5 changed files with 270 additions and 99 deletions
--- a/.buildah.metadata
+++ b/.buildah.metadata
@ -1 +1 @@
-d3fcf1950a92f35210dc390cde164f6e428826d1 SOURCES/buildah-e94b4f9.tar.gz
+da35ceecbee25d37313869956f602161fc282153 SOURCES/buildah-9513cb8.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/buildah-e94b4f9.tar.gz
+SOURCES/buildah-9513cb8.tar.gz
--- a/SOURCES/1996.patch
+++ b/SOURCES/1996.patch
@ -0,0 +1,153 @@
+From f09346578021c12069b6deb9487a1462b8d28a83 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Thu, 21 Nov 2019 15:32:41 -0500
+Subject: [PATCH 1/3] bind: don't complain about missing mountpoints
+
+When we go to unmount a tree of mounts, if one of the directories isn't
+there, instead of returning an error as before, log a debug message and
+keep going.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+---
+ bind/mount.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bind/mount.go b/bind/mount.go
+index e1ae323b9..adde901fd 100644
+--- a/bind/mount.go
+++ b/bind/mount.go
+@@ -264,6 +264,10 @@ func UnmountMountpoints(mountpoint string, mountpointsToRemove []string) error {
+ 		mount := getMountByID(id)
+ 		// check if this mountpoint is mounted
+ 		if err := unix.Lstat(mount.Mountpoint, &st); err != nil {
+			if os.IsNotExist(err) {
+				logrus.Debugf("mountpoint %q is not present(?), skipping", mount.Mountpoint)
+				continue
+			}
+ 			return errors.Wrapf(err, "error checking if %q is mounted", mount.Mountpoint)
+ 		}
+ 		if mount.Major != int(unix.Major(st.Dev)) || mount.Minor != int(unix.Minor(st.Dev)) {
+
+From c5fb681a6082b78c422eb3531667dc6d607a9355 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Fri, 22 Nov 2019 14:22:26 -0500
+Subject: [PATCH 2/3] chroot: Unmount with MNT_DETACH instead of
+ UnmountMountpoints()
+
+Unmounting the rootfs with MNT_DETACH should unmount everything below
+it, so we don't need to use the more exhaustive method that our bind
+package uses for its bind mounts.
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+---
+ chroot/run.go | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/chroot/run.go b/chroot/run.go
+index fbccbcdb0..76ac78d1f 100644
+--- a/chroot/run.go
+++ b/chroot/run.go
+@@ -15,6 +15,7 @@ import (
+ 	"strings"
+ 	"sync"
+ 	"syscall"
+	"time"
+ 	"unsafe"
+ 
+ 	"github.com/containers/buildah/bind"
+@@ -1002,12 +1003,19 @@ func isDevNull(dev os.FileInfo) bool {
+ // callback that will clean up its work.
+ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func() error, err error) {
+ 	var fs unix.Statfs_t
+-	removes := []string{}
+ 	undoBinds = func() error {
+-		if err2 := bind.UnmountMountpoints(spec.Root.Path, removes); err2 != nil {
+-			logrus.Warnf("pkg/chroot: error unmounting %q: %v", spec.Root.Path, err2)
+-			if err == nil {
+-				err = err2
+		if err2 := unix.Unmount(spec.Root.Path, unix.MNT_DETACH); err2 != nil {
+			retries := 0
+			for (err2 == unix.EBUSY || err2 == unix.EAGAIN) && retries < 50 {
+				time.Sleep(50 * time.Millisecond)
+				err2 = unix.Unmount(spec.Root.Path, unix.MNT_DETACH)
+				retries++
+			}
+			if err2 != nil {
+				logrus.Warnf("pkg/chroot: error unmounting %q (retried %d times): %v", spec.Root.Path, retries, err2)
+				if err == nil {
+					err = err2
+				}
+ 			}
+ 		}
+ 		return err
+@@ -1096,6 +1104,7 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 	// Add /sys/fs/selinux to the set of masked paths, to ensure that we don't have processes
+ 	// attempting to interact with labeling, when they aren't allowed to do so.
+ 	spec.Linux.MaskedPaths = append(spec.Linux.MaskedPaths, "/sys/fs/selinux")
+
+ 	// Bind mount in everything we've been asked to mount.
+ 	for _, m := range spec.Mounts {
+ 		// Skip anything that we just mounted.
+@@ -1141,13 +1150,11 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 			if !os.IsNotExist(err) {
+ 				return undoBinds, errors.Wrapf(err, "error examining %q for mounting in mount namespace", target)
+ 			}
+-			// The target isn't there yet, so create it, and make a
