import podman-1.6.4-12.module+el8.2.0+6670+014d0ff8

SOURCES/497.patch

@@ -0,0 +1,60 @@
+From a6fec757c8a17f3a5b92fb766b0f2eeb3b1a208a Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Thu, 19 Dec 2019 19:06:00 +0100
+Subject: [PATCH] store: keep graph lock during Mount
+
+This solves a race condition where a mountpoint is created without the
+home mount being present.
+
+The cause is that another process could be calling the graph driver
+cleanup as part of store.Shutdown() causing the unmount of the
+driver home directory.
+
+The unmount could happen between the time the rlstore is retrieved and
+the actual mount, causing the driver mount to be done without a home
+mount below it.
+
+A third process then would re-create again the home mount, shadowing
+the previous mount.
+
+Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1757845
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ store.go | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/store.go b/store.go
+index 65808b8a0..272153e51 100644
+--- a/vendor/github.com/containers/storage/store.go
++++ b/vendor/github.com/containers/storage/store.go
+@@ -2479,6 +2479,10 @@ func (s *store) Mount(id, mountLabel string) (string, error) {
+ 	if err != nil {
+ 		return "", err
+ 	}
++
++	s.graphLock.Lock()
++	defer s.graphLock.Unlock()
++
+ 	rlstore.Lock()
+ 	defer rlstore.Unlock()
+ 	if modified, err := rlstore.Modified(); modified || err != nil {
+@@ -2486,6 +2490,18 @@ func (s *store) Mount(id, mountLabel string) (string, error) {
+ 			return "", err
+ 		}
+ 	}
++
++	/* We need to make sure the home mount is present when the Mount is done.  */
++	if s.graphLock.TouchedSince(s.lastLoaded) {
++		s.graphDriver = nil
++		s.layerStore = nil
++		s.graphDriver, err = s.getGraphDriver()
++		if err != nil {
++			return "", err
++		}
++		s.lastLoaded = time.Now()
++	}
++
+ 	if rlstore.Exists(id) {
+ 		options := drivers.MountOpts{
+ 			MountLabel: mountLabel,

