8 changed files with 623 additions and 168 deletions
--- a/.crun.metadata
+++ b/.crun.metadata
@ -1 +1 @@
-c79a414d0b980611ba929a7526b7b4c30c2b3b1d SOURCES/crun-0.18.tar.gz
+d2f75ee20a04208db2bbe4351b6a955425623a5e SOURCES/crun-1.23.1.tar.zst
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/crun-0.18.tar.gz
+SOURCES/crun-1.23.1.tar.zst
--- a/SOURCES/0001-revert-tests-build-init-always-statically.patch
+++ b/SOURCES/0001-revert-tests-build-init-always-statically.patch
@ -1,43 +0,0 @@
 From 320a7ec41342c95fd6bdc500cd207eb0ea5cda6a Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Fri, 19 Feb 2021 13:25:37 +0100
 Subject: [PATCH] Revert "tests: build init always statically"
 This reverts commit a0f322a49a10a014a447b505eda5923a8e6aff7c as it
 causes issues on RHEL 8.
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 ---
 Makefile.am | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/Makefile.am b/Makefile.am
 index e39dc3b..2b8e18b 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -14,7 +14,7 @@ srpm: dist-gzip rpm/crun.spec
 	$(MAKE) -C $(WD) dist-gzip
 	rpmbuild -bs --define "_sourcedir $(WD)" --define "_specdir $(WD)" --define "_builddir $(WD)" --define "_srcrpmdir $(WD)" --define "_rpmdir $(WD)" --define "_buildrootdir $(WD)/.build" rpm/crun.spec
 -CLEANFILES = crun.spec tests/init
 +CLEANFILES = crun.spec
 lib_LTLIBRARIES = libcrun.la
@@ -79,9 +79,9 @@ noinst_PROGRAMS = tests/init $(UNIT_TESTS)
 TESTS_LDADD = libcrun_testing.a $(FOUND_LIBS)
 -tests/init: tests/init.c
 -	$(CC) -static-libgcc --static -o $@ $<
 -EXTRA_DIST += tests/init.c
 +tests_init_LDADD =
 +tests_init_LDFLAGS = -static-libgcc -all-static
 +tests_init_SOURCES = tests/init.c $(UNIT_TESTS)
 tests_tests_libcrun_utils_CFLAGS = -I $(abs_top_builddir)/libocispec/src -I $(abs_top_srcdir)/libocispec/src -I $(abs_top_builddir)/src -I $(abs_top_srcdir)/src
 tests_tests_libcrun_utils_SOURCES = tests/tests_libcrun_utils.c
 -- 
 2.29.2
--- a/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
+++ b/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
@ -1,30 +0,0 @@
 From ed485db1465d67f0215c27529c57a76a1daf5135 Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Mon, 28 Feb 2022 11:05:18 +0100
 Subject: [PATCH 1/2] spec: do not set inheritable capabilities
 Closes: CVE-2022-27650
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 (cherry picked from commit b847d146d496c9d7beba166fd595488e85488562)
 ---
 src/libcrun/container.c | 3 ---
 1 file changed, 3 deletions(-)
 diff --git a/src/libcrun/container.c b/src/libcrun/container.c
 index d3fb017..1e3f3e6 100644
 --- a/src/libcrun/container.c
 +++ b/src/libcrun/container.c
@@ -128,9 +128,6 @@ static char spec_file[] = "\
 				\"CAP_NET_BIND_SERVICE\"\n\
 			],\n\
 			\"inheritable\": [\n\
 -				\"CAP_AUDIT_WRITE\",\n\
 -				\"CAP_KILL\",\n\
 -				\"CAP_NET_BIND_SERVICE\"\n\
 			],\n\
 			\"permitted\": [\n\
 				\"CAP_AUDIT_WRITE\",\n\
 -- 
 2.35.1
--- a/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
+++ b/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
@ -1,31 +0,0 @@
 From 21cb5a8c7bcc90c42743ffd15cd11a55bf66993d Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Mon, 28 Feb 2022 11:06:50 +0100
 Subject: [PATCH 2/2] exec: --cap do not set inheritable capabilities
 Closes: CVE-2022-27650
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 (cherry picked from commit 1aeeed2e4fdeffb4875c0d0b439915894594c8c6)
 ---
 src/exec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/exec.c b/src/exec.c
 index bf6c05f..8c9862d 100644
 --- a/src/exec.c
 +++ b/src/exec.c
@@ -250,8 +250,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
           capabilities->effective = exec_options.cap;
           capabilities->effective_len = exec_options.cap_size;
 -          capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
 -          capabilities->inheritable_len = exec_options.cap_size;
 +          capabilities->inheritable = NULL;
 +          capabilities->inheritable_len = 0;
           capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
           capabilities->bounding_len = exec_options.cap_size;
 -- 
 2.35.1
--- a/SOURCES/1859.patch
+++ b/SOURCES/1859.patch
@ -0,0 +1,233 @@
 From 1556c13f89f5db22911a4e771af9253a9b79e02c Mon Sep 17 00:00:00 2001
 From: Sohan Kunkerkar <sohank2602@gmail.com>
 Date: Thu, 28 Aug 2025 08:53:20 -0400
 Subject: [PATCH 1/2] src/libcrun: limit tmpfs memory usage for masked paths
 Replace "size=0k" (unlimited growth) with explicit block and inode limits
 for tmpfs mounts used in masked directory paths. This prevents excessive
 kernel memory consumption under high container density.
 Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
 ---
 src/libcrun/linux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
 index 75120cea37..36ed40bb5b 100644
 --- a/src/libcrun/linux.c
 +++ b/src/libcrun/linux.c
@@ -1114,7 +1114,7 @@ do_masked_or_readonly_path (libcrun_container_t *container, const char *rel_path
         return crun_make_error (err, errno, "cannot stat `%s`", rel_path);
       if ((mode & S_IFMT) == S_IFDIR)
 -        ret = do_mount (container, "tmpfs", pathfd, rel_path, "tmpfs", MS_RDONLY, "size=0k", LABEL_MOUNT, err);
 +        ret = do_mount (container, "tmpfs", pathfd, rel_path, "tmpfs", MS_RDONLY, "nr_blocks=1,nr_inodes=1", LABEL_MOUNT, err);
       else
         ret = do_mount (container, "/dev/null", pathfd, rel_path, NULL, MS_BIND | MS_RDONLY, NULL, LABEL_MOUNT, err);
       if (UNLIKELY (ret < 0))
 From 4004e5bed9ff52029a829131fbc16f9a877154b9 Mon Sep 17 00:00:00 2001
 From: Sohan Kunkerkar <sohank2602@gmail.com>
 Date: Tue, 26 Aug 2025 23:22:56 -0400
 Subject: [PATCH 2/2] linux: optimize masked paths with shared empty directory
 Optimize masked path handling by bind-mounting a shared empty directory
 (via cached /proc/self/fd) instead of creating per-path tmpfs mounts.
 This reduces kernel memory and mount syscall overhead under high container
 density.
 Signed-off-by: Sohan Kunkerkar <sohank2602@gmail.com>
 ---
 src/libcrun/linux.c  | 110 ++++++++++++++++++++++++++++++++++++++++++-
 src/libcrun/status.c |   2 +-
 src/libcrun/status.h |   1 +
 3 files changed, 111 insertions(+), 2 deletions(-)
 diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
 index 36ed40bb5b..552715f729 100644
 --- a/src/libcrun/linux.c
 +++ b/src/libcrun/linux.c
@@ -21,6 +21,7 @@
 #include <config.h>
 #include "linux.h"
 #include "utils.h"
 +#include "status.h"
 #include <string.h>
 #include <sched.h>
 #include <fcntl.h>
@@ -148,6 +149,12 @@ struct private_data_s
   /* Used to save stdin, stdout, stderr during checkpointing to descriptors.json
    * and needed during restore. */
   char *external_descriptors;
 +
 +  /* Cached shared empty directory for masked paths optimization */
 +  int maskdir_fd;
 +  char *maskdir_proc_path;
 +  bool maskdir_bind_failed;
 +  bool maskdir_warned;
 };
 struct linux_namespace_s
@@ -164,6 +171,8 @@ cleanup_private_data (void *private_data)
   if (p->rootfsfd >= 0)
     TEMP_FAILURE_RETRY (close (p->rootfsfd));
 +  if (p->maskdir_fd >= 0)
 +    TEMP_FAILURE_RETRY (close (p->maskdir_fd));
   if (p->mount_fds)
     cleanup_close_mapp (&(p->mount_fds));
   if (p->dev_fds)
@@ -173,6 +182,7 @@ cleanup_private_data (void *private_data)
   free (p->host_notify_socket_path);
   free (p->container_notify_socket_path);
   free (p->external_descriptors);
 +  free (p->maskdir_proc_path);
   free (p);
 }
@@ -185,6 +195,7 @@ get_private_data (struct libcrun_container_s *container)
       container->private_data = p;
       p->rootfsfd = -1;
       p->notify_socket_tree_fd = -1;
 +      p->maskdir_fd = -1;
       container->cleanup_private_data = cleanup_private_data;
     }
   return container->private_data;
@@ -1058,6 +1069,103 @@ has_mount_for (libcrun_container_t *container, const char *destination)
   return false;
 }
 +static void
 +warn_tmpfs_fallback_once (struct private_data_s *private_data, const char *reason)
 +{
 +  if (! private_data->maskdir_warned)
 +    {
 +      libcrun_warning ("Falling back to tmpfs for masked dirs (reason: %s)", reason);
 +      private_data->maskdir_warned = true;
 +    }
 +}
 +
 +/* Get or create the cached shared empty directory for masked paths optimization.
