NO-ISSUE: Changes to prepare for new 4.22 rebase #6231

Merged
openshift-merge-bot[bot] merged 3 commits into openshift:main from pmtk:bump-runc
Feb 17, 2026

Conversation


@pmtk pmtk commented Feb 16, 2026

Summary by CodeRabbit

  • New Features
    • Improved Linux-safe path handling, /proc access APIs, and short EAGAIN retry helpers to reduce transient syscall failures.
  • Chores
    • Upgraded vendored libraries (filepath-securejoin, runc, selinux) and added licensing/packaging metadata.
  • Compatibility
    • Removed legacy SELinux compatibility aliases and some older shims; consumers may need minor updates for renamed/removed helpers.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 16, 2026
@openshift-ci-robot

@pmtk: This pull request explicitly references no jira issue.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


coderabbitai bot commented Feb 16, 2026

📝 Walkthrough

Upgraded vendored modules (filepath-securejoin → v0.5.1, runc → v1.2.8, selinux → v1.12.0), removed two etcd local replace directives, and introduced pathrs-lite (fd, procfs, gocompat, kernelversion, consts, assert) plus runc pathrs integrations; multiple legacy Linux helpers were removed or replaced.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| etcd replace removals | `etcd/go.mod`, `etcd/vendor/modules.txt` | Removed two local replace mappings for github.com/openshift/microshift paths. |
| Root module bumps & vendor metadata | `go.mod`, `vendor/modules.txt` | Bumped vendor versions: filepath-securejoin → v0.5.1, opencontainers/runc → v1.2.8, opencontainers/selinux → v1.12.0; updated vendor metadata. |
| filepath-securejoin: licensing & metadata | `vendor/github.com/cyphar/filepath-securejoin/{LICENSE.MPL-2.0,COPYING.md,README.md,CHANGELOG.md,VERSION,.golangci.yml,codecov.yml}` | Added MPL-2.0/BSD license files, changelog/README updates, CI/lint config, and version bump to 0.5.1. |
| filepath-securejoin: pathrs-lite addition (large) | `vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/...` | Added pathrs-lite subtree with many subpackages: internal/{fd,procfs,gocompat,consts,assert,kernelversion,linux} and public procfs/pathrs adapters implementing FD abstractions, openat/openat2 wrappers, procfs safety, kernel probes, generics backports. |
| filepath-securejoin: removed legacy Linux helpers | `vendor/.../openat2_linux.go`, `openat_linux.go`, `procfs_linux.go`, vendor gocompat older shims | Removed older Linux-specific helpers and compatibility shim files; functionality migrated/reimplemented under pathrs-lite. |
| filepath-securejoin: small API/const updates | `vendor/.../join.go`, `vfs.go`, `deprecated_linux.go` | Replaced in-file symlink limit with internal/consts.MaxSymlinkLimit, added deprecated wrapper variables, minor header/comment changes. |
| pathrs-lite: fd & syscall wrappers | `.../pathrs-lite/internal/fd/*` | New Fd interface and Linux wrappers: Openat/Openat2/Readlinkat/Fstatat/Faccessat, dup/dup-with-name, Fstat/Fstatfs, IsDeadInode, Fsopen/Fsmount/OpenTree, GetMountID with capability probes and CLOEXEC/error wrapping. |
| pathrs-lite: procfs (internal + public wrappers) | `.../pathrs-lite/internal/procfs/*`, `.../pathrs-lite/procfs/*` | Comprehensive /proc layer: safe Handle, private proc mounts, subset-pid support, overmount detection, ProcSelf/ThreadSelf APIs, Readlink/Reopen helpers, test hooks; public thin wrapper exposing Handle methods. |
| pathrs-lite: kernel & capability probes | `.../pathrs-lite/internal/kernelversion/*`, `.../pathrs-lite/internal/linux/*` | Added KernelVersion type with GreaterEqualThan and runtime capability probes HasOpenat2 and HasNewMountAPI. |
| pathrs-lite: gocompat generics & backports | `.../pathrs-lite/internal/gocompat/*` | Added build-tagged compatibility shims/backports for generics and stdlib helpers (multiple variants: go1.20, go1.21, unsupported). |
| runc: pathrs integration & helpers | `vendor/github.com/opencontainers/runc/internal/pathrs/*`, `vendor/.../libcontainer/utils/*` | Added runc internal pathrs helpers (MkdirAll/OpenInRoot/procfs/retry), updated libcontainer utils to use pathrs, added EINTR retries, exported StripRoot, and adjusted the WithProcfd flow. |
| selinux: API removals & internal tweaks | `vendor/github.com/opencontainers/selinux/go-selinux/*` | Removed several exported alias helpers and GenLabels, added ErrNotTGLeader, and changed some internal parsing/bitset/permission handling (uint→int). |
| vendor hygiene & metadata | `vendor/...`, `.lichen.yaml` | Numerous vendor file additions/removals and license policy update for filepath-securejoin (BSD-3-Clause + MPL-2.0). |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant Caller as Caller
  participant Pathrs as pathrs-lite
  participant FD as internal/fd
  participant Procfs as internal/procfs
  participant Kernel as Kernel/syscalls