SOURCES/podman-1784950.patch

@@ -0,0 +1,145 @@
+From fb7d2b6bd6a16ffdbe4a69428e3ba5b487719e78 Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh <dwalsh@redhat.com>
+Date: Tue, 17 Dec 2019 15:24:29 -0500
+Subject: [PATCH] Add support for FIPS-Mode backends
+
+If host is running in fips mode, then RHEL8.2 and beyond container images
+will come with a directory /usr/share/crypto-policies/back-ends/FIPS.
+This directory needs to be bind mounted over /etc/crypto-policies/back-ends in
+order to make all tools in the container follow the FIPS Mode rules.
+
+Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
+---
+ pkg/secrets/secrets.go | 48 +++++++++++++++++++++++++++++++++---------
+ run_linux.go           |  2 +-
+ 2 files changed, 39 insertions(+), 11 deletions(-)
+
+diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go.1784950 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go
+--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go.1784950	2020-02-19 14:58:22.049213896 +0100
++++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/pkg/secrets/secrets.go	2020-02-19 14:58:22.052213937 +0100
+@@ -148,12 +148,21 @@ func getMountsMap(path string) (string,
+ }
+ 
+ // SecretMounts copies, adds, and mounts the secrets to the container root filesystem
++// Deprecated, Please use SecretMountWithUIDGID
+ func SecretMounts(mountLabel, containerWorkingDir, mountFile string, rootless, disableFips bool) []rspec.Mount {
+ 	return SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, containerWorkingDir, 0, 0, rootless, disableFips)
+ }
+ 
+-// SecretMountsWithUIDGID specifies the uid/gid of the owner
+-func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPrefix string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
++// SecretMountsWithUIDGID copies, adds, and mounts the secrets to the container root filesystem
++// mountLabel: MAC/SELinux label for container content
++// containerWorkingDir: Private data for storing secrets on the host mounted in container.
++// mountFile: Additional mount points required for the container.
++// mountPoint: Container image mountpoint
++// uid: to assign to content created for secrets
++// gid: to assign to content created for secrets
++// rootless: indicates whether container is running in rootless mode
++// disableFips: indicates whether system should ignore fips mode
++func SecretMountsWithUIDGID(mountLabel, containerWorkingDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
+ 	var (
+ 		secretMounts []rspec.Mount
+ 		mountFiles   []string
+@@ -171,7 +180,7 @@ func SecretMountsWithUIDGID(mountLabel,
+ 	}
+ 	for _, file := range mountFiles {
+ 		if _, err := os.Stat(file); err == nil {
+-			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, mountPrefix, uid, gid)
++			mounts, err := addSecretsFromMountsFile(file, mountLabel, containerWorkingDir, uid, gid)
+ 			if err != nil {
+ 				logrus.Warnf("error mounting secrets, skipping entry in %s: %v", file, err)
+ 			}
+@@ -187,7 +196,7 @@ func SecretMountsWithUIDGID(mountLabel,
+ 	// Add FIPS mode secret if /etc/system-fips exists on the host
+ 	_, err := os.Stat("/etc/system-fips")
+ 	if err == nil {
+-		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPrefix, mountLabel, uid, gid); err != nil {
++		if err := addFIPSModeSecret(&secretMounts, containerWorkingDir, mountPoint, mountLabel, uid, gid); err != nil {
+ 			logrus.Errorf("error adding FIPS mode secret to container: %v", err)
+ 		}
+ 	} else if os.IsNotExist(err) {
+@@ -206,7 +215,7 @@ func rchown(chowndir string, uid, gid in
+ 
+ // addSecretsFromMountsFile copies the contents of host directory to container directory
+ // and returns a list of mounts
+-func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPrefix string, uid, gid int) ([]rspec.Mount, error) {
++func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir string, uid, gid int) ([]rspec.Mount, error) {
+ 	var mounts []rspec.Mount
+ 	defaultMountsPaths := getMounts(filePath)
+ 	for _, path := range defaultMountsPaths {
+@@ -285,7 +294,7 @@ func addSecretsFromMountsFile(filePath,
+ 		}
+ 
+ 		m := rspec.Mount{
+-			Source:      filepath.Join(mountPrefix, ctrDirOrFile),
++			Source:      ctrDirOrFileOnHost,
+ 			Destination: ctrDirOrFile,
+ 			Type:        "bind",
+ 			Options:     []string{"bind", "rprivate"},
+@@ -300,15 +309,15 @@ func addSecretsFromMountsFile(filePath,
+ // root filesystem if /etc/system-fips exists on hosts.
+ // This enables the container to be FIPS compliant and run openssl in
+ // FIPS mode as the host is also in FIPS mode.
+-func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPrefix, mountLabel string, uid, gid int) error {
++func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir, mountPoint, mountLabel string, uid, gid int) error {
+ 	secretsDir := "/run/secrets"
+ 	ctrDirOnHost := filepath.Join(containerWorkingDir, secretsDir)
+ 	if _, err := os.Stat(ctrDirOnHost); os.IsNotExist(err) {
+ 		if err = idtools.MkdirAllAs(ctrDirOnHost, 0755, uid, gid); err != nil {
+-			return errors.Wrapf(err, "making container directory on host failed")
++			return errors.Wrapf(err, "making container directory %q on host failed", ctrDirOnHost)
+ 		}
+ 		if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
+-			return errors.Wrap(err, "error applying correct labels")
++			return errors.Wrapf(err, "error applying correct labels on %q", ctrDirOnHost)
+ 		}
+ 	}
+ 	fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
+@@ -323,7 +332,7 @@ func addFIPSModeSecret(mounts *[]rspec.M
+ 
+ 	if !mountExists(*mounts, secretsDir) {
+ 		m := rspec.Mount{
+-			Source:      filepath.Join(mountPrefix, secretsDir),
++			Source:      ctrDirOnHost,
+ 			Destination: secretsDir,
+ 			Type:        "bind",
+ 			Options:     []string{"bind", "rprivate"},
+@@ -331,6 +340,25 @@ func addFIPSModeSecret(mounts *[]rspec.M
+ 		*mounts = append(*mounts, m)
+ 	}
+ 
++	srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
++	destDir := "/etc/crypto-policies/back-ends"
++	srcOnHost := filepath.Join(mountPoint, srcBackendDir)
++	if _, err := os.Stat(srcOnHost); err != nil {
++		if os.IsNotExist(err) {
++			return nil
++		}
++		return errors.Wrapf(err, "failed to stat FIPS Backend directory %q", ctrDirOnHost)
++	}
++
++	if !mountExists(*mounts, destDir) {
++		m := rspec.Mount{
++			Source:      srcOnHost,
++			Destination: destDir,
++			Type:        "bind",
++			Options:     []string{"bind", "rprivate"},
++		}
++		*mounts = append(*mounts, m)
++	}
+ 	return nil
+ }
+ 
+diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go.1784950 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go
+--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go.1784950	2020-02-19 14:58:22.021213507 +0100
++++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/vendor/github.com/containers/buildah/run_linux.go	2020-02-19 14:58:22.024213549 +0100
+@@ -460,7 +460,7 @@ func (b *Builder) setupMounts(mountPoint
+ 	}
+ 
+ 	// Get the list of secrets mounts.
+-	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, cdir, int(rootUID), int(rootGID), unshare.IsRootless(), false)
++	secretMounts := secrets.SecretMountsWithUIDGID(b.MountLabel, cdir, b.DefaultMountsFilePath, mountPoint, int(rootUID), int(rootGID), unshare.IsRootless(), false)
+ 
+ 	// Add temporary copies of the contents of volume locations at the
+ 	// volume locations, unless we already have something there.