 + * Creates directory and FD once per container, caches /proc/self/fd path for fast mounting.
 + */
 +static int
 +get_shared_empty_dir_cached (libcrun_container_t *container, char **proc_fd_path, libcrun_error_t *err)
 +{
 +  struct private_data_s *private_data = get_private_data (container);
 +  cleanup_close int fd = -1;
 +  cleanup_free char *run_dir = NULL;
 +  cleanup_free char *empty_dir_path = NULL;
 +  int ret;
 +
 +  /* Fast path: return cached proc fd path if already set up */
 +  if (private_data->maskdir_proc_path != NULL)
 +    {
 +      *proc_fd_path = private_data->maskdir_proc_path;
 +      return 0;
 +    }
 +
 +  /* Slow path: create directory and cache everything once */
 +  ret = get_run_directory (&run_dir, container->context->state_root, err);
 +  if (UNLIKELY (ret < 0))
 +    return ret;
 +
 +  ret = append_paths (&empty_dir_path, err, run_dir, ".empty-directory", NULL);
 +  if (UNLIKELY (ret < 0))
 +    return ret;
 +
 +  /* Ensure the empty directory exists (once per container) */
 +  ret = crun_ensure_directory (empty_dir_path, 0555, false, err);
 +  if (UNLIKELY (ret < 0))
 +    return ret;
 +
 +  /* Open directory and cache FD (once per container) */
 +  fd = open (empty_dir_path, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
 +  if (fd < 0)
 +    return crun_make_error (err, errno, "open directory `%s`", empty_dir_path);
 +
 +  /* Cache the /proc/self/fd path for fast mounting */
 +  ret = xasprintf (&private_data->maskdir_proc_path, "/proc/self/fd/%d", fd);
 +  if (UNLIKELY (ret < 0))
 +    return crun_make_error (err, errno, "xasprintf failed");
 +
 +  private_data->maskdir_fd = fd;
 +  fd = -1; /* Don't auto-close */
 +
 +  *proc_fd_path = private_data->maskdir_proc_path;
 +  return 0;
 +}
 +
 +static int
 +mount_masked_dir (libcrun_container_t *container, int pathfd, const char *rel_path, libcrun_error_t *err)
 +{
 +  struct private_data_s *private_data = get_private_data (container);
 +  char *proc_fd_path = NULL;
 +  libcrun_error_t tmp_err = NULL;
 +  int ret;
 +
 +  if (private_data->maskdir_bind_failed)
 +    goto fallback_to_tmpfs;
 +
 +  /* Get cached /proc/self/fd path (fast after first call) */
 +  ret = get_shared_empty_dir_cached (container, &proc_fd_path, &tmp_err);
 +  if (ret < 0)
 +    {
 +      private_data->maskdir_bind_failed = true;
 +      warn_tmpfs_fallback_once (private_data, tmp_err->msg);
 +      crun_error_release (&tmp_err);
 +      goto fallback_to_tmpfs;
 +    }
 +
 +  ret = do_mount (container, proc_fd_path, pathfd, rel_path, NULL, MS_BIND | MS_RDONLY, NULL, LABEL_MOUNT, &tmp_err);
 +  if (LIKELY (ret >= 0))
 +    return ret;
 +
 +  /* Bind mount failed - mark as failed and fall back for all future mounts */
 +  private_data->maskdir_bind_failed = true;
 +  libcrun_warning ("bind mount failed for %s to %s: %s, falling back to tmpfs",
 +                   proc_fd_path, rel_path, tmp_err->msg);
 +  warn_tmpfs_fallback_once (private_data, tmp_err->msg);
 +  crun_error_release (&tmp_err);
 +
 +fallback_to_tmpfs:
 +  libcrun_debug ("using tmpfs fallback for %s", rel_path);
 +  return ret = do_mount (container, "tmpfs", pathfd, rel_path, "tmpfs", MS_RDONLY, "nr_blocks=1,nr_inodes=1", LABEL_MOUNT, err);
 +}
 +
 static int
 do_masked_or_readonly_path (libcrun_container_t *container, const char *rel_path, bool readonly, bool keep_flags,
                             libcrun_error_t *err)
@@ -1114,7 +1222,7 @@ do_masked_or_readonly_path (libcrun_container_t *container, const char *rel_path
         return crun_make_error (err, errno, "cannot stat `%s`", rel_path);
       if ((mode & S_IFMT) == S_IFDIR)
 -        ret = do_mount (container, "tmpfs", pathfd, rel_path, "tmpfs", MS_RDONLY, "nr_blocks=1,nr_inodes=1", LABEL_MOUNT, err);
 +        ret = mount_masked_dir (container, pathfd, rel_path, err);
       else
         ret = do_mount (container, "/dev/null", pathfd, rel_path, NULL, MS_BIND | MS_RDONLY, NULL, LABEL_MOUNT, err);