+-			// note to remove it later.
+			// The target isn't there yet, so create it.
+ 			if srcinfo.IsDir() {
+ 				if err = os.MkdirAll(target, 0111); err != nil {
+ 					return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
+ 				}
+-				removes = append(removes, target)
+ 			} else {
+ 				if err = os.MkdirAll(filepath.Dir(target), 0111); err != nil {
+ 					return undoBinds, errors.Wrapf(err, "error ensuring parent of mountpoint %q (%q) is present in mount namespace", target, filepath.Dir(target))
+@@ -1157,7 +1164,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 					return undoBinds, errors.Wrapf(err, "error creating mountpoint %q in mount namespace", target)
+ 				}
+ 				file.Close()
+-				removes = append(removes, target)
+ 			}
+ 		}
+ 		requestFlags := bindFlags
+@@ -1266,7 +1272,6 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
+ 		if err := os.Mkdir(roEmptyDir, 0700); err != nil {
+ 			return undoBinds, errors.Wrapf(err, "error creating empty directory %q", roEmptyDir)
+ 		}
+-		removes = append(removes, roEmptyDir)
+ 	}
+ 
+ 	// Set up any masked paths that we need to.  If we're running inside of
+
+From ec1be6a51941e10b5316c911ef97c88940f7c095 Mon Sep 17 00:00:00 2001
+From: Nalin Dahyabhai <nalin@redhat.com>
+Date: Fri, 22 Nov 2019 14:52:25 -0500
+Subject: [PATCH 3/3] overlay.bats typo: fuse-overlays should be fuse-overlayfs
+
+Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
+---
+ tests/overlay.bats | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/overlay.bats b/tests/overlay.bats
+index 04056f680..7cc2d0c62 100644
+--- a/tests/overlay.bats
+++ b/tests/overlay.bats
+@@ -3,14 +3,14 @@
+ load helpers
+ 
+ @test "overlay specific level" {
+-  if test \! -e /usr/bin/fuse-overlays -a  "$BUILDAH_ISOLATION" = "rootless"; then
+  if test \! -e /usr/bin/fuse-overlayfs -a "$BUILDAH_ISOLATION" = "rootless"; then
+     skip "BUILDAH_ISOLATION = $BUILDAH_ISOLATION" and no /usr/bin/fuse-overlayfs present
+   fi
+   image=alpine
+   mkdir ${TESTDIR}/lower
+   touch ${TESTDIR}/lower/foo
+ 
+-cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
+  cid=$(buildah --log-level=error from -v ${TESTDIR}/lower:/lower:O --quiet --signature-policy ${TESTSDIR}/policy.json $image)
+ 
+   # This should succeed
+   run_buildah --log-level=error run $cid ls /lower/foo
--- a/SOURCES/buildah-CVE-2020-10696.patch
+++ b/SOURCES/buildah-CVE-2020-10696.patch
@ -1,48 +0,0 @@
-From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
-From: TomSweeneyRedHat <tsweeney@redhat.com>
-Date: Tue, 24 Mar 2020 20:10:22 -0400
-Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
-
-Stealing @nalind 's workaround to avoid refetching
-content after a file read failure.  Under the right
-circumstances that could be a symlink to a file meant
-to overwrite a good file with bad data.
-
-Testing:
-```
-goodstuff
-
-[1] 14901
-
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
-no FROM statement found
-
-goodstuff
-```
-
-Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
---
- imagebuildah/util.go | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
--- a/imagebuildah/util.go.CVE-2020-10696
-+++ b/imagebuildah/util.go
-@@ -12,6 +12,7 @@ import (
- 
- 	"github.com/containers/buildah"
- 	"github.com/containers/storage/pkg/chrootarchive"
-+	"github.com/containers/storage/pkg/ioutils"
- 	"github.com/pkg/errors"
- 	"github.com/sirupsen/logrus"
- )
-@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
- 		}
- 		dockerfile := filepath.Join(dir, "Dockerfile")
- 		// Assume this is a Dockerfile
-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
-+		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
- 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
- 		}
- 	}
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
@ -5,50 +5,48 @@
 %global _find_debuginfo_dwz_opts %{nil}
 %global _dwz_low_mem_die_limit 0
 %else
-%global debug_package   %{nil}
+%global debug_package %{nil}
 %endif