SOURCES/podman-1805212.patch

@@ -0,0 +1,51 @@
+From 6c97e0d5c140d587e5477d478159e91b8adcfd15 Mon Sep 17 00:00:00 2001
+From: Brent Baude <bbaude@redhat.com>
+Date: Thu, 27 Feb 2020 14:39:31 -0600
+Subject: [PATCH 2/2] network create should use firewall plugin
+
+when creating a network, podman should add the firewall plugin to the config but not specify a backend.  this will allow cni to determine whether it should use an iptables|firewalld backend.
+
+Signed-off-by: Brent Baude <bbaude@redhat.com>
+---
+ pkg/adapter/network.go     | 1 +
+ pkg/network/netconflist.go | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pkg/network/netconflist.go b/pkg/network/netconflist.go
+index a8217097ac..34ff000249 100644
+--- a/pkg/network/netconflist.go
++++ b/pkg/network/netconflist.go
+@@ -110,7 +110,6 @@ func NewPortMapPlugin() PortMapConfig {
+ func NewFirewallPlugin() FirewallConfig {
+ 	return FirewallConfig{
+ 		PluginType: "firewall",
+-		Backend:    "iptables",
+ 	}
+ }
+ 
+
+From cfd40608907b653a8b05f2e4f4243f8aa677b6e3 Mon Sep 17 00:00:00 2001
+From: Brent Baude <bbaude@redhat.com>
+Date: Thu, 27 Feb 2020 14:35:48 -0600
+Subject: [PATCH 1/2] add firewall plugin (no backend) to default cni config
+
+in order for the fall back mechanisms to work in containernetworking-plugins, the firewall plugin must still be called via the cni configuration file.  however, no backend w
+
+Signed-off-by: Brent Baude <bbaude@redhat.com>
+---
+ cni/87-podman-bridge.conflist | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff -up a/cni/87-podman-bridge.conflist b/cni/87-podman-bridge.conflist
+--- a/cni/87-podman-bridge.conflist
++++ b/cni/87-podman-bridge.conflist
+@@ -31,8 +31,7 @@
+             }
+ 	},
+ 	{
+-            "type": "firewall",
+-	    "backend": "iptables"
++            "type": "firewall"
+ 	}
+     ]
+ }

