Merge pull request #26990 from mheon/final_backports_561

Final backports for v5.6.1

Author: openshift-merge-bot[bot]

.cirrus.yml

@@ -31,7 +31,7 @@ env:
     DEBIAN_NAME: "debian-13"
 
     # Image identifiers
-    IMAGE_SUFFIX: "c20250627t155202z-f42f41d13"
+    IMAGE_SUFFIX: "c20250812t173301z-f42f41d13"
 
     # EC2 images
     FEDORA_AMI: "fedora-aws-${IMAGE_SUFFIX}"

RELEASE_NOTES.md

@@ -1,12 +1,21 @@
 # Release Notes
 
 ## 5.6.1
+### Security
+- This release addresses CVE-2025-9566, where Kubernetes YAML run by `podman play kube` containing `ConfigMap` and `Secret` volumes can use crafted symlinks to overwrite content on the host.
+
 ### Bugfixes
 - Fixed a bug where network creation and removal events were displayed incorrectly when the `journald` events driver was in use.
 - Fixed a bug where the `--security-opt seccomp=unconfined` option was broken on Windows ([#26855](https://github.com/containers/podman/issues/26855)).
 - Fixed a bug where containers created with a name longer than 64 characters, no explicit hostname, the the `container_name_as_hostname` option in `containers.conf` set to `true` would fail to start.
 - Fixed a bug where Podman would fail to start containers when runc 1.3.0 or later was used as the OCI runtime ([#26938](https://github.com/containers/podman/issues/26938)).
 
+### Misc
+- Adjusted the systemd-tmpfiles script to recursively remove temporary files directories placed in `/tmp`, ensuring proper operation of Podman after a reboot if `/tmp` is not a tmpfs.
+- Updated Buildah to v1.41.4
+- Updated the containers/storage to v1.59.1
+- Updated the containers/common library to v0.64.2
+
 ## 5.6.0
 ### Features
 - A new set of commands for managing Quadlets has been added as `podman quadlet install` (install a new Quadlet for the current user), `podman quadlet list` (list installed Quadlets), `podman quadlet print` (print the contents of a Quadlet file), and `podman quadlet rm` (remove a Quadlet). These commands are presently not available with the remote Podman client - we expect support for this to arrive in a future release.

contrib/tmpfile/podman.conf

@@ -1,9 +1,16 @@
 # /tmp/podman-run-* directory can contain content for Podman containers that have run
-# for many days. This following line prevents systemd from removing this content.
+# for many days. The following lines prevents systemd from removing this content.
+# At the same time, these directories must also be cleaned on reboot.
+# Thus, each path has two lines: x to not periodically clean, R! to recursively
+# remove on reboot.
 x /tmp/podman-run-*
+R! /tmp/podman-run-*
 x /tmp/storage-run-*
+R! /tmp/storage-run-*
 x /tmp/containers-user-*
+R! /tmp/containers-user-*
 x /tmp/run-*/libpod
+R! /tmp/run-*/libpod
 D! /var/lib/containers/storage/tmp 0700 root root
 D! /run/podman 0700 root root
 D! /var/lib/cni/networks

libpod/container_exec.go

@@ -859,6 +859,19 @@ func (c *Container) healthCheckExec(config *ExecConfig, timeout time.Duration, s
 		return -1, err
 	}
 	defer func() {
+		// cleanupExecBundle MUST be called with the parent container locked.
+		if !unlock && !c.batched {
+			c.lock.Lock()
+			unlock = true
+
+			if err := c.syncContainer(); err != nil {
+				logrus.Errorf("Error syncing container %s state: %v", c.ID(), err)
+				// Normally we'd want to continue here, get rid of the exec directory.
+				// But the risk of proceeding into a function that can mutate state with a bad state is high.
+				// Lesser of two evils is to bail and leak a directory.
+				return
+			}
+		}
 		if err := c.cleanupExecBundle(session.ID()); err != nil {
 			logrus.Errorf("Container %s light exec session cleanup error: %v", c.ID(), err)
 		}
@@ -971,7 +984,8 @@ func (c *Container) exec(config *ExecConfig, streams *define.AttachStreams, resi
 	return session.ExitCode, nil
 }
 
-// cleanupExecBundle cleanups an exec session after its done
+// cleanupExecBundle cleans up an exec session after completion.
+// MUST BE CALLED with container `c` locked.
 // Please be careful when using this function since it might temporarily unlock
 // the container when os.RemoveAll($bundlePath) fails with ENOTEMPTY or EBUSY
 // errors.

test/apiv2/20-containers.at

@@ -762,14 +762,13 @@ if root && test -e /dev/nullb0; then
   t POST libpod/containers/updateCtr/update ${TMPD}/update.json 201
 
   cgroupPath=/sys/fs/cgroup/cpu.weight
-  # 002 is the byte length
-  cpu_weight_expect=$'\001\0025'
 
   # Verify CPU weight
   echo '{ "AttachStdout":true,"Cmd":["cat", "'$cgroupPath'"]}' >${TMPD}/exec.json
   t POST containers/updateCtr/exec ${TMPD}/exec.json 201 .Id~[0-9a-f]\\{64\\}
   eid=$(jq -r '.Id' <<<"$output")
-  t POST exec/$eid/start 200 $cpu_weight_expect
+  t POST exec/$eid/start 200
+  like "$(<$WORKDIR/curl.result.out)" $'^\x01.\(20\|5\)$' "cpu.weight is 5 or 20"
 
   BlkioDeviceReadBps_expected='[
   {

test/e2e/update_test.go

@@ -141,7 +141,8 @@ var _ = Describe("Podman update", func() {
 		podmanTest.CheckFileInContainerSubstring(ctrID, "/sys/fs/cgroup/memory.swap.max", "1073741824")
 
 		// checking cpu-shares
-		podmanTest.CheckFileInContainerSubstring(ctrID, "/sys/fs/cgroup/cpu.weight", "5")
+		exec := podmanTest.PodmanExitCleanly("exec", ctrID, "cat", "/sys/fs/cgroup/cpu.weight")
+		Expect(exec.OutputToString()).To(Or(ContainSubstring("5"), ContainSubstring("20")))
 
 		// checking pids-limit
 		podmanTest.CheckFileInContainerSubstring(ctrID, "/sys/fs/cgroup/pids.max", "123")