       if (UNLIKELY (ret < 0))
 diff --git a/src/libcrun/status.c b/src/libcrun/status.c
 index 714a31adc7..c786ef6ea9 100644
 --- a/src/libcrun/status.c
 +++ b/src/libcrun/status.c
@@ -55,7 +55,7 @@ validate_id (const char *id, libcrun_error_t *err)
   return 0;
 }
 -static int
 +int
 get_run_directory (char **out, const char *state_root, libcrun_error_t *err)
 {
   int ret;
 diff --git a/src/libcrun/status.h b/src/libcrun/status.h
 index cd6c0ced16..72a94348a5 100644
 --- a/src/libcrun/status.h
 +++ b/src/libcrun/status.h
@@ -65,6 +65,7 @@ int libcrun_status_create_exec_fifo (const char *state_root, const char *id, lib
 int libcrun_status_write_exec_fifo (const char *state_root, const char *id, libcrun_error_t *err);
 int libcrun_status_has_read_exec_fifo (const char *state_root, const char *id, libcrun_error_t *err);
 int libcrun_check_pid_valid (libcrun_container_status_t *status, libcrun_error_t *err);
 +int get_run_directory (char **out, const char *state_root, libcrun_error_t *err);
 static inline void
 libcrun_free_container_listp (void *p)
--- a/SOURCES/d8a88c0620882fbc989f29ba83d1c46fab3bca09.patch
+++ b/SOURCES/d8a88c0620882fbc989f29ba83d1c46fab3bca09.patch
@ -0,0 +1,237 @@
 From d8a88c0620882fbc989f29ba83d1c46fab3bca09 Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Tue, 9 Sep 2025 18:16:34 +0200
 Subject: [PATCH] criu: checkpoint correctly the shared empty directory path
 commit 4004e5bed9ff52029a829131fbc16f9a877154b9 introduced the
 regression.  It is not part of any release.
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 ---
 src/libcrun/criu.c    | 76 ++++++++++++++++++++++++++++++-------------
 src/libcrun/linux.c   | 20 ++++--------
 src/libcrun/seccomp.c |  4 +--
 src/libcrun/status.c  | 22 +++++++++++++
 src/libcrun/status.h  |  1 +
 5 files changed, 86 insertions(+), 37 deletions(-)
 diff --git a/src/libcrun/criu.c b/src/libcrun/criu.c
 index f94c243d6e..45c1cce81b 100644
 --- a/src/libcrun/criu.c
 +++ b/src/libcrun/criu.c
@@ -267,6 +267,54 @@ criu_check_mem_track (char *work_path, libcrun_error_t *err)
 #  endif
 +static int
 +register_masked_paths_mounts (runtime_spec_schema_config_schema *def, libcrun_container_t *container,
 +                              struct libcriu_wrapper_s *libcriu_wrapper, bool is_restore, libcrun_error_t *err)
 +{
 +  cleanup_free char *empty_dir_path = NULL;
 +  bool shared_dir_registered = false;
 +  size_t i;
 +  int ret;
 +
 +  for (i = 0; i < def->linux->masked_paths_len; i++)
 +    {
 +      struct stat statbuf;
 +      ret = stat (def->linux->masked_paths[i], &statbuf);
 +      if (ret != 0)
 +        continue;
 +
 +      if (S_ISDIR (statbuf.st_mode))
 +        {
 +          if (! shared_dir_registered)
 +            {
 +              ret = get_shared_empty_directory_path (&empty_dir_path,
 +                                                     (container->context ? container->context->state_root : NULL), err);
 +              if (UNLIKELY (ret < 0))
 +                return ret;
 +
 +              ret = libcriu_wrapper->criu_add_ext_mount (empty_dir_path, empty_dir_path);
 +              if (UNLIKELY (ret < 0))
 +                return crun_make_error (err, -ret, "CRIU: failed adding external mount for shared empty directory `%s`", empty_dir_path);
 +
 +              shared_dir_registered = true;
 +            }
 +
 +          ret = libcriu_wrapper->criu_add_ext_mount (def->linux->masked_paths[i], empty_dir_path);
 +          if (UNLIKELY (ret < 0))
 +            return crun_make_error (err, -ret, "CRIU: failed adding external mount for masked directory `%s`", def->linux->masked_paths[i]);
 +        }
 +      else if (S_ISREG (statbuf.st_mode))
 +        {
 +          const char *bind_target = is_restore ? "/dev/null" : def->linux->masked_paths[i];
 +          ret = libcriu_wrapper->criu_add_ext_mount (def->linux->masked_paths[i], bind_target);
 +          if (UNLIKELY (ret < 0))
 +            return crun_make_error (err, -ret, "CRIU: failed adding external mount to `%s`", bind_target);
