import podman-1.6.4-25.module+el8.4.0+9935+d4945f3f

2021-03-30 06:39:45 -04:00 · 2021-03-30 06:39:45 -04:00 · 28b54a8330
commit 28b54a8330
parent a332f18f59
11 changed files with 56 additions and 14144 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/libpod-5cc9284.tar.gz
+SOURCES/v1.6.4-rhel-2c7b579.tar.gz
--- a/.podman.metadata
+++ b/.podman.metadata
@ -1 +1 @@
-dd35f1a00ac7860feeaa77dd5a92bc7bb310b821 SOURCES/libpod-5cc9284.tar.gz
+b118b9148d847b4bbee931fb6d241b34a21054db SOURCES/v1.6.4-rhel-2c7b579.tar.gz
--- a/SOURCES/497.patch
+++ b/SOURCES/497.patch
@ -1,60 +0,0 @@
 From a6fec757c8a17f3a5b92fb766b0f2eeb3b1a208a Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Thu, 19 Dec 2019 19:06:00 +0100
 Subject: [PATCH] store: keep graph lock during Mount
 This solves a race condition where a mountpoint is created without the
 home mount being present.
 The cause is that another process could be calling the graph driver
 cleanup as part of store.Shutdown() causing the unmount of the
 driver home directory.
 The unmount could happen between the time the rlstore is retrieved and
 the actual mount, causing the driver mount to be done without a home
 mount below it.
 A third process then would re-create again the home mount, shadowing
 the previous mount.
 Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1757845
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 ---
 store.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 diff --git a/store.go b/store.go
 index 65808b8a0..272153e51 100644
 --- a/vendor/github.com/containers/storage/store.go
 +++ b/vendor/github.com/containers/storage/store.go
@@ -2479,6 +2479,10 @@ func (s *store) Mount(id, mountLabel string) (string, error) {
 	if err != nil {
 		return "", err
 	}
 +
 +	s.graphLock.Lock()
 +	defer s.graphLock.Unlock()
 +
 	rlstore.Lock()
 	defer rlstore.Unlock()
 	if modified, err := rlstore.Modified(); modified || err != nil {
@@ -2486,6 +2490,18 @@ func (s *store) Mount(id, mountLabel string) (string, error) {
 			return "", err
 		}
 	}
 +
 +	/* We need to make sure the home mount is present when the Mount is done.  */
 +	if s.graphLock.TouchedSince(s.lastLoaded) {
 +		s.graphDriver = nil
 +		s.layerStore = nil
 +		s.graphDriver, err = s.getGraphDriver()
 +		if err != nil {
 +			return "", err
 +		}
 +		s.lastLoaded = time.Now()
 +	}
 +
 	if rlstore.Exists(id) {
 		options := drivers.MountOpts{
 			MountLabel: mountLabel,
--- a/SOURCES/CVE-2020-1702-1801929.patch
+++ b/SOURCES/CVE-2020-1702-1801929.patch
--- a/SOURCES/podman-1784950.patch
+++ b/SOURCES/podman-1784950.patch
@ -1,145 +0,0 @@
 From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
 From: Daniel J Walsh <dwalsh@redhat.com>
 Date: Tue, 17 Dec 2019 15:24:29 -0500
 Subject: [PATCH] Add support for FIPS-Mode backends
 If host is running in fips mode, then RHEL8.2 and beyond container images
 will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
 This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
 order to make all tools in the container follow the FIPS Mode rules.
 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
 ---
 pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
 run_linux.go           |  2 +-
 2 files changed, 39 insertions(+), 11 deletions(-)
 diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go.1784950 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
 --- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go.1784950	2020-02-19 14:58:22.049213896 +0100
 +++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go	2020-02-19 14:58:22.052213937 +0100
@@ -148,12 +148,21 @@ func getMountsMap(path string) (string,
 }
 // SecretMounts copies, adds, and mounts the secrets to the container root filesystem
 +// Deprecated, Please use SecretMountWithUIDGID
 func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
 	return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
 }
 -// SecretMountsWithUIDGID specifies the uid/gid of the owner
 -func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
 +// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
 +// mountLabel: MAC/SELinux label for container content
 +// containerWorkingDir: Private data for storing secrets on the host mounted in container.
