From 033521fec2f5c84d7c9b1fb4443ead9caa103380 Mon Sep 17 00:00:00 2001 From: Jindrich Novy Date: Wed, 11 Jun 2025 16:28:20 +0200 Subject: [PATCH] containers-common-0.63.0-1.el10 - update vendored components - Related: RHEL-80817 Signed-off-by: Jindrich Novy --- containers-common.spec | 12 ++++++++---- containers-policy.json.5.md | 27 ++++++++++++++++++++++++++- containers-transports.5.md | 1 - containers.conf | 24 +++++++++++++----------- containers.conf.5.md | 25 +++++++++++++++++-------- seccomp.json | 3 +-- shortnames.conf | 2 ++ 7 files changed, 67 insertions(+), 27 deletions(-) diff --git a/containers-common.spec b/containers-common.spec index c058891..6171e5a 100644 --- a/containers-common.spec +++ b/containers-common.spec @@ -7,17 +7,17 @@ # Packit will automatically update the image and storage versions on Fedora and # CentOS Stream dist-git PRs. %global skopeo_branch main -%global image_branch v5.34.0 -%global storage_branch v1.57.1 +%global image_branch v5.35.0 +%global storage_branch v1.58.0 %global shortnames_branch main -%global common_branch v0.62.0 +%global common_branch v0.63.0 %global common_version %(v=%{common_branch}; echo ${v:1}) Name: containers-common Epoch: 5 Version: %{common_version} -Release: 2%{?dist} +Release: 1%{?dist} License: Apache-2.0 BuildArch: noarch # for BuildRequires: go-md2man @@ -203,6 +203,10 @@ ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/ %files extra %changelog +* Wed Jun 11 2025 Jindrich Novy - 5:0.63.0-1 +- update vendored components +- Related: RHEL-80817 + * Sun Jun 08 2025 Lokesh Mandvekar - 5:0.62.0-2 - fetch TMT podman revdep tests from podman dist-git - needs at least podman 5.4.0-7.el10 diff --git a/containers-policy.json.5.md b/containers-policy.json.5.md index ad3a1f5..2dedd6d 100644 --- a/containers-policy.json.5.md +++ b/containers-policy.json.5.md 
@@ -329,6 +329,14 @@ This requirement requires an image to be signed using a sigstore signature with "oidcIssuer": "https://expected.OIDC.issuer/", "subjectEmail", "expected-signing-user@example.com", }, + "pki": { + "caRootsPath": "/path/to/local/CARoots/file", + "caRootsData": "base64-encoded-CARoots-data", + "caIntermediatesPath": "/path/to/local/CAIntermediates/file", + "caIntermediatesData": "base64-encoded-CAIntermediates-data", + "subjectHostname": "expected-signing-hostname.example.com", + "subjectEmail": "expected-signing-user@example.com" + }, "rekorPublicKeyPath": "/path/to/local/public/key/file", "rekorPublicKeyPaths": ["/path/to/local/public/key/one","/path/to/local/public/key/two"], "rekorPublicKeyData": "base64-encoded-public-key-data", @@ -336,7 +344,7 @@ This requirement requires an image to be signed using a sigstore signature with "signedIdentity": identity_requirement } ``` -Exactly one of `keyPath`, `keyPaths`, `keyData`, `keyDatas` and `fulcio` must be present. +Exactly one of `keyPath`, `keyPaths`, `keyData`, `keyDatas`, `fulcio` and `pki` must be present. If `keyPath` or `keyData` is present, it contains a sigstore public key. Only signatures made by this key are accepted. 
@@ -350,6 +358,11 @@ Both `oidcIssuer` and `subjectEmail` are mandatory, exactly specifying the expected identity provider, and the identity of the user obtaining the Fulcio certificate. +If `pki` is present, the signature must be based on a non-Fulcio X.509 certificate. +One of `caRootsPath` and `caRootsData` must be specified, containing certificates of the CAs. +Only one of `caIntermediatesPath` and `caIntermediatesData` can be present, containing certificates of the intermediate CAs. +One of `subjectEmail` and `subjectHostname` must be specified, exactly specifying the expected identity to which the certificate was issued. + At most one of `rekorPublicKeyPath`, `rekorPublicKeyPaths`, `rekorPublicKeyData` and `rekorPublicKeyDatas` can be present; it is mandatory if `fulcio` is specified. If a Rekor public key is specified, @@ -407,6 +420,18 @@ selectively allow individual transports and scopes as desired. "rekorPublicKeyPath": "/path/to/rekor.pub", } ], + /* A Sigstore-signed repository using a certificate generated by a custom public-key infrastructure.*/ + "hostname:5000/myns/sigstore-signed-byopki": [ + { + "type": "sigstoreSigned", + "pki": { + "caRootsPath": "/path/to/pki_root_crts.pem", + "caIntermediatesPath": "/path/to/pki_intermediate_crts.pem", + "subjectHostname": "test-user.example.com" + "subjectEmail": "test-user@example.com" + } + } + ], /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */ "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [ { diff --git a/containers-transports.5.md b/containers-transports.5.md index 8073c1c..1312d44 100644 --- a/containers-transports.5.md +++ b/containers-transports.5.md 
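Review bot: The new `sigstore-signed-byopki` example in the @@ -407 hunk is not valid JSON: the line `"subjectHostname": "test-user.example.com"` has no trailing comma before `"subjectEmail"`, so a policy.json copied from this man page would fail to parse; it should read `"subjectHostname": "test-user.example.com",`. The same example also sets both `subjectHostname` and `subjectEmail`, while the prose added in the @@ -350 hunk says "One of `subjectEmail` and `subjectHostname` must be specified", which a reader can take as exactly one; if both may be given together, "At least one of …" in the prose would remove the ambiguity, otherwise the example should use a single identity key. Since this is the policy that gates which signatures are trusted, the example and the constraint text should agree exactly.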
@@ -77,7 +77,6 @@ An image in a directory structure compliant with the "Open Container Image Layou The _path_ value terminates at the first `:` character; any further `:` characters are not separators, but a part of _reference_. The _reference_ is used to set, or match, the `org.opencontainers.image.ref.name` annotation in the top-level index. -If _reference_ is not specified when reading an image, the directory must contain exactly one image. For reading images, @_source-index_ is a zero-based index in manifest (to access untagged images). If neither reference nor @_source_index is specified when reading an image, the path must contain exactly one image. diff --git a/containers.conf b/containers.conf index 3020583..d5cf1a2 100644 --- a/containers.conf +++ b/containers.conf @@ -236,13 +236,12 @@ default_sysctls = [ # #mounts = [] -# Default way to to create a Network namespace for the container -# Options are: -# `private` Create private Network Namespace for the container. -# `host` Share host Network Namespace with the container. -# `none` Containers do not use the network +# Default way to create a NET namespace for the container. +# The option is mapped to the **--network** argument for the podman commands, it accepts the same values as that option. +# For example it can be set to `bridge`, `host`, `none`, `pasta` and more, see the podman-create(1) +# manual for all available options. # -#netns = "private" +#netns = "" # Do not modify the `/etc/hosts` file in the container. Podman assumes control # over the container's `/etc/hosts` file by default; refer to the `--add-host` 
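Review bot: The new commented default `#netns = ""` in the containers.conf hunk at @@ -236 no longer tells the reader what the empty value resolves to; the removed lines stated the default was `private`, and the replacement comment only lists the values that may be set. Presumably the empty string defers to podman's built-in choice, which the `default_network` comment in the next hunk describes as bridge for rootful but not for rootless containers — please confirm and state it, e.g. `# An empty value (the default) lets podman pick the mode; see the default_network option for the rootful/rootless defaults.` Without that line a reader cannot tell whether `""` and `private` behave the same.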
@@ -381,14 +380,17 @@ default_sysctls = [ #firewall_driver = "" -# The network name of the default network to attach pods to. +# The name of the default network as seen in `podman network ls`. This option only effects the network assignment when +# the bridge network mode is selected, i.e. `--network bridge`. It is the default for rootful containers but not as +# rootless. To change the default network mode use the **netns** option under the `[containers]` table. +# +# Note: This should not be changed while you have any containers using this network. # #default_network = "podman" # The default subnet for the default network given in default_network. -# If a network with that name does not exist, a new network using that name and -# this subnet will be created. -# Must be a valid IPv4 CIDR prefix. +# +# Note: This should not be changed if any containers are currently running on the default network. # #default_subnet = "10.88.0.0/16" @@ -898,7 +900,7 @@ runtime = "crun" # Linux: # qemu - Open source machine emulator and virtualizer. (Default) # Windows: there are currently two options: -# wsl - Windows Subsystem for Linux (Default) +# wsl - Windows Subsystem for Linux (Default) # hyperv - Windows Server Virtualization # Mac: there are currently two options: # applehv - Default Apple Hypervisor (Default) diff --git a/containers.conf.5.md b/containers.conf.5.md index 1c3a246..8551cb9 100644 --- a/containers.conf.5.md +++ b/containers.conf.5.md 
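Review bot: The new `default_network` comment in the @@ -381 hunk has a wording slip: "This option only effects the network assignment" should be "affects", and "but not as rootless" reads better as "but not for rootless containers"; suggested line: `# the bridge network mode is selected, i.e. `--network bridge`. It is the default for rootful containers but not for`. The rewrite of the `default_subnet` comment also drops the "Must be a valid IPv4 CIDR prefix." constraint together with the auto-create sentence; if the value is still required to be a CIDR prefix, keep that one line so operators know the accepted format. The "should not be changed while containers use this network" notes are a useful addition and read clearly.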
@@ -199,7 +199,12 @@ container. The special value “none” can be specified to disable creation of **env**=["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"] Environment variable list for the container process, used for passing -environment variables to the container. +environment variables to the container. If a variable is listed without a value, +the value is copied from the host environment. + +Note that this is only used when a container is created, not with subsequent +commands like `podman exec`. This prevents variables in the config file from +overwriting values specified on the command line when the container was created. **env_host**=false @@ -304,13 +309,12 @@ Specified as "type=TYPE,source=,destination=