 +        }
 +    }
 +
 +  return 0;
 +}
 +
 static int
 restore_cgroup_v1_mount (runtime_spec_schema_config_schema *def, libcrun_error_t *err)
 {
@@ -609,17 +657,9 @@ libcrun_container_checkpoint_linux_criu (libcrun_container_status_t *status, lib
         }
     }
 -  for (i = 0; i < def->linux->masked_paths_len; i++)
 -    {
 -      struct stat statbuf;
 -      ret = stat (def->linux->masked_paths[i], &statbuf);
 -      if (ret == 0 && S_ISREG (statbuf.st_mode))
 -        {
 -          ret = libcriu_wrapper->criu_add_ext_mount (def->linux->masked_paths[i], def->linux->masked_paths[i]);
 -          if (UNLIKELY (ret < 0))
 -            return crun_make_error (err, -ret, "CRIU: failed adding external mount to `%s`", def->linux->masked_paths[i]);
 -        }
 -    }
 +  ret = register_masked_paths_mounts (def, container, libcriu_wrapper, false, err);
 +  if (UNLIKELY (ret < 0))
 +    return ret;
   /* CRIU tries to checkpoint and restore all namespaces. However,
    * namespaces could be shared between containers in a pod.
@@ -947,17 +987,9 @@ libcrun_container_restore_linux_criu (libcrun_container_status_t *status, libcru
         }
     }
 -  for (i = 0; i < def->linux->masked_paths_len; i++)
 -    {
 -      struct stat statbuf;
 -      ret = stat (def->linux->masked_paths[i], &statbuf);
 -      if (ret == 0 && S_ISREG (statbuf.st_mode))
 -        {
 -          ret = libcriu_wrapper->criu_add_ext_mount (def->linux->masked_paths[i], "/dev/null");
 -          if (UNLIKELY (ret < 0))
 -            return crun_make_error (err, -ret, "CRIU: failed adding external mount to `%s`", "/dev/null");
 -        }
 -    }
 +  ret = register_masked_paths_mounts (def, container, libcriu_wrapper, true, err);
 +  if (UNLIKELY (ret < 0))
 +    return ret;
   /* do realpath on root */
   bundle_cleanup = realpath (status->bundle, NULL);
 diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
 index ce7faa5b24..ed0d888794 100644
 --- a/src/libcrun/linux.c
 +++ b/src/libcrun/linux.c
@@ -1087,7 +1087,6 @@ get_shared_empty_dir_cached (libcrun_container_t *container, char **proc_fd_path
 {
   struct private_data_s *private_data = get_private_data (container);
   cleanup_close int fd = -1;
 -  cleanup_free char *run_dir = NULL;
   cleanup_free char *empty_dir_path = NULL;
   int ret;
@@ -1099,16 +1098,7 @@ get_shared_empty_dir_cached (libcrun_container_t *container, char **proc_fd_path
     }
   /* Slow path: create directory and cache everything once */
 -  ret = get_run_directory (&run_dir, container->context->state_root, err);
 -  if (UNLIKELY (ret < 0))
 -    return ret;
 -
 -  ret = append_paths (&empty_dir_path, err, run_dir, ".empty-directory", NULL);
 -  if (UNLIKELY (ret < 0))
 -    return ret;
 -
 -  /* Ensure the empty directory exists (once per container) */
 -  ret = crun_ensure_directory (empty_dir_path, 0555, false, err);
 +  ret = get_shared_empty_directory_path (&empty_dir_path, container->context->state_root, err);
   if (UNLIKELY (ret < 0))
     return ret;
@@ -2674,7 +2664,9 @@ do_notify_socket (libcrun_container_t *container, const char *rootfs, libcrun_er
   if (notify_socket == NULL)
     return 0;
 -  ret = libcrun_get_state_directory (&state_dir, container->context->state_root, container->context->id, err);
 +  ret = libcrun_get_state_directory (&state_dir,
 +                                     (container->context ? container->context->state_root : NULL),
 +                                     container->context->id, err);
   if (UNLIKELY (ret < 0))
     return ret;
@@ -4637,7 +4629,9 @@ prepare_and_send_dev_mounts (libcrun_container_t *container, int sync_socket_hos
   if (! has_userns || is_empty_string (container->context->id) || geteuid () > 0)
     return send_mounts (sync_socket_host, dev_fds, how_many, def->linux->devices_len, err);
 -  ret = libcrun_get_state_directory (&state_dir, container->context->state_root, container->context->id, err);