 +// mountFile: Additional mount points required for the container.
 +// mountPoint: Container image mountpoint
 +// uid: to assign to content created for secrets
 +// gid: to assign to content created for secrets
 +// rootless: indicates whether container is running in rootless mode
 +// disableFips: indicates whether system should ignore fips mode
 +func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
 	var (
 		secretMounts []rspec.Mount
 		mountFiles   []string
@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel,
 	}
 	for _, file := range mountFiles {
 		if _, err := os.Stat(file); err == nil {
 -			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
 +			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
 			if err != nil {
 				logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
 			}
@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel,
 	// Add FIPS mode secret if /etc/system-fips exists on the host
 	_, err := os.Stat("/etc/system-fips")
 	if err == nil {
 -		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
 +		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
 			logrus.Errorf("error adding FIPS mode secret to container: %v", err)
 		}
 	} else if os.IsNotExist(err) {
@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid in
 // addSecretsFromMountsFile copies the contents of host directory to container directory
 // and returns a list of mounts
 -func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
 +func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
 	var mounts []rspec.Mount
 	defaultMountsPaths := getMounts(filePath)
 	for _, path := range defaultMountsPaths {
@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath,
 		}
 		m := rspec.Mount{
 -			Source:      filepath.Join(mountPrefix, ctrDirOrFile),
 +			Source:      ctrDirOrFileOnHost,
 			Destination: ctrDirOrFile,
 			Type:        "bind",
 			Options:     []string{"bind", "rprivate"},
@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath,
 // root filesystem if /etc/system-fips exists on hosts.
 // This enables the container to be FIPS compliant and run openssl in
 // FIPS mode as the host is also in FIPS mode.
 -func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
 +func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
 	secretsDir := "/run/secrets"
 	ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
 	if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
 		if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
 -			return errors.Wrapf(err, "making container directory on host failed")
 +			return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
 		}
 		if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
 -			return errors.Wrap(err, "error applying correct labels")
 +			return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
 		}
 	}
 	fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.M
 	if !mountExists(*mounts, secretsDir) {
 		m := rspec.Mount{
 -			Source:      filepath.Join(mountPrefix, secretsDir),
 +			Source:      ctrDirOnHost,
 			Destination: secretsDir,
 			Type:        "bind",
 			Options:     []string{"bind", "rprivate"},
@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.M
 		*mounts = append(*mounts, m)
 	}
 +	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
 +	destDir := "/etc/crypto-policies/back-ends"
 +	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
 +	if _, err := os.Stat(srcOnHost); err != nil {
 +		if os.IsNotExist(err) {
 +			return nil
 +		}
 +		return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
 +	}
 +
 +	if !mountExists(*mounts, destDir) {
 +		m := rspec.Mount{
 +			Source:      srcOnHost,
 +			Destination: destDir,
 +			Type:        "bind",
 +			Options:     []string{"bind", "rprivate"},
 +		}
 +		*mounts = append(*mounts, m)
 +	}
 	return nil
 }
 diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go.1784950 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go
 --- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go.1784950	2020-02-19 14:58:22.021213507 +0100
 +++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go	2020-02-19 14:58:22.024213549 +0100
@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint
 	}
 	// Get the list of secrets mounts.
 -	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
 +	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
 	// Add temporary copies of the contents of volume locations at the
 	// volume locations, unless we already have something there.
--- a/SOURCES/podman-1805212.patch
+++ b/SOURCES/podman-1805212.patch
@ -1,51 +0,0 @@
 From 6c97e0d5c140d587e5477d478159e91b8adcfd15 Mon Sep 17 00:00:00 2001
 From: Brent Baude <bbaude@redhat.com>
 Date: Thu, 27 Feb 2020 14:39:31 -0600
 Subject: [PATCH 2/2] network create should use firewall plugin
 when creating a network, podman should add the firewall plugin to the config but not specify a backend.  this will allow cni to determine whether it should use an iptables|firewalld backend.