 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
 %endif

-%global provider        github
-%global provider_tld    com
-%global project         containers
-%global repo            buildah
-# https://github.com/projectatomic/buildah
-%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
-%global import_path     %{provider_prefix}
-%global commit          e94b4f98048e7371685731b97eefd6265e2f1fb3
-%global shortcommit     %(c=%{commit}; echo ${c:0:7})
+%global provider github
+%global provider_tld com
+%global project containers
+%global repo buildah
+# https://github.com/containers/buildah
+%global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
+%global git0 https://%{import_path}
+%global commit0 9513cb8c7bec0f7789c696aee4d252ebf85194cc
+%global shortcommit0 %(c=%{commit0}; echo ${c:0:7})

-Name:           %{repo}
-Version:        1.5
-Release:        8.git%{shortcommit}%{?dist}
-Summary:        A command line tool used for creating OCI Images
-License:        ASL 2.0
-URL:            https://%{provider_prefix}
-Source0:        https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
-# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
-# backported:  https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
-Patch0: buildah-CVE-2020-10696.patch
-ExclusiveArch:  x86_64 %{arm} aarch64 ppc64le s390x
-# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
-BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
-BuildRequires:  git
-BuildRequires:  glib2-devel
-BuildRequires:  ostree-devel
-BuildRequires:  glibc-static
-BuildRequires:  go-md2man
-BuildRequires:  gpgme-devel
-BuildRequires:  device-mapper-devel
-BuildRequires:  libassuan-devel
-BuildRequires:  libseccomp-devel
-Requires:       runc >= 1.0.0-26
-Requires:       containers-common
-Requires:       container-selinux
-Provides:       %{repo} = %{version}-%{release}
+Name: %{repo}
+Version: 1.11.6
+Release: 4%{?dist}
+Summary: A command line tool used for creating OCI Images
+License: ASL 2.0
+URL: https://%{name}.io
+Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
+Patch0: https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/1996.patch
+
+BuildRequires: golang >= 1.12.12-4
+BuildRequires: git
+BuildRequires: glib2-devel
+BuildRequires: libseccomp-devel
+BuildRequires: ostree-devel
+BuildRequires: glibc-static
+BuildRequires: go-md2man
+BuildRequires: gpgme-devel
+BuildRequires: device-mapper-devel
+BuildRequires: libassuan-devel
+BuildRequires: make
+Requires: runc >= 1.0.0-26
+Requires: containers-common
+Requires: container-selinux
+Requires: slirp4netns >= 0.3-0

 %description
 The %{name} package provides a command line tool which can be used to
@ -59,8 +57,22 @@ or
 * save container's root file system layer to create a new image
 * delete a working container or an image

+%package tests
+Summary: Tests for %{name}
+Requires: %{name} = %{version}-%{release}
+Requires: bzip2
+Requires: podman
+Requires: golang
+
+%description tests
+%{summary}
+
+This package contains system tests for %{name}
+
 %prep
-%autosetup -Sgit -n %{name}-%{commit}
+%autosetup -Sgit -n %{name}-%{commit0}
+sed -i 's/GOMD2MAN =/GOMD2MAN ?=/' docs/Makefile
+sed -i '/docs install/d' Makefile