 +  ret = libcrun_get_state_directory (&state_dir,
 +                                     (container->context ? container->context->state_root : NULL),
 +                                     container->context->id, err);
   if (UNLIKELY (ret < 0))
     return ret;
 diff --git a/src/libcrun/seccomp.c b/src/libcrun/seccomp.c
 index 6075c87dff..7d769093c8 100644
 --- a/src/libcrun/seccomp.c
 +++ b/src/libcrun/seccomp.c
@@ -589,7 +589,7 @@ store_seccomp_cache (struct libcrun_seccomp_gen_ctx_s *ctx, libcrun_error_t *err
   if (is_empty_string (ctx->checksum))
     return 0;
 -  dirfd = open_rundir_dirfd (container->context->state_root, err);
 +  dirfd = open_rundir_dirfd ((container->context ? container->context->state_root : NULL), err);
   if (UNLIKELY (dirfd < 0))
     return dirfd;
@@ -874,7 +874,7 @@ libcrun_open_seccomp_bpf (struct libcrun_seccomp_gen_ctx_s *ctx, int *fd, libcru
   if (container == NULL || container->context == NULL)
     return crun_make_error (err, EINVAL, "invalid internal state");
 -  dirfd = open_rundir_dirfd (container->context->state_root, err);
 +  dirfd = open_rundir_dirfd ((container->context ? container->context->state_root : NULL), err);
   if (UNLIKELY (dirfd < 0))
     return dirfd;
 diff --git a/src/libcrun/status.c b/src/libcrun/status.c
 index 5e6dd63594..d57e7a3fbe 100644
 --- a/src/libcrun/status.c
 +++ b/src/libcrun/status.c
@@ -85,6 +85,28 @@ get_run_directory (char **out, const char *state_root, libcrun_error_t *err)
   return 0;
 }
 +int
 +get_shared_empty_directory_path (char **out, const char *state_root, libcrun_error_t *err)
 +{
 +  cleanup_free char *run_dir = NULL;
 +  int ret;
 +
 +  ret = get_run_directory (&run_dir, state_root, err);
 +  if (UNLIKELY (ret < 0))
 +    return ret;
 +
 +  ret = append_paths (out, err, run_dir, ".empty-directory", NULL);
 +  if (UNLIKELY (ret < 0))
 +    return ret;
 +
 +  /* Ensure the empty directory exists */
 +  ret = crun_ensure_directory (*out, 0555, false, err);
 +  if (UNLIKELY (ret < 0))
 +    return ret;
 +
 +  return 0;
 +}
 +
 int
 libcrun_get_state_directory (char **out, const char *state_root, const char *id, libcrun_error_t *err)
 {
 diff --git a/src/libcrun/status.h b/src/libcrun/status.h
 index 994624e416..d37a8d2a02 100644
 --- a/src/libcrun/status.h
 +++ b/src/libcrun/status.h
@@ -65,6 +65,7 @@ int libcrun_status_write_exec_fifo (const char *state_root, const char *id, libc
 int libcrun_status_has_read_exec_fifo (const char *state_root, const char *id, libcrun_error_t *err);
 int libcrun_check_pid_valid (libcrun_container_status_t *status, libcrun_error_t *err);
 int get_run_directory (char **out, const char *state_root, libcrun_error_t *err);
 +int get_shared_empty_directory_path (char **out, const char *state_root, libcrun_error_t *err);
 static inline void
 libcrun_free_container_listp (void *p)
--- a/SPECS/crun.spec
+++ b/SPECS/crun.spec
@ -1,101 +1,190 @@
 %global krun_opts %{nil}
 %global wasmedge_opts %{nil}
 %global yajl_opts %{nil}
 %if %{defined copr_username}
 %define copr_build 1
 %endif
 # krun and wasm support only on aarch64 and x86_64
 %ifarch aarch64 || x86_64
 # Disable wasmedge on rhel 10 until EPEL10 is in place, otherwise it causes
 # build issues on copr
 %if %{defined fedora} || (%{defined copr_build} && %{defined rhel} && 0%{?rhel} < 10)
 %global wasm_support 1
 %global wasmedge_support 1
 %global wasmedge_opts --with-wasmedge
 %endif
 # krun only exists on fedora
 %if %{defined fedora}
 %global krun_support 1
 %global krun_opts --with-libkrun
 %endif
 %endif
 %if %{defined fedora} || (%{defined rhel} && 0%{?rhel} < 10)
 %global system_yajl 1
 %else
 %global yajl_opts --enable-embedded-yajl
 %endif
 Summary: OCI runtime written in C
 Name: crun
-Version: 0.18
+%if %{defined copr_build}
-Release: 3%{?dist}
+Epoch: 102
-Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
+%endif
-Patch0: 0001-revert-tests-build-init-always-statically.patch
+# DO NOT TOUCH the Version string!