 Signed-off-by: Brent Baude <bbaude@redhat.com>
 ---
 pkg/adapter/network.go     | 1 +
 pkg/network/netconflist.go | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
 diff --git a/pkg/network/netconflist.go b/pkg/network/netconflist.go
 index a8217097ac..34ff000249 100644
 --- a/pkg/network/netconflist.go
 +++ b/pkg/network/netconflist.go
@@ -110,7 +110,6 @@ func NewPortMapPlugin() PortMapConfig {
 func NewFirewallPlugin() FirewallConfig {
 	return FirewallConfig{
 		PluginType: "firewall",
 -		Backend:    "iptables",
 	}
 }
 From cfd40608907b653a8b05f2e4f4243f8aa677b6e3 Mon Sep 17 00:00:00 2001
 From: Brent Baude <bbaude@redhat.com>
 Date: Thu, 27 Feb 2020 14:35:48 -0600
 Subject: [PATCH 1/2] add firewall plugin (no backend) to default cni config
 in order for the fall back mechanisms to work in containernetworking-plugins, the firewall plugin must still be called via the cni configuration file.  however, no backend w
 Signed-off-by: Brent Baude <bbaude@redhat.com>
 ---
 cni/87-podman-bridge.conflist | 3 +++
 1 file changed, 3 insertions(+)
 diff -up a/cni/87-podman-bridge.conflist b/cni/87-podman-bridge.conflist
 --- a/cni/87-podman-bridge.conflist
 +++ b/cni/87-podman-bridge.conflist
@@ -31,8 +31,7 @@
             }
 	},
 	{
 -            "type": "firewall",
 -	    "backend": "iptables"
 +            "type": "firewall"
 	}
     ]
 }
--- a/SOURCES/podman-1807310.patch
+++ b/SOURCES/podman-1807310.patch
@ -1,133 +0,0 @@
 From b41c864d569357a102ee2335a4947e59e5e2b08a Mon Sep 17 00:00:00 2001
 From: Matthew Heon <matthew.heon@pm.me>
 Date: Thu, 27 Feb 2020 16:08:29 -0500
 Subject: [PATCH] Ensure that exec sessions inherit supplemental groups
 This corrects a regression from Podman 1.4.x where container exec
 sessions inherited supplemental groups from the container, iff
 the exec session did not specify a user.
 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
 ---
 libpod/container_api.go            |  5 -----
 libpod/container_internal_linux.go |  5 ++++-
 libpod/oci_conmon_linux.go         | 25 +++++++++++++++++++++----
 test/e2e/exec_test.go              | 24 ++++++++++++++++++++++++
 4 files changed, 49 insertions(+), 10 deletions(-)
 diff --git a/libpod/container_api.go b/libpod/container_api.go
 index d612341bce..dabbe27dcd 100644
 --- a/libpod/container_api.go
 +++ b/libpod/container_api.go
@@ -270,11 +270,6 @@ func (c *Container) Exec(tty, privileged bool, env map[string]string, cmd []stri
 		}
 	}()
 -	// if the user is empty, we should inherit the user that the container is currently running with
 -	if user == "" {
 -		user = c.config.User
 -	}
 -
 	opts := new(ExecOptions)
 	opts.Cmd = cmd
 	opts.CapAdd = capList
 diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
 index 7390262647..63968918cb 100644
 --- a/libpod/container_internal_linux.go
 +++ b/libpod/container_internal_linux.go
@@ -330,7 +330,10 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	// Add addition groups if c.config.GroupAdd is not empty
 	if len(c.config.Groups) > 0 {
 -		gids, _ := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, nil)
 +		gids, err := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, overrides)
 +		if err != nil {