 %build
 mkdir _build
@ -71,14 +83,21 @@ popd

 mv vendor src

-export GOPATH=$(pwd)/_build:$(pwd):%{gopath}
-export BUILDTAGS='seccomp exclude_graphdriver_btrfs'
+export GOPATH=$(pwd)/_build:$(pwd)
+export BUILDTAGS='seccomp selinux btrfs_noversion exclude_graphdriver_btrfs'
+export GO111MODULE=off
+rm -f src/github.com/containers/storage/drivers/register/register_btrfs.go
 %gobuild -o %{name} %{import_path}/cmd/%{name}
-make docs
+%gobuild -o imgtype %{import_path}/tests/imgtype
+GOMD2MAN=go-md2man %{__make} -C docs

 %install
 export GOPATH=$(pwd)/_build:$(pwd):%{gopath}
 make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
+install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
+cp -pav tests/. %{buildroot}/%{_datadir}/%{name}/test/system
+cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
+make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install

 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@ -92,14 +111,61 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %dir %{_datadir}/bash-completion/completions
 %{_datadir}/bash-completion/completions/%{name}

-%changelog
-* Thu Jun 25 2020 Jindrich Novy <jnovy@redhat.com> - 1.5-8.gite94b4f9
- bump release to preserve upgrade path
- Related: #1821193
+%files tests
+%license LICENSE
+%{_bindir}/%{name}-imgtype
+%{_datadir}/%{name}/test

-* Fri Apr 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.5-4.gite94b4f9
- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
- Resolves: #1818127
+%changelog
+* Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-4
+- compile in FIPS mode
+- Related: RHELPLAN-25139
+
+* Mon Dec 09 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-3
+- be sure to use golang >= 1.12.12-4
+- Related: RHELPLAN-25139
+
+* Sat Dec 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-2
+- fix chroot: unmount with MNT_DETACH instead of UnmountMountpoints()
+- bug reference 1772179
+- Related: RHELPLAN-25139
+
+* Thu Dec 05 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.6-1
+- update to buildah 1.11.6
+- Related: RHELPLAN-25139
+
+* Thu Nov 21 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.5-1
+- update to buildah 1.11.5
+- Related: RHELPLAN-25139
+
+* Thu Nov 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.4-2
+- fix %%gobuild macro to not to ignore BUILDTAGS
+- Related: RHELPLAN-25139
+
+* Thu Nov 07 2019 Jindrich Novy <jnovy@redhat.com> - 1.11.4-1
+- update to 1.11.4
+- Related: RHELPLAN-25139
+
+* Tue Sep 17 2019 Jindrich Novy <jnovy@redhat.com> - 1.9.0-5
+- Use autosetup macro again.
+
+* Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.9.0-4
+- Fix CVE-2019-10214 (#1734653).
+
+* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-3
+- Resolves: #1721247 - enable fips mode
+
+* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-2
+- Resolves: #1720654 - tests subpackage depends on golang explicitly
+
+* Sat Jun 15 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.9.0-1
+- Resolves: #1720654 - rebase to v1.9.0
+
+* Fri Jun 14 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.8.3-1
+- Resolves: #1720654 - rebase to v1.8.3
+
+* Tue Apr  9 2019 Eduardo Santiago <santiago@redhat.com> - 1.8-0.git021d607
+- package system tests

 * Tue Dec 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-3.gite94b4f9
 - re-enable debuginfo
@ -619,7 +685,7 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 - Bump for inclusion of OCI 1.0 Runtime and Image Spec

 * Tue Jul 18 2017 Dan Walsh <dwalsh@redhat.com> 0.2.0-1.gitac2aad6
-   buildah run: Add support for -- ending options parsing 
+-   buildah run: Add support for -- ending options parsing
 -   buildah Add/Copy support for glob syntax
 -   buildah commit: Add flag to remove containers on commit
 -   buildah push: Improve man page and help information