissive License
+ * (https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html),
+ * or both in parallel, as here.
  */
 
 #ifndef GO_SEQUOIA_H_

vendor/go.podman.io/image/v5/signature/policy_eval.go

@@ -65,6 +65,10 @@ type PolicyRequirement interface {
 	// WARNING: This validates signatures and the manifest, but does not download or validate the
 	// layers. Users must validate that the layers match their expected digests.
 	isRunningImageAllowed(ctx context.Context, image private.UnparsedImage) (bool, error)
+
+	// verifiesSignatures returns true if and only if the requirement performs cryptographic
+	// signature verification on the entire contents of the image before allowing it.
+	verifiesSignatures() bool
 }
 
 // PolicyReferenceMatch specifies a set of image identities accepted in PolicyRequirement.
@@ -81,6 +85,7 @@ type PolicyReferenceMatch interface {
 type PolicyContext struct {
 	Policy        *Policy
 	state         policyContextState // Internal consistency checking
+	requireSigned bool
 }
 
 // policyContextState is used internally to verify the users are not misusing a PolicyContext.
@@ -132,6 +137,13 @@ func policyIdentityLogName(ref types.ImageReference) string {
 	return ref.Transport().Name() + ":" + ref.PolicyConfigurationIdentity()
 }
 
+// RequireSignatureVerification modifies policy requirement handling. If passed
+// `true`, at least one policy requirement which performs signature verification
+// on the entire image contents must be present.
+func (pc *PolicyContext) RequireSignatureVerification(val bool) {
+	pc.requireSigned = val
+}
+
 // requirementsForImageRef selects the appropriate requirements for ref.
 func (pc *PolicyContext) requirementsForImageRef(ref types.ImageReference) PolicyRequirements {
 	// Do we have a PolicyTransportScopes for this transport?
@@ -278,6 +290,7 @@ func (pc *PolicyContext) IsRunningImageAllowed(ctx context.Context, publicImage
 		return false, PolicyRequirementError("List of verification policy requirements must not be empty")
 	}
 
+	wasSignatureVerified := false
 	for reqNumber, req := range reqs {
 		// FIXME: supply state
 		allowed, err := req.isRunningImageAllowed(ctx, image)
@@ -286,7 +299,15 @@ func (pc *PolicyContext) IsRunningImageAllowed(ctx context.Context, publicImage
 			return false, err
 		}
 		logrus.Debugf(" Requirement %d: allowed", reqNumber)
+		if req.verifiesSignatures() {
+			wasSignatureVerified = true
 		}
+	}
+
+	if pc.requireSigned && !wasSignatureVerified {
+		return false, PolicyRequirementError(fmt.Sprintf("No signature verification policy found for image %s", policyIdentityLogName(image.Reference())))
+	}
+
 	// We have tested that len(reqs) != 0, so at least one req must have explicitly allowed this image.
 	logrus.Debugf("Overall: allowed")
 	return true, nil

vendor/go.podman.io/image/v5/signature/policy_eval_baselayer.go

@@ -18,3 +18,7 @@ func (pr *prSignedBaseLayer) isRunningImageAllowed(ctx context.Context, image pr
 	logrus.Errorf("signedBaseLayer not implemented yet!")
 	return false, PolicyRequirementError("signedBaseLayer not implemented yet!")
 }
+
+func (pr *prSignedBaseLayer) verifiesSignatures() bool {
+	return false
+}

vendor/go.podman.io/image/v5/signature/policy_eval_signedby.go

@@ -114,3 +114,7 @@ func (pr *prSignedBy) isRunningImageAllowed(ctx context.Context, image private.U
 	}
 	return false, summary
 }
+
+func (pr *prSignedBy) verifiesSignatures() bool {
+	return true
+}

vendor/go.podman.io/image/v5/signature/policy_eval_sigstore.go

@@ -432,3 +432,7 @@ func (pr *prSigstoreSigned) isRunningImageAllowed(ctx context.Context, image pri
 	}
 	return false, summary
 }
+
+func (pr *prSigstoreSigned) verifiesSignatures() bool {
+	return true
+}

vendor/go.podman.io/image/v5/signature/policy_eval_simple.go

@@ -20,6 +20,10 @@ func (pr *prInsecureAcceptAnything) isRunningImageAllowed(ctx context.Context, i
 	return true, nil
 }
 