SOURCES/podman-1807310.patch

@@ -0,0 +1,133 @@
+From b41c864d569357a102ee2335a4947e59e5e2b08a Mon Sep 17 00:00:00 2001
+From: Matthew Heon <matthew.heon@pm.me>
+Date: Thu, 27 Feb 2020 16:08:29 -0500
+Subject: [PATCH] Ensure that exec sessions inherit supplemental groups
+
+This corrects a regression from Podman 1.4.x where container exec
+sessions inherited supplemental groups from the container, iff
+the exec session did not specify a user.
+
+Signed-off-by: Matthew Heon <matthew.heon@pm.me>
+---
+ libpod/container_api.go            |  5 -----
+ libpod/container_internal_linux.go |  5 ++++-
+ libpod/oci_conmon_linux.go         | 25 +++++++++++++++++++++----
+ test/e2e/exec_test.go              | 24 ++++++++++++++++++++++++
+ 4 files changed, 49 insertions(+), 10 deletions(-)
+
+diff --git a/libpod/container_api.go b/libpod/container_api.go
+index d612341bce..dabbe27dcd 100644
+--- a/libpod/container_api.go
++++ b/libpod/container_api.go
+@@ -270,11 +270,6 @@ func (c *Container) Exec(tty, privileged bool, env map[string]string, cmd []stri
+ 		}
+ 	}()
+ 
+-	// if the user is empty, we should inherit the user that the container is currently running with
+-	if user == "" {
+-		user = c.config.User
+-	}
+-
+ 	opts := new(ExecOptions)
+ 	opts.Cmd = cmd
+ 	opts.CapAdd = capList
+diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
+index 7390262647..63968918cb 100644
+--- a/libpod/container_internal_linux.go
++++ b/libpod/container_internal_linux.go
+@@ -330,7 +330,10 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
+ 
+ 	// Add addition groups if c.config.GroupAdd is not empty
+ 	if len(c.config.Groups) > 0 {
+-		gids, _ := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, nil)
++		gids, err := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, overrides)
++		if err != nil {
++			return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s", c.ID())
++		}
+ 		for _, gid := range gids {
+ 			g.AddProcessAdditionalGid(gid)
+ 		}
+diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
+index 07d38693f0..800f896036 100644
+--- a/libpod/oci_conmon_linux.go
++++ b/libpod/oci_conmon_linux.go
+@@ -1252,18 +1252,35 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
+ 
+ 	}
+ 
++	var addGroups []string
++	var sgids []uint32
++
++	// if the user is empty, we should inherit the user that the container is currently running with
++	if user == "" {
++		user = c.config.User
++		addGroups = c.config.Groups
++	}
++
+ 	overrides := c.getUserOverrides()
+ 	execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, overrides)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+ 
++	if len(addGroups) > 0 {
++		sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, overrides)
++		if err != nil {
++			return nil, errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
++		}
++	}
++
+ 	// If user was set, look it up in the container to get a UID to use on
+ 	// the host
+-	if user != "" {
+-		sgids := make([]uint32, 0, len(execUser.Sgids))
+-		for _, sgid := range execUser.Sgids {
+-			sgids = append(sgids, uint32(sgid))
++	if user != "" || len(sgids) > 0 {
++		if user != "" {
++			for _, sgid := range execUser.Sgids {
++				sgids = append(sgids, uint32(sgid))
++			}
+ 		}
+ 		processUser := spec.User{
+ 			UID:            uint32(execUser.Uid),
+diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go
+index ed4eb3335f..ab806f6831 100644
+--- a/test/e2e/exec_test.go
++++ b/test/e2e/exec_test.go
+@@ -1,6 +1,7 @@
+ package integration
+ 
+ import (
++	"fmt"
+ 	"os"
+ 	"strings"
+ 
+@@ -244,4 +245,27 @@ var _ = Describe("Podman exec", func() {
+ 		Expect(session.ExitCode()).To(Equal(0))
+ 	})
+ 
++	It("podman exec preserves --group-add groups", func() {
++		groupName := "group1"
++		gid := "4444"
++		ctrName1 := "ctr1"
++		ctr1 := podmanTest.Podman([]string{"run", "-ti", "--name", ctrName1, fedoraMinimal, "groupadd", "-g", gid, groupName})
++		ctr1.WaitWithDefaultTimeout()
++		Expect(ctr1.ExitCode()).To(Equal(0))
++
++		imgName := "img1"
++		commit := podmanTest.Podman([]string{"commit", ctrName1, imgName})
++		commit.WaitWithDefaultTimeout()
++		Expect(commit.ExitCode()).To(Equal(0))
++
++		ctrName2 := "ctr2"
++		ctr2 := podmanTest.Podman([]string{"run", "-d", "--name", ctrName2, "--group-add", groupName, imgName, "sleep", "300"})
++		ctr2.WaitWithDefaultTimeout()
++		Expect(ctr2.ExitCode()).To(Equal(0))
++
++		exec := podmanTest.Podman([]string{"exec", "-ti", ctrName2, "id"})
++		exec.WaitWithDefaultTimeout()
++		Expect(exec.ExitCode()).To(Equal(0))
++		Expect(strings.Contains(exec.OutputToString(), fmt.Sprintf("%s(%s)", gid, groupName))).To(BeTrue())
++	})
+ })