 +			return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s", c.ID())
 +		}
 		for _, gid := range gids {
 			g.AddProcessAdditionalGid(gid)
 		}
 diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
 index 07d38693f0..800f896036 100644
 --- a/libpod/oci_conmon_linux.go
 +++ b/libpod/oci_conmon_linux.go
@@ -1252,18 +1252,35 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
 	}
 +	var addGroups []string
 +	var sgids []uint32
 +
 +	// if the user is empty, we should inherit the user that the container is currently running with
 +	if user == "" {
 +		user = c.config.User
 +		addGroups = c.config.Groups
 +	}
 +
 	overrides := c.getUserOverrides()
 	execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, overrides)
 	if err != nil {
 		return nil, err
 	}
 +	if len(addGroups) > 0 {
 +		sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, overrides)
 +		if err != nil {
 +			return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
 +		}
 +	}
 +
 	// If user was set, look it up in the container to get a UID to use on
 	// the host
 -	if user != "" {
 -		sgids := make([]uint32, 0, len(execUser.Sgids))
 -		for _, sgid := range execUser.Sgids {
 -			sgids = append(sgids, uint32(sgid))
 +	if user != "" || len(sgids) > 0 {
 +		if user != "" {
 +			for _, sgid := range execUser.Sgids {
 +				sgids = append(sgids, uint32(sgid))
 +			}
 		}
 		processUser := spec.User{
 			UID:            uint32(execUser.Uid),
 diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go
 index ed4eb3335f..ab806f6831 100644
 --- a/test/e2e/exec_test.go
 +++ b/test/e2e/exec_test.go
@@ -1,6 +1,7 @@
 package integration
 import (
 +	"fmt"
 	"os"
 	"strings"
@@ -244,4 +245,27 @@ var _ = Describe("Podman exec", func() {
 		Expect(session.ExitCode()).To(Equal(0))
 	})
 +	It("podman exec preserves --group-add groups", func() {
 +		groupName := "group1"
 +		gid := "4444"
 +		ctrName1 := "ctr1"
 +		ctr1 := podmanTest.Podman([]string{"run", "-ti", "--name", ctrName1, fedoraMinimal, "groupadd", "-g", gid, groupName})
 +		ctr1.WaitWithDefaultTimeout()
 +		Expect(ctr1.ExitCode()).To(Equal(0))
 +
 +		imgName := "img1"
 +		commit := podmanTest.Podman([]string{"commit", ctrName1, imgName})
 +		commit.WaitWithDefaultTimeout()
 +		Expect(commit.ExitCode()).To(Equal(0))
 +
 +		ctrName2 := "ctr2"
 +		ctr2 := podmanTest.Podman([]string{"run", "-d", "--name", ctrName2, "--group-add", groupName, imgName, "sleep", "300"})
 +		ctr2.WaitWithDefaultTimeout()
 +		Expect(ctr2.ExitCode()).To(Equal(0))
 +
 +		exec := podmanTest.Podman([]string{"exec", "-ti", ctrName2, "id"})
 +		exec.WaitWithDefaultTimeout()
 +		Expect(exec.ExitCode()).To(Equal(0))
 +		Expect(strings.Contains(exec.OutputToString(), fmt.Sprintf("%s(%s)", gid, groupName))).To(BeTrue())
 +	})
 })
--- a/SOURCES/podman-1834346.patch
+++ b/SOURCES/podman-1834346.patch
@ -1,27 +0,0 @@
 From fadd011a80c62f7a2fb971fac34d7b470c6a60df Mon Sep 17 00:00:00 2001
 From: Brent Baude <bbaude@redhat.com>
 Date: Mon, 27 Apr 2020 16:03:00 -0500
 Subject: [PATCH] separate healthcheck and container log paths
 instead of using the container log path to derive where to put the healthchecks, we now put them into the rundir to avoid collision of health check log files when the log path is set by user.