-Patch1: 0001-spec-do-not-set-inheritable-capabilities.patch
+# The TRUE source of this specfile is:
-Patch2: 0002-exec-cap-do-not-set-inheritable-capabilities.patch
+# https://github.com/containers/crun/blob/main/rpm/crun.spec
-License: GPLv2+
+# If that's what you're reading, Version must be 0, and will be updated by Packit for
-URL: https://github.com/containers/crun
+# copr and koji builds.
-# https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
+# If you're reading this on dist-git, the version is automatically filled in by Packit.
-ExclusiveArch: %{go_arches}
+Version: 1.23.1
-# We always run autogen.sh
+Release: 2%{?dist}
 URL: https://github.com/containers/%{name}
 Source0: %{url}/releases/download/%{version}/%{name}-%{version}.tar.zst
 Patch0: https://github.com/containers/crun/pull/1859.patch
 Patch1: https://github.com/containers/crun/commit/d8a88c0620882fbc989f29ba83d1c46fab3bca09.patch
 License: GPL-2.0-only
 %if %{defined golang_arches_future}
 ExclusiveArch: %{golang_arches_future}
 %else
 ExclusiveArch: aarch64 ppc64le riscv64 s390x x86_64
 %endif
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: gcc
-BuildRequires: python3
+BuildRequires: git-core
-BuildRequires: git
+BuildRequires: gperf
 BuildRequires: libcap-devel
 %if %{defined krun_support}
 BuildRequires: libkrun-devel
 %endif
 BuildRequires: systemd-devel
 %if %{defined system_yajl}
 BuildRequires: yajl-devel
 %endif
 BuildRequires: libseccomp-devel
 BuildRequires: libselinux-devel
 BuildRequires: python3-libmount
 BuildRequires: libtool
-BuildRequires: go-md2man
+BuildRequires: protobuf-c-devel
-Provides: oci-runtime = 2
+BuildRequires: criu-devel >= 3.17.1-2
 Recommends: criu >= 3.17.1
 Recommends: criu-libs
 %if %{defined wasmedge_support}
 BuildRequires: wasmedge-devel
 %endif
 BuildRequires: python
 Provides: oci-runtime
 %description
-crun is a runtime for running OCI containers
+%{name} is a OCI runtime
 %if %{defined krun_support}
 %package krun
 Summary: %{name} with libkrun support
 Requires: libkrun
 Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
 Provides: krun = %{?epoch:%{epoch}:}%{version}-%{release}
 %description krun
 krun is a symlink to the %{name} binary, with libkrun as an additional dependency.
 %endif
 %if %{defined wasm_support}
 %package wasm
 Summary: %{name} with wasm support
 Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
 # wasm packages are not present on RHEL yet and are currently a PITA to test
 # Best to only include wasmedge as weak dep on rhel
 %if %{defined fedora}
 Requires: wasm-library
 %endif
 Recommends: wasmedge
 %description wasm
 %{name}-wasm is a symlink to the %{name} binary, with wasm as an additional dependency.