SOURCES/podman-1834346.patch

@@ -0,0 +1,27 @@
+From fadd011a80c62f7a2fb971fac34d7b470c6a60df Mon Sep 17 00:00:00 2001
+From: Brent Baude <bbaude@redhat.com>
+Date: Mon, 27 Apr 2020 16:03:00 -0500
+Subject: [PATCH] separate healthcheck and container log paths
+
+instead of using the container log path to derive where to put the healthchecks, we now put them into the rundir to avoid collision of health check log files when the log path is set by user.
+
+Fixes: #5915
+
+Signed-off-by: Brent Baude <bbaude@redhat.com>
+---
+ libpod/healthcheck.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libpod/healthcheck.go b/libpod/healthcheck.go
+index daddb6561d..aec5fa4e0f 100644
+--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/healthcheck.go
++++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/healthcheck.go
+@@ -238,7 +238,7 @@ func (c *Container) updateHealthCheckLog(hcl define.HealthCheckLog, inStartPerio
+ 
+ // HealthCheckLogPath returns the path for where the health check log is
+ func (c *Container) healthCheckLogPath() string {
+-	return filepath.Join(filepath.Dir(c.LogPath()), "healthcheck.log")
++	return filepath.Join(filepath.Dir(c.state.RunDir), "healthcheck.log")
+ }
+ 
+ // GetHealthCheckLog returns HealthCheck results by reading the container's

SOURCES/podman-CVE-2020-10696.patch

@@ -0,0 +1,58 @@
+From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat <tsweeney@redhat.com>
+Date: Tue, 24 Mar 2020 20:10:22 -0400
+Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
+
+Stealing @nalind 's workaround to avoid refetching
+content after a file read failure.  Under the right
+circumstances that could be a symlink to a file meant
+to overwrite a good file with bad data.
+
+Testing:
+```
+goodstuff
+
+[1] 14901
+
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+no FROM statement found
+
+goodstuff
+```
+
+Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
+---
+ imagebuildah/util.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/imagebuildah/util.go b/imagebuildah/util.go
+index 29ea60970..5f14c9883 100644
+--- a/vendor/github.com/containers/buildah/imagebuildah/util.go
++++ b/vendor/github.com/containers/buildah/imagebuildah/util.go
+@@ -14,6 +14,7 @@ import (
+ 
+ 	"github.com/containers/buildah"
+ 	"github.com/containers/storage/pkg/chrootarchive"
++	"github.com/containers/storage/pkg/ioutils"
+ 	"github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error {
+ 		}
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
++		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
+ 		}
+ 	}
+@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error {
+ 	if err := chrootarchive.Untar(reader, dir, nil); err != nil {
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil {
++		if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile)
+ 		}
+ 	}