 Fixes: #5915
 Signed-off-by: Brent Baude <bbaude@redhat.com>
 ---
 libpod/healthcheck.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libpod/healthcheck.go b/libpod/healthcheck.go
 index daddb6561d..aec5fa4e0f 100644
 --- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/healthcheck.go
 +++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/healthcheck.go
@@ -238,7 +238,7 @@ func (c *Container) updateHealthCheckLog(hcl define.HealthCheckLog, inStartPerio
 // HealthCheckLogPath returns the path for where the health check log is
 func (c *Container) healthCheckLogPath() string {
 -	return filepath.Join(filepath.Dir(c.LogPath()), "healthcheck.log")
 +	return filepath.Join(filepath.Dir(c.state.RunDir), "healthcheck.log")
 }
 // GetHealthCheckLog returns HealthCheck results by reading the container's
--- a/SOURCES/podman-CVE-2020-10696.patch
+++ b/SOURCES/podman-CVE-2020-10696.patch
@ -1,58 +0,0 @@
 From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
 From: TomSweeneyRedHat <tsweeney@redhat.com>
 Date: Tue, 24 Mar 2020 20:10:22 -0400
 Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
 Stealing @nalind 's workaround to avoid refetching
 content after a file read failure.  Under the right
 circumstances that could be a symlink to a file meant
 to overwrite a good file with bad data.
 Testing:
 ```
 goodstuff
 [1] 14901
 127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
 127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
 no FROM statement found
 goodstuff
 ```
 Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
 ---
 imagebuildah/util.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/imagebuildah/util.go b/imagebuildah/util.go
 index 29ea60970..5f14c9883 100644
 --- a/vendor/github.com/containers/buildah/imagebuildah/util.go
 +++ b/vendor/github.com/containers/buildah/imagebuildah/util.go
@@ -14,6 +14,7 @@ import (
 	"github.com/containers/buildah"
 	"github.com/containers/storage/pkg/chrootarchive"
 +	"github.com/containers/storage/pkg/ioutils"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error {
 		}
 		dockerfile := filepath.Join(dir, "Dockerfile")
 		// Assume this is a Dockerfile
 -		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
 +		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
 		}
 	}
@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error {
 	if err := chrootarchive.Untar(reader, dir, nil); err != nil {
 		dockerfile := filepath.Join(dir, "Dockerfile")
 		// Assume this is a Dockerfile
 -		if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil {
 +		if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil {
 			return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile)
 		}
 	}
--- a/SOURCES/podman-CVE-2020-1726.patch
+++ b/SOURCES/podman-CVE-2020-1726.patch
@ -1,100 +0,0 @@
 From c140ecdc9b416ab4efd4d21d14acd63b6adbdd42 Mon Sep 17 00:00:00 2001
 From: Matthew Heon <matthew.heon@pm.me>
 Date: Mon, 10 Feb 2020 13:37:38 -0500
 Subject: [PATCH] Do not copy up when volume is not empty
 When Docker performs a copy up, it first verifies that the volume
 being copied into is empty; thus, for volumes that have been
 modified elsewhere (e.g. manually copying into then), the copy up
 will not be performed at all. Duplicate this behavior in Podman
 by checking if the volume is empty before copying.
 Furthermore, move setting copyup to false further up. This will
 prevent a potential race where copy up could happen more than
 once if Podman was killed after some files had been copied but
 before the DB was updated.
 This resolves CVE-2020-1726.
 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
 ---
 libpod/container_internal.go | 28 ++++++++++++++++++++++------
 test/e2e/run_volume_test.go  | 24 ++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 6 deletions(-)
 diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go.1801152 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go
 --- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go.1801152	2020-02-21 17:08:38.015363357 +0100
 +++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go	2020-02-21 17:08:38.019363413 +0100
@@ -1358,18 +1358,34 @@ func (c *Container) mountNamedVolume(v *
 	}
 	if vol.state.NeedsCopyUp {
 		logrus.Debugf("Copying up contents from container %s to volume %s", c.ID(), vol.Name())
 +
 +		// Set NeedsCopyUp to false immediately, so we don't try this
 +		// again when there are already files copied.
 +		vol.state.NeedsCopyUp = false
 +		if err := vol.save(); err != nil {
 +			return nil, err
 +		}
 +
 +		// If the volume is not empty, we should not copy up.
