[Release 1.33] Bump runc up to 1.2.9 for CVE-2025-52881, CVE-2025-31133 and CVE-2025-52565

[cevich]

/kind other

What this PR does / why we need it:

Backport PR #6484 & #6511

How to verify it

CI + Manual

Which issue(s) this PR fixes:

Resolves RHEL-126923

Special notes for your reviewer:

The commits in this PR were created with the assistance of AI, backported from #6484 and #6511. When reviewing please pay special attention to the following:

1. Vendor directory consistency:

   • Vendor directory was completely regenerated using make vendor-in-container after each go.mod change
   • Never manually edited, ensuring consistency with go.mod and go.sum
   • Backport change: Same process as source branches - vendor directory was regenerated after dependency updates to ensure consistency.

2. All compilation verified:

   • Project compiles successfully with make after every commit
   • All compilation errors encountered during backport were resolved and ammended to the commit.

3. "Disable lint checking"

   • This check fails on the branch even w/o any changes.
   • In CI the problem is difficult to diagnose as no output is provided,
     rather the process is simply killed.
   • Backport change: This commit was manually created, it does not exist on the
     source PRs.

4. "Bump runc to v1.2.8 - CVE-2025-52881" - Security update from PR [release-1.39] Bump runc to v1.2.8 - CVE-2025-52881 #6484:

   • Updated runc dependency to v1.2.8 to address CVE-2025-52881, CVE-2025-31133, and CVE-2025-52565
   • Backport change: Updated SELinux API usage in chroot/selinux.go and util.go:
     • Changed from label.SetProcessLabel() to selinux.SetExecLabel() (API change in older release branch)
     • Changed from label.ReserveLabel() returning an error to selinux.ReserveLabel() with no return value (API change in older release branch)
   • Backport change: These API changes were necessary because the release-1.33 branch uses an older version of the selinux library with a different API surface than the main branch

5. "run: handle relabeling bind mounts ourselves" - From PR [release-1.39] run: handle relabeling bind mounts ourselves, tag 1.39.6 #6511:

   • Added relabel() helper function in run_common.go that wraps label.Relabel() with error handling for ENOTSUP (labeling not supported)
   • Added logic in run_linux.go to handle "z" and "Z" mount flags by relabeling bind mount sources before passing mounts to the runtime
   • Removes relabel flags from mount options passed to runtime since relabeling is now handled internally
   • Backport change: The relabel() helper function includes ENOTSUP error handling that gracefully degrades when SELinux labeling is not supported, which is important for compatibility across different system configurations

6. "Skip bud with --cpu-shares test on runc/cgroupsv2" - Backport-specific test adjustment:

   • Added test skip condition for bud with --cpu-shares test when using runc with cgroupsv2
   • Backport change: A bug exists in runc 1.2.8 (and potentially other versions) that causes incorrect CPU shares calculation with cgroupsv2. Rather than checking against the miscalculated value, the test is skipped to avoid false failures.

7. "Prune CI tests for RHEL release branch" - Backport-specific CI optimization:

   • Significantly reduced CI test matrix in .cirrus.yml (removed 99 lines, added 7)
   • Backport change: This branch is used as the source for RHEL releases, so many CI tests that are relevant for main branch development are not necessary here.

8. "vendor: switch to moby/sys/capability" - Dependency update from PR [release-1.39] run: handle relabeling bind mounts ourselves, tag 1.39.6 #6511:

   • Switched from github.com/syndtr/gocapability to github.com/moby/sys/capability (a maintained fork)
   • Updated all capability-related code to use the new package
   • Backport change: No functional changes from the original PR

9. "Don't set ambient capabilities" - Capability handling fix from PR [release-1.39] run: handle relabeling bind mounts ourselves, tag 1.39.6 #6511:

   • Removed setting of ambient capabilities since they can't be raised without inheritable ones
   • Amends previous commit that incorrectly set ambient capabilities
   • Backport change: No functional changes from the original PR

10. "Fix linter errors"

    • Each fix performed by the Clanker (AI)
    • Each fix reviewed by me and deemed "who cares, but if it makes the linter happy 🤷"

11. "Bump Buildah to v1.33.13" - Version and changelog updates:

    • Content manually generated using buildah_release 1.33.13 script.