 %endif
 %prep
 %autosetup -Sgit -n %{name}-%{version}
 %build
 export CFLAGS="%{optflags} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
 export LDFLAGS="%{build_ldflags}"
 ./autogen.sh
-%configure --disable-silent-rules
+./configure --disable-silent-rules %{krun_opts} %{wasmedge_opts} %{yajl_opts}
 %make_build
 %install
-%make_install
+%make_install prefix=%{_prefix}
-rm -rf $RPM_BUILD_ROOT/usr/lib*
+rm -rf %{buildroot}%{_prefix}/lib*
 # Placeholder check to silence rpmlint
 %check
 %files
 %license COPYING
 %{_bindir}/%{name}
-%{_mandir}/man1/*
+%{_mandir}/man1/%{name}.1.gz
 %if %{defined krun_support}
 %files krun
 %license COPYING
 %{_bindir}/krun
 %{_mandir}/man1/krun.1.gz
 %endif
 %if %{defined wasm_support}
 %files wasm
 %license COPYING
 %{_bindir}/%{name}-wasm
 %endif
 %changelog
-* Tue Apr 05 2022 Jindrich Novy <jnovy@redhat.com> - 0.18-3
+* Fri Sep 19 2025 Jindrich Novy <jnovy@redhat.com> - 1.23.1-2
- fix CVE-2022-27650
+- Backport multiple crun fixes
- Related: #2061390
+- Resolves: RHEL-114555
-* Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.18-2
+* Mon Aug 04 2025 Jindrich Novy <jnovy@redhat.com> - 1.23.1-1
- allow to build without glibc-static (thanks to Giuseppe Scrivano)
+- update to https://github.com/containers/crun/releases/tag/1.23.1
- Related: #1883490
+- Related: RHEL-80816
-* Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.18-1
+* Mon Jul 28 2025 Jindrich Novy <jnovy@redhat.com> - 1.23-1
- update to https://github.com/containers/crun/releases/tag/0.18
+- update to https://github.com/containers/crun/releases/tag/1.23
- Related: #1883490
+- Related: RHEL-80816
-* Fri Jan 22 2021 Jindrich Novy <jnovy@redhat.com> - 0.17-1
+* Thu Jul 03 2025 Jindrich Novy <jnovy@redhat.com> - 1.22-1
- update to https://github.com/containers/crun/releases/tag/0.17
+- update to https://github.com/containers/crun/releases/tag/1.22
- Related: #1883490
+- Related: RHEL-80816
-* Thu Dec 03 2020 Jindrich Novy <jnovy@redhat.com> - 0.16-2
+* Fri Mar 28 2025 Jindrich Novy <jnovy@redhat.com> - 1.21-1
- exclude i686 because of build failures
+- update to https://github.com/containers/crun/releases/tag/1.21
- Related: #1883490
+- Related: RHEL-80816
-* Wed Nov 25 2020 Jindrich Novy <jnovy@redhat.com> - 0.16-1
+* Tue Mar 18 2025 Jindrich Novy <jnovy@redhat.com> - 1.20-2
- update to https://github.com/containers/crun/releases/tag/0.16
+- fix gating.yaml
- Related: #1883490
+- Related: RHEL-80816
-* Wed Nov 04 2020 Jindrich Novy <jnovy@redhat.com> - 0.15.1-1
+* Wed Feb 05 2025 Jindrich Novy <jnovy@redhat.com> - 1.20-1
- update to https://github.com/containers/crun/releases/tag/0.15.1
+- update to https://github.com/containers/crun/releases/tag/1.20
- Related: #1883490
+- Related: RHEL-60277
-* Thu Oct 29 2020 Jindrich Novy <jnovy@redhat.com> - 0.15-2
+* Thu Jan 02 2025 Jindrich Novy <jnovy@redhat.com> - 1.19.1-1
- synchronize with stream-container-tools-rhel8
+- update to https://github.com/containers/crun/releases/tag/1.19.1
- Related: #1883490
+- Related: RHEL-60277
-* Wed Oct 21 2020 Jindrich Novy <jnovy@redhat.com> - 0.15-1
+* Wed Dec 11 2024 Jindrich Novy <jnovy@redhat.com> - 1.19-2
- synchronize with stream-container-tools-rhel8
+- Add missing CFLAGS and LDFLAGS for annocheck/hardening
- Related: #1883490
+- Related: RHEL-60277
-* Tue Aug 11 2020 Jindrich Novy <jnovy@redhat.com> - 0.14.1-2
+* Mon Dec 09 2024 Jindrich Novy <jnovy@redhat.com> - 1.19-1
- use proper CFLAGS
+- update to https://github.com/containers/crun/releases/tag/1.19
- Related: #1821193
+- Related: RHEL-60277
-* Wed Jul 08 2020 Jindrich Novy <jnovy@redhat.com> - 0.14.1-1
+* Mon Nov 25 2024 Jindrich Novy <jnovy@redhat.com> - 1.18.2-1
- update to https://github.com/containers/crun/releases/tag/v0.14.1
+- update to https://github.com/containers/crun/releases/tag/1.18.2
- Related: #1821193
+- Related: RHEL-60277
 * Thu Jul 02 2020 Jindrich Novy <jnovy@redhat.com> - 0.14-1
 - update to https://github.com/containers/crun/releases/tag/v0.14
 - Related: #1821193
 * Tue Jun 16 2020 Giuseppe Scrivano <gscrivan@redhat.com> - 0.13-1
 - initial import
`@ -1 +1 @@`
	`c79a414d0b980611ba929a7526b7b4c30c2b3b1d SOURCES/crun-0.18.tar.gz`	`d2f75ee20a04208db2bbe4351b6a955425623a5e SOURCES/crun-1.23.1.tar.zst`
`@ -1 +1 @@`
	`SOURCES/crun-0.18.tar.gz`	`SOURCES/crun-1.23.1.tar.zst`