 +		volMount := vol.MountPoint()
 +		contents, err := ioutil.ReadDir(volMount)
 +		if err != nil {
 +			return nil, errors.Wrapf(err, "error listing contents of volume %s mountpoint when copying up from container %s", vol.Name(), c.ID())
 +		}
 +		if len(contents) > 0 {
 +			// The volume is not empty. It was likely modified
 +			// outside of Podman. For safety, let's not copy up into
 +			// it. Fixes CVE-2020-1726.
 +			return vol, nil
 +		}
 +
 		srcDir, err := securejoin.SecureJoin(mountpoint, v.Dest)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error calculating destination path to copy up container %s volume %s", c.ID(), vol.Name())
 		}
 -		if err := c.copyWithTarFromImage(srcDir, vol.MountPoint()); err != nil && !os.IsNotExist(err) {
 +		if err := c.copyWithTarFromImage(srcDir, volMount); err != nil && !os.IsNotExist(err) {
 			return nil, errors.Wrapf(err, "error copying content from container %s into volume %s", c.ID(), vol.Name())
 		}
 -
 -		vol.state.NeedsCopyUp = false
 -		if err := vol.save(); err != nil {
 -			return nil, err
 -		}
 	}
 	return vol, nil
 }
 diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go.1801152 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go
 --- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go.1801152	2020-02-21 17:08:38.042363735 +0100
 +++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go	2020-02-21 17:08:38.046363791 +0100
@@ -375,4 +375,28 @@ var _ = Describe("Podman run with volume
 		volMount.WaitWithDefaultTimeout()
 		Expect(volMount.ExitCode()).To(Not(Equal(0)))
 	})
 +
 +	It("Podman fix for CVE-2020-1726", func() {
 +		volName := "testVol"
 +		volCreate := podmanTest.Podman([]string{"volume", "create", volName})
 +		volCreate.WaitWithDefaultTimeout()
 +		Expect(volCreate.ExitCode()).To(Equal(0))
 +
 +		volPath := podmanTest.Podman([]string{"volume", "inspect", "--format", "{{.Mountpoint}}", volName})
 +		volPath.WaitWithDefaultTimeout()
 +		Expect(volPath.ExitCode()).To(Equal(0))
 +		path := volPath.OutputToString()
 +
 +		fileName := "thisIsATestFile"
 +		file, err := os.Create(filepath.Join(path, fileName))
 +		Expect(err).To(BeNil())
 +		defer file.Close()
 +
 +		runLs := podmanTest.Podman([]string{"run", "-t", "-i", "--rm", "-v", fmt.Sprintf("%v:/etc/ssl", volName), ALPINE, "ls", "-1", "/etc/ssl"})
 +		runLs.WaitWithDefaultTimeout()
 +		Expect(runLs.ExitCode()).To(Equal(0))
 +		outputArr := runLs.OutputToStringArray()
 +		Expect(len(outputArr)).To(Equal(1))
 +		Expect(strings.Contains(outputArr[0], fileName)).To(BeTrue())
 +	})
 })
--- a/SPECS/podman.spec
+++ b/SPECS/podman.spec
@ -14,8 +14,11 @@
 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
 go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
 %else
 %define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
 %endif
 %global branch v1.6.4-rhel
 %global provider github
 %global provider_tld com
 %global project containers
@ -24,38 +27,22 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path %{provider_prefix}
 %global git0 https://%{provider}.%{provider_tld}/%{project}/%{repo}
-%global commit0 5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26
+%global commit0 2c7b579fe7328dc6db48bdaf60d0ddd9136b1e24
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 Name: podman
 Version: 1.6.4
-Release: 12%{?dist}
+Release: 25%{?dist}
 Summary: Manage Pods, Containers and Container Images
 License: ASL 2.0
 URL: https://%{name}.io/
-Source0: %{git0}/archive/%{commit0}/%{repo}-%{shortcommit0}.tar.gz
+# Build fails with: No matching package to install: 'golang >= 1.12.12-4' on i686
-Patch0: https://patch-diff.githubusercontent.com/raw/containers/storage/pull/497.patch
+ExcludeArch: i686
-# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1702
+%if 0%{?branch:1}