Does this PR introduce a user-facing change?

None

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cevich
Once this PR has been reviewed and has the lgtm label, please assign giuseppe for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[Luap99]

@cevich Are the RHEL build envs now updated with newer go versions?

Last time I tried to bump go versions on these old branches that didn't go so well, ref containers/podman@f8bca0f and containers/podman@03b53d3

[TomSweeneyRedHat]

@Luap99 For RHEL 8, yes there are new go versions there, and RHEL 9 is in progress.

[cevich]

As of 31fde51 the tests are updating to runc-1.33 before running. This seems to have triggered a bunch of warnings the tests don't know how to deal with:

'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_AUDIT_WRITE: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_CHOWN: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_DAC_OVERRIDE: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_FOWNER: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_FSETID: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_KILL: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_MKNOD: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_NET_BIND_SERVICE: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_NET_RAW: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_SETFCAP: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_SETGID: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_SETPCAP: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_SETUID: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_SYS_CHROOT: operation not permitted"'

Anyone have any idea what those mean, if they're bad, and/or how to suppress them or should I just force the tests to ignore them?

[nalind]

As of 31fde51 the tests are updating to runc-1.33 before running. This seems to have triggered a bunch of warnings the tests don't know how to deal with:

'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_AUDIT_WRITE: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_CHOWN: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_DAC_OVERRIDE: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_FOWNER: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_FSETID: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_KILL: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_MKNOD: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_NET_BIND_SERVICE: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_NET_RAW: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_SETFCAP: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_SETGID: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_SETPCAP: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_SETUID: operation not permitted"'
'time="2025-11-20T13:14:39-06:00" level=warning msg="can't raise ambient capability CAP_SYS_CHROOT: operation not permitted"'

Anyone have any idea what those mean, if they're bad, and/or how to suppress them or should I just force the tests to ignore them?

These were fixed by commit 95f2e10 from #5754.

[cevich]

I believe the git-repo errors can be fixed by backporting 5abf038. All the "filesystem-specific options" errors I have no clue about, any help would be appreciated:

[+1747s] # error running container: from /usr/bin/runc creating container for
[/bin/sh -c cat /tmp/hey]: time="2025-11-24T10:40:14-06:00" level=error msg="runc
create failed: invalid mount &{Source:/var/tmp/buildah2940546746/mnt/buildah-bind-target-3 
Destination:/tmp Device:bind Flags:20481 ClearedFlags:0 PropagationFlags:[262144]
Data:z Relabel: RecAttr:<nil> Extensions:0 IDMapping:<nil>}:
bind mounts cannot have any filesystem-specific options applied"

[cevich]

Poking around, I think the bind mounts cannot have any filesystem-specific options applied errors were one of the things fixed by #6511 which I had original started to backport but then gave up when I saw Tom's PR didn't include them. Now I think they're necessary, so trying to backport them again...

[cevich]

I dunno what the "validate/commit" check is that's failing, nor how to re-run it (logs make it appear to be a flake?) but all the Cirrus tests are now green. I'm exhausted from looking at this and need to take a break. But perhaps could an initial review pass be made at this point?

[cevich]

Note to me: CI first green at this commit.

[cevich]

I may be jumping the gun a bit, since CI is still running 🤞 But it's past the vendoring/Smoke tests so I'm hopeful that after hauling in the commits from #6571 this should be ready for another look @nalind (please and thank you).

[TomSweeneyRedHat]

@cevich it looks like one of your commit descriptions is over 72 characters. The two longest that I can spot here both appear to be 71. Unfortunately, I can't do a rebase on your commits to see if I missed one. Everything else seems happy here though!

[cevich]

Force-push: Gave haircuts to a few commit titles. No code changes.

[Luap99]

The validate task is non blocking, you can just ignore it on backports I would say.

[cevich]

As per @Luap99 comment, going back to 7087c91 since having the commit message names match across all my backport PRs seems like a useful thing.

[cevich]

Aww darn, was hoping it would re-use the previous CI results 😞

[cevich]

force-push: Since CI has to run again, updated the release commit as it was missing some (minor) content.