SOURCES/podman-CVE-2020-1726.patch

@@ -0,0 +1,100 @@
+From c140ecdc9b416ab4efd4d21d14acd63b6adbdd42 Mon Sep 17 00:00:00 2001
+From: Matthew Heon <matthew.heon@pm.me>
+Date: Mon, 10 Feb 2020 13:37:38 -0500
+Subject: [PATCH] Do not copy up when volume is not empty
+
+When Docker performs a copy up, it first verifies that the volume
+being copied into is empty; thus, for volumes that have been
+modified elsewhere (e.g. manually copying into then), the copy up
+will not be performed at all. Duplicate this behavior in Podman
+by checking if the volume is empty before copying.
+
+Furthermore, move setting copyup to false further up. This will
+prevent a potential race where copy up could happen more than
+once if Podman was killed after some files had been copied but
+before the DB was updated.
+
+This resolves CVE-2020-1726.
+
+Signed-off-by: Matthew Heon <matthew.heon@pm.me>
+---
+ libpod/container_internal.go | 28 ++++++++++++++++++++++------
+ test/e2e/run_volume_test.go  | 24 ++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+), 6 deletions(-)
+
+diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go.1801152 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go
+--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go.1801152	2020-02-21 17:08:38.015363357 +0100
++++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/libpod/container_internal.go	2020-02-21 17:08:38.019363413 +0100
+@@ -1358,18 +1358,34 @@ func (c *Container) mountNamedVolume(v *
+ 	}
+ 	if vol.state.NeedsCopyUp {
+ 		logrus.Debugf("Copying up contents from container %s to volume %s", c.ID(), vol.Name())
++
++		// Set NeedsCopyUp to false immediately, so we don't try this
++		// again when there are already files copied.
++		vol.state.NeedsCopyUp = false
++		if err := vol.save(); err != nil {
++			return nil, err
++		}
++
++		// If the volume is not empty, we should not copy up.
++		volMount := vol.MountPoint()
++		contents, err := ioutil.ReadDir(volMount)
++		if err != nil {
++			return nil, errors.Wrapf(err, "error listing contents of volume %s mountpoint when copying up from container %s", vol.Name(), c.ID())
++		}
++		if len(contents) > 0 {
++			// The volume is not empty. It was likely modified
++			// outside of Podman. For safety, let's not copy up into
++			// it. Fixes CVE-2020-1726.
++			return vol, nil
++		}
++
+ 		srcDir, err := securejoin.SecureJoin(mountpoint, v.Dest)
+ 		if err != nil {
+ 			return nil, errors.Wrapf(err, "error calculating destination path to copy up container %s volume %s", c.ID(), vol.Name())
+ 		}
+-		if err := c.copyWithTarFromImage(srcDir, vol.MountPoint()); err != nil && !os.IsNotExist(err) {
++		if err := c.copyWithTarFromImage(srcDir, volMount); err != nil && !os.IsNotExist(err) {
+ 			return nil, errors.Wrapf(err, "error copying content from container %s into volume %s", c.ID(), vol.Name())
+ 		}
+-
+-		vol.state.NeedsCopyUp = false
+-		if err := vol.save(); err != nil {
+-			return nil, err
+-		}
+ 	}
+ 	return vol, nil
+ }
+diff -up ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go.1801152 ./libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go
+--- libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go.1801152	2020-02-21 17:08:38.042363735 +0100
++++ libpod-5cc92849f7fc9dd734ca2fd8f3ae8830b9a7eb26/test/e2e/run_volume_test.go	2020-02-21 17:08:38.046363791 +0100
+@@ -375,4 +375,28 @@ var _ = Describe("Podman run with volume
+ 		volMount.WaitWithDefaultTimeout()
+ 		Expect(volMount.ExitCode()).To(Not(Equal(0)))
+ 	})
++
++	It("Podman fix for CVE-2020-1726", func() {
++		volName := "testVol"
++		volCreate := podmanTest.Podman([]string{"volume", "create", volName})
++		volCreate.WaitWithDefaultTimeout()
++		Expect(volCreate.ExitCode()).To(Equal(0))
++
++		volPath := podmanTest.Podman([]string{"volume", "inspect", "--format", "{{.Mountpoint}}", volName})
++		volPath.WaitWithDefaultTimeout()
++		Expect(volPath.ExitCode()).To(Equal(0))
++		path := volPath.OutputToString()
++
++		fileName := "thisIsATestFile"
++		file, err := os.Create(filepath.Join(path, fileName))
++		Expect(err).To(BeNil())
++		defer file.Close()
++
++		runLs := podmanTest.Podman([]string{"run", "-t", "-i", "--rm", "-v", fmt.Sprintf("%v:/etc/ssl", volName), ALPINE, "ls", "-1", "/etc/ssl"})
++		runLs.WaitWithDefaultTimeout()
++		Expect(runLs.ExitCode()).To(Equal(0))
++		outputArr := runLs.OutputToStringArray()
++		Expect(len(outputArr)).To(Equal(1))
++		Expect(strings.Contains(outputArr[0], fileName)).To(BeTrue())
++	})
+ })

SPECS/podman.spec

@@ -29,11 +29,35 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 
 Name: podman
 Version: 1.6.4
-Release: 1%{?dist}
+Release: 12%{?dist}
 Summary: Manage Pods, Containers and Container Images
 License: ASL 2.0
 URL: https://%{name}.io/
 Source0: %{git0}/archive/%{commit0}/%{repo}-%{shortcommit0}.tar.gz
+Patch0: https://patch-diff.githubusercontent.com/raw/containers/storage/pull/497.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1702
+# https://github.com/containers/libpod/pull/5096.patch
+Patch1: CVE-2020-1702-1801929.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1784950
+# backported:  https://patch-diff.githubusercontent.com/raw/containers/buildah/pull/2031.patch
+Patch2: podman-1784950.patch
+# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1726
+# backported:  https://patch-diff.githubusercontent.com/raw/containers/libpod/pull/5168.patch
+Patch3: podman-CVE-2020-1726.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1805212
+# backported:  https://github.com/containers/libpod/pull/5348.patch
+Patch4: podman-1805212.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1807310
+# patch:       https://github.com/containers/libpod/pull/5349.patch
+Patch5: podman-1807310.patch
+# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
+# backported:  https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
+Patch6: podman-CVE-2020-10696.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1834346
+# patch:       https://github.com/containers/libpod/pull/6009.patch
+Patch7: podman-1834346.patch
+Provides: %{name}-manpages = %{version}-%{release}
+Obsoletes: %{name}-manpages < %{version}-%{release}
 BuildRequires: golang >= 1.12.12-4
 BuildRequires: glib2-devel
 BuildRequires: glibc-devel
@@ -56,7 +80,6 @@ Requires: iptables
 Requires: nftables
 Requires: libseccomp >= 2.4.1
 Requires: conmon
-Requires: %{name}-manpages = %{version}-%{release}
 Requires: container-selinux
 Requires: slirp4netns >= 0.4.0-1
 Requires: runc >= 1.0.0-57
@@ -188,13 +211,6 @@ This package installs a script named docker that emulates the Docker CLI by
 executes %{name} commands, it also creates links between all Docker CLI man
 pages and %{name}.
 