-# https://github.com/containers/libpod/pull/5096.patch
+Source0: https://%{import_path}/tarball/%{commit0}/%{branch}-%{shortcommit0}.tar.gz
-Patch1: CVE-2020-1702-1801929.patch
+%else
-# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1784950
+Source0: https://%{import_path}/archive/%{commit0}/%{name}-%{version}-%{shortcommit0}.tar.gz
-# backported:  https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
+%endif
 Patch2: podman-1784950.patch
 # tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1726
 # backported:  https://patch-diff.githubusercontent.com/raw/containers/libpod/pull/5168.patch
 Patch3: podman-CVE-2020-1726.patch
 # related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1805212
 # backported:  https://github.com/containers/libpod/pull/5348.patch
 Patch4: podman-1805212.patch
 # related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1807310
 # patch:       https://github.com/containers/libpod/pull/5349.patch
 Patch5: podman-1807310.patch
 # tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
 # backported:  https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
 Patch6: podman-CVE-2020-10696.patch
 # related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1834346
 # patch:       https://github.com/containers/libpod/pull/6009.patch
 Patch7: podman-1834346.patch
 Provides: %{name}-manpages = %{version}-%{release}
 Obsoletes: %{name}-manpages < %{version}-%{release}
 BuildRequires: golang >= 1.12.12-4
@ -236,7 +223,11 @@ Requires: jq
 This package contains system tests for %{name}
 %prep
-%autosetup -Sgit -n %{repo}-%{commit0}
+%if 0%{?branch:1}
 %autosetup -Sgit -n containers-%{name}-%{shortcommit0}
 %else
 %autosetup -Sgit -n %{name}-%{commit0}
 %endif
 sed -i 's/install.bin: podman/install.bin:/' Makefile
 sed -i 's/install.man: docs/install.man:/' Makefile
@ -355,9 +346,43 @@ exit 0
 %{_datadir}/%{name}/test
 %changelog
-* Mon May 18 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-12
+* Fri Feb 12 2021 Jindrich Novy <jnovy@redhat.com> - 1.6.4-25
- fix "Please backport correction patch for the native container healthchecks"
+- bump NVR to preserve upgrade path
- Resolves: #1834346
+- Related: #1920383
 * Thu Feb 11 2021 Jindrich Novy <jnovy@redhat.com> - 1.6.4-24
 - fix CVE-2021-20188
 - update to the latest content of https://github.com/containers/podman/tree/v1.6.4-rhel
  (https://github.com/containers/podman/commit/2c7b579)
 - Related: #1920383
 * Tue Jan 12 2021 Jindrich Novy <jnovy@redhat.com> - 1.6.4-23
 - fix "podman exec is fragile in the presence of signals" to avoid regression
 - Resolves: #1883490
 * Fri Sep 18 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-22
 - sync with 1.6.4-rhel branch to avoid regression
 - Resolves: #1879092
 * Thu Sep 10 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-21
 - fix "podman run with --rm errors out/segfaults on rhel8.3"
 - Resolves: #1875289
 * Thu Aug 20 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-20
 - bump release to preserve upgrade path
 - Related: #1868603
 * Mon Aug 17 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-14
 - fix "[2.0-8.3.0] Podman does not use --tmpdir when pulling an image"
 - Related: #1868603
 * Thu Jul 16 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-13
 - exclude i686 arch
 - Related: #1821193
 * Fri Jun 26 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-12
 - bump release to preserve upgrade path
 - Related: #1821193
 * Wed Apr 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-11
 - fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
`@ -1 +1 @@`
	`SOURCES/libpod-5cc9284.tar.gz`	`SOURCES/v1.6.4-rhel-2c7b579.tar.gz`
`@ -1 +1 @@`
	`dd35f1a00ac7860feeaa77dd5a92bc7bb310b821 SOURCES/libpod-5cc9284.tar.gz`	`b118b9148d847b4bbee931fb6d241b34a21054db SOURCES/v1.6.4-rhel-2c7b579.tar.gz`