Update github.com/cyphar/filepath-securejoin to v0.6.0 and github.com/opencontainers/runc to v1.3.3

[mtrmac]

This is a replacement for #432 , also updating the users of removed functions.

Do note the licensing conversation in #432 — and how #446 needs an updated filepath-securejoin (does not matter for container-libs, but needed e.g. in podman-container-tools/podman#27466 ).

Cc: @TomSweeneyRedHat . FYI @mheon

[podmanbot]

✅ A new PR has been created in buildah to vendor these changes: podman-container-tools/buildah#6487

[Luap99]

Looks like you need to bump runc here at the same time, really annoying that the 0.6.0 update introduces breaking changes which means every users must be updates in the right dependency order first. This will be gigantic PITA if the selinux chnage (podman-container-tools/podman#27466) must be backported.

Looking at it closer I doubt we use the selinux code to write labels in untrusted namespaces so maybe we are good without it.

[mtrmac]

Yes

• Podman wants github.com/opencontainers/selinux v1.13.0 (not part of this PR)
• That requires github.com/cyphar/filepath-securejoin v0.6.0
• That removed API and thus needs an update to github.com/opencontainers/runc v1.3.3

[mtrmac]

Looking at it closer I doubt we use the selinux code to write labels in untrusted namespaces so maybe we are good without it.

All of this is making me wonder whether there shouldn’t be some way to solve the overmounts within runc, without adding all the /proc complexity and overhead to all other simpler users. But I’m not going to try.

[lsm5]

LGTM

[mheon]

LGTM once tests are green

[TomSweeneyRedHat]

LGTM
with happy tests

[0xFelix]

Can we backport this to podman-5.8?

[Luap99]

Can we backport this to podman-5.8?

What do you need this for? This branch is used for our podman releases and backporting these fixes through all projects is additional work for us.

[0xFelix]

It's not as important, nevermind. We can wait for Podman 6 libs. Thanks for looking into it.