+func (pr *prInsecureAcceptAnything) verifiesSignatures() bool {
+	return false
+}
+
 func (pr *prReject) isSignatureAuthorAccepted(ctx context.Context, image private.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {
 	return sarRejected, nil, PolicyRequirementError(fmt.Sprintf("Any signatures for image %s are rejected by policy.", transports.ImageName(image.Reference())))
 }
@@ -27,3 +31,7 @@ func (pr *prReject) isSignatureAuthorAccepted(ctx context.Context, image private
 func (pr *prReject) isRunningImageAllowed(ctx context.Context, image private.UnparsedImage) (bool, error) {
 	return false, PolicyRequirementError(fmt.Sprintf("Running image %s is rejected by policy.", transports.ImageName(image.Reference())))
 }
+
+func (pr *prReject) verifiesSignatures() bool {
+	return false
+}

vendor/modules.txt

@@ -197,7 +197,7 @@ github.com/crc-org/vfkit/pkg/util
 # github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467
 ## explicit
 github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
-# github.com/cyphar/filepath-securejoin v0.6.0
+# github.com/cyphar/filepath-securejoin v0.6.1
 ## explicit; go 1.18
 github.com/cyphar/filepath-securejoin
 github.com/cyphar/filepath-securejoin/internal/consts
@@ -589,10 +589,10 @@ github.com/opencontainers/runc/internal/pathrs
 github.com/opencontainers/runc/libcontainer/apparmor
 github.com/opencontainers/runc/libcontainer/devices
 github.com/opencontainers/runc/libcontainer/utils
-# github.com/opencontainers/runtime-spec v1.2.1
+# github.com/opencontainers/runtime-spec v1.3.0
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
-# github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2
+# github.com/opencontainers/runtime-tools v0.9.1-0.20251114084447-edf4cb3d2116
 ## explicit; go 1.21
 github.com/opencontainers/runtime-tools/generate
 github.com/opencontainers/runtime-tools/generate/seccomp
@@ -787,7 +787,7 @@ go.opentelemetry.io/otel/trace
 go.opentelemetry.io/otel/trace/embedded
 go.opentelemetry.io/otel/trace/internal/telemetry
 go.opentelemetry.io/otel/trace/noop
-# go.podman.io/common v0.66.1-0.20251112195944-4afce3558e66
+# go.podman.io/common v0.66.1-0.20251120131032-23712697ddda
 ## explicit; go 1.24.2
 go.podman.io/common/internal
 go.podman.io/common/internal/attributedstring
@@ -857,7 +857,7 @@ go.podman.io/common/pkg/umask
 go.podman.io/common/pkg/util
 go.podman.io/common/pkg/version
 go.podman.io/common/version
-# go.podman.io/image/v5 v5.38.1-0.20251112195944-4afce3558e66
+# go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda
 ## explicit; go 1.24.0
 go.podman.io/image/v5/copy
 go.podman.io/image/v5/directory
@@ -931,7 +931,7 @@ go.podman.io/image/v5/transports
 go.podman.io/image/v5/transports/alltransports
 go.podman.io/image/v5/types
 go.podman.io/image/v5/version
-# go.podman.io/storage v1.61.1-0.20251112195944-4afce3558e66
+# go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda
 ## explicit; go 1.24.0
 go.podman.io/storage
 go.podman.io/storage/drivers
@@ -1225,12 +1225,12 @@ gopkg.in/yaml.v3
 # sigs.k8s.io/yaml v1.6.0
 ## explicit; go 1.22
 sigs.k8s.io/yaml
-# tags.cncf.io/container-device-interface v1.0.1
-## explicit; go 1.20
+# tags.cncf.io/container-device-interface v1.0.2-0.20251120202831-139ffec09210
+## explicit; go 1.21
 tags.cncf.io/container-device-interface/internal/validation
 tags.cncf.io/container-device-interface/internal/validation/k8s
 tags.cncf.io/container-device-interface/pkg/cdi
 tags.cncf.io/container-device-interface/pkg/parser
-# tags.cncf.io/container-device-interface/specs-go v1.0.0
+# tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210
 ## explicit; go 1.19
 tags.cncf.io/container-device-interface/specs-go

vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go

@@ -520,7 +520,7 @@ func (w *watch) stop() {
 		return
 	}
 
-	w.watcher.Close()
+	_ = w.watcher.Close()
 	w.tracked = nil
 }
 

vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_darwin.go

@@ -1,26 +0,0 @@
-//go:build darwin
-// +build darwin
-
-/*
-   Copyright © 2021 The CDI Authors
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package cdi
-
-import "syscall"
-
-func osSync() {
-	_ = syscall.Sync()
-}

vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_unix.go

@@ -1,26 +0,0 @@
-//go:build !windows && !darwin
-// +build !windows,!darwin
-
-/*
-   Copyright © 2021 The CDI Authors
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package cdi
-
-import "syscall"
-
-func osSync() {
-	syscall.Sync()
-}

vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache_test_windows.go

@@ -1,22 +0,0 @@
-//go:build windows
-// +build windows
-
-/*
-   Copyright © 2021 The CDI Authors
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package cdi
-
-func osSync() {}

vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go

@@ -337,8 +337,10 @@ func ValidateIntelRdt(i *cdi.IntelRdt) error {
 
 // Validate validates the IntelRdt configuration.
 func (i *IntelRdt) Validate() error {
-	// ClosID must be a valid Linux filename
-	if len(i.ClosID) >= 4096 || i.ClosID == "." || i.ClosID == ".." || strings.ContainsAny(i.ClosID, "/\n") {
+	// ClosID must be a valid Linux filename. Exception: "/" refers to the root CLOS.
+	switch c := i.ClosID; {
+	case c == "/":
+	case len(c) >= 4096, c == ".", c == "..", strings.ContainsAny(c, "/\n"):
 		return errors.New("invalid ClosID")
 	}
 	return nil

vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_unix.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 /*
    Copyright © 2021 The CDI Authors

vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits_windows.go

@@ -1,5 +1,4 @@
 //go:build windows
-// +build windows
 
 /*
    Copyright © 2021 The CDI Authors

vendor/tags.cncf.io/container-device-interface/pkg/cdi/oci.go

@@ -59,7 +59,7 @@ func (i *IntelRdt) toOCI() *spec.LinuxIntelRdt {
 		ClosID:           i.ClosID,
 		L3CacheSchema:    i.L3CacheSchema,
 		MemBwSchema:      i.MemBwSchema,
-		EnableCMT:     i.EnableCMT,
-		EnableMBM:     i.EnableMBM,
+		Schemata:         i.Schemata,
+		EnableMonitoring: i.EnableMonitoring,
 	}
 }

vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec.go

@@ -156,7 +156,7 @@ func (s *Spec) write(overwrite bool) error {
 		return fmt.Errorf("failed to create Spec file: %w", err)
 	}
 	_, err = tmp.Write(data)
-	tmp.Close()
+	_ = tmp.Close()
 	if err != nil {
 		return fmt.Errorf("failed to write Spec file: %w", err)
 	}
@@ -164,7 +164,7 @@ func (s *Spec) write(overwrite bool) error {
 	err = renameIn(dir, filepath.Base(tmp.Name()), filepath.Base(s.path), overwrite)
 
 	if err != nil {
-		os.Remove(tmp.Name())
+		_ = os.Remove(tmp.Name())
 		err = fmt.Errorf("failed to write Spec file: %w", err)
 	}
 

vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec_linux.go

@@ -32,7 +32,9 @@ func renameIn(dir, src, dst string, overwrite bool) error {
 	if err != nil {
 		return fmt.Errorf("rename failed: %w", err)
 	}
-	defer dirf.Close()
+	defer func() {
+		_ = dirf.Close()
+	}()
 
 	if !overwrite {
 		flags = unix.RENAME_NOREPLACE

vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec_other.go

@@ -1,5 +1,4 @@
 //go:build !linux
-// +build !linux
 
 /*
    Copyright © 2022 The CDI Authors

vendor/tags.cncf.io/container-device-interface/specs-go/config.go

@@ -67,6 +67,6 @@ type IntelRdt struct {
 	ClosID           string   `json:"closID,omitempty"           yaml:"closID,omitempty"`
 	L3CacheSchema    string   `json:"l3CacheSchema,omitempty"    yaml:"l3CacheSchema,omitempty"`
 	MemBwSchema      string   `json:"memBwSchema,omitempty"      yaml:"memBwSchema,omitempty"`
-	EnableCMT     bool   `json:"enableCMT,omitempty"     yaml:"enableCMT,omitempty"`
-	EnableMBM     bool   `json:"enableMBM,omitempty"     yaml:"enableMBM,omitempty"`
+	Schemata         []string `json:"schemata,omitempty"         yaml:"schemata,omitempty"`
+	EnableMonitoring bool     `json:"enableMonitoring,omitempty" yaml:"enableMonitoring,omitempty"`
 }

vendor/tags.cncf.io/container-device-interface/specs-go/version.go

@@ -40,6 +40,7 @@ const (
 	v070 version = "v0.7.0"
 	v080 version = "v0.8.0"
 	v100 version = "v1.0.0"
+	v110 version = "v1.1.0"
 
 	// vEarliest is the earliest supported version of the CDI specification
 	vEarliest version = v030
@@ -58,6 +59,7 @@ var validSpecVersions = requiredVersionMap{
 	v070: requiresV070,
 	v080: requiresV080,
 	v100: requiresV100,
+	v110: requiresV110,
 }
 
 // ValidateVersion checks whether the specified spec version is valid.
@@ -140,6 +142,25 @@ func (r requiredVersionMap) requiredVersion(spec *Spec) version {
 	return minVersion
 }
 
+// requiresV110 returns true if the spec uses v1.1.0 features.
+func requiresV110(spec *Spec) bool {
+	if i := spec.ContainerEdits.IntelRdt; i != nil {
+		if i.Schemata != nil || i.EnableMonitoring {
+			return true
+		}
+	}
+
+	for _, dev := range spec.Devices {
+		if i := dev.ContainerEdits.IntelRdt; i != nil {
+			if i.Schemata != nil || i.EnableMonitoring {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 // requiresV100 returns true if the spec uses v1.0.0 features.
 // Since the v1.0.0 spec bump was due to moving the minimum version checks to
 // the spec package, there are no explicit spec changes.