-%package manpages
-Summary: Man pages for the %{name} commands
-BuildArch: noarch
-
-%description manpages
-Man pages for the %{name} commands
-
 %package remote
 Summary: (Experimental) Remote client for managing %{name} containers
 
@@ -278,6 +294,11 @@ ln -s ./ ./vendor/src # ./vendor/src -> ./vendor
 install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
 cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
 
+# do not include docker and podman-remote man pages in main package
+for file in `find %{buildroot}%{_mandir}/man[15] -type f | sed "s,%{buildroot},," | grep -v -e remote -e docker`; do
+    echo "$file*" >> podman.file-list
+done
+
 %check
 %if 0%{?with_check}
 # Since we aren't packaging up the vendor directory we need to link
@@ -305,11 +326,10 @@ exit 0
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
 
-%files
+%files -f podman.file-list
 %license LICENSE
 %doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
 %{_bindir}/%{name}
-%{_mandir}/man5/*.5*
 %{_datadir}/bash-completion/completions/*
 # By "owning" the site-functions dir, we don't need to Require zsh
 %{_datadir}/zsh/site-functions
@@ -320,24 +340,66 @@ exit 0
 %{_unitdir}/io.%{name}.socket
 %{_userunitdir}/io.%{name}.service
 %{_userunitdir}/io.%{name}.socket
-
 %{_usr}/lib/tmpfiles.d/%{name}.conf
 
 %files docker
 %{_bindir}/docker
 %{_mandir}/man1/docker*.1*
 
-%files manpages
-%{_mandir}/man1/%{name}*.1*
-
 %files remote
 %{_bindir}/%{name}-remote
+%{_mandir}/man1/%{name}-remote*.1*
 
 %files tests
 %license LICENSE
 %{_datadir}/%{name}/test
 
 %changelog
+* Mon May 18 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-12
+- fix "Please backport correction patch for the native container healthchecks"
+- Resolves: #1834346
+
+* Wed Apr 01 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-11
+- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
+- Resolves: #1819391
+
+* Thu Mar 19 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-10
+- use the full PR 5348 to fix "no route to host from inside container"
+- Resolves: #1806899
+
+* Fri Mar 06 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-9
+- update fix for "podman (1.6.4) rhel 8.1 no route to host from inside container"
+- Resolves: #1806899
+
+* Fri Mar 06 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-8
+- fix "[FJ8.2 Bug]: [REG]The "--group-add" option of "podman create" doesn't function."
+- Resolves: #1808705
+
+* Thu Feb 27 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-7
+- fix "podman (1.6.4) rhel 8.1 no route to host from inside container"
+- Resolves: #1806899
+
+* Fri Feb 21 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-6
+- fix "CVE-2020-1726 podman: incorrectly allows existing files in volumes to be overwritten by a container when it is created"
+- Resolves: #1801572
+
+* Wed Feb 19 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-5
+- fix "Podman support for FIPS Mode requires a bind mount inside the container"
+- Resolves: #1804193
+
+* Mon Feb 17 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-4
+- fix CVE-2020-1702
+- Resolves: #1801929
+
+* Wed Jan 08 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-3
+- merge podman-manpages with podman package and put man pages for
+  podman-remote to its dedicated subpackage
+Resolves: #1788539
+
+* Fri Jan 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.6.4-2
+- apply fix for #1757845
+- Related: RHELPLAN-25139
+
 * Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.6.4-1
 - update to 1.6.4
 - Related: RHELPLAN-25139