  Caller->>Pathrs: request lookup / open / mkdir
  Pathrs->>FD: prepareAt → Openat/Openat2 / Readlinkat / Fstat
  FD->>Kernel: syscall (openat2/openat/readlink/statx/fstat)
  Kernel-->>FD: result / error
  FD-->>Pathrs: *os.File or error
  Pathrs->>Procfs: ProcSelf/overmount/mountID checks / reopen helpers
  Procfs->>Kernel: probe features / open proc handles
  Kernel-->>Procfs: probe results
  Procfs-->>Pathrs: verified handles / paths or error
  Pathrs-->>Caller: safe *os.File or error
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

🚥 Pre-merge checks: ✅ 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | Title accurately describes the PR's main purpose: preparing for a 4.22 rebase. It's specific and concise. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 84.76% which is sufficient. The required threshold is 80.00%. |

@openshift-ci openshift-ci bot requested review from copejon and eslutsky February 16, 2026 09:56
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 16, 2026
@coderabbitai coderabbitai bot left a comment
Actionable comments posted: 8

🤖 Fix all issues with AI agents
In `@go.mod`:
- Around line 133-135: The go.mod currently pins
github.com/opencontainers/selinux at v1.12.0 which is vulnerable
(CVE-2025-52881); update the selinux dependency to v1.13.0 or later by changing
the module version (github.com/opencontainers/selinux -> v1.13.0 or newer) in
go.mod or running `go get github.com/opencontainers/selinux@v1.13.0` (or later),
then run `go mod tidy` and verify the updated version in go.sum; ensure you
re-run tests and any container/runtime integration checks to confirm no
regressions after upgrading (also confirm runc remains at the patched v1.2.8).

In `@vendor/github.com/cyphar/filepath-securejoin/doc.go`:
- Line 46: The markdown reference link for [os.Root] in
vendor/github.com/cyphar/filepath-securejoin/doc.go is malformed (it uses
"https:///" instead of "https://"); update the URL in the comment to use
"https://" (i.e., change "https:///" to "https://") so the link resolves
correctly, and optionally add a note to report this to the upstream project or
include a local vendored patch—locate the comment containing "[os.Root]" in
doc.go to make the edit.

In `@vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/fd/openat2_linux.go`:
- Around line 42-46: The Openat2 function dereferences the how pointer
unconditionally which will panic if nil; update Openat2 to guard against a nil
how by creating a local unix.OpenHow value when how == nil (or copy into a local
variable AlwaysHow := *how / defaultHow when how != nil), then operate on that
local (set Flags |= unix.O_CLOEXEC) and pass its address to the subsequent call;
reference the Openat2 function and the how variable so the change replaces
direct mutations of how with mutations on the local safeOpenHow before using it.

In `@vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/internal/procfs/procfs_linux.go`:
- Around line 130-137: The clonePrivateProcMount function leaks the first
procRoot file descriptor when hookForcePrivateProcRootOpenTreeAtRecursive forces
the AT_RECURSIVE fallback after a successful fd.OpenTree; update
clonePrivateProcMount to close the initially opened procRoot (call
procRoot.Close() or fd.Close on the handle) before reassigning it with the
second fd.OpenTree call, and ensure you only attempt to close when procRoot is
non-nil and the first open succeeded (use the existing procRoot, err variables),
preserving error semantics if the close itself fails or if the second OpenTree
returns an error.
- Around line 326-336: The code handling a fallback for ProcRoot masks the real
failure by returning the original err when OpenUnsafeProcRoot() (called as proc,
err2 := OpenUnsafeProcRoot()) fails; change the error return to propagate err2
(the OpenUnsafeProcRoot error) instead of err so callers see the actual failure
from OpenUnsafeProcRoot when it fails during the proc.lookup fallback. Ensure
the return in that branch returns nil, nil, err2 and keep the surrounding logic
(ProcRoot switch, proc.lookup, err checks) intact.

In `@vendor/github.com/cyphar/filepath-securejoin/README.md`:
- Line 184: Remove the unused Markdown link reference `[umoci]` from the
README.md (or restore its corresponding inline reference) so the markdownlint
MD053 warning is resolved; specifically, either delete the `[umoci]:
https://github.com/opencontainers/umoci` reference or add usages of `[umoci]` in
the document where intended.

In `@vendor/github.com/opencontainers/runc/internal/pathrs/root_pathrslite.go`:
- Around line 66-71: Add O_CLOEXEC to the flags before calling unix.Openat and
wrap any returned error in an os.PathError that includes the operation "openat"
and the full path (root+"/"+subpath): when preparing flags for unix.Openat (the
flags variable used in the unix.Openat call), ensure flags |= unix.O_CLOEXEC |
unix.O_CREAT | unix.O_NOFOLLOW, and if unix.Openat returns err, return
(&os.PathError{Op: "openat", Path: root + "/" + subpath, Err: err}) instead of
the raw err so callers get path context while preserving the existing
os.NewFile(uintptr(fd), root+"/"+subpath) return.

In `@vendor/modules.txt`:
- Around line 59-67: The selinux dependency is vulnerable to CVE-2025-52881;
update the module github.com/opencontainers/selinux to v1.13.0 or later by
changing the version requirement to >= v1.13.0 in your module config (go.mod),
then run dependency resolution (go get github.com/opencontainers/selinux@v1.13.0
and go mod tidy) and regenerate vendored dependencies so the new version is
recorded; also verify go.sum no longer pins the older v1.12.x and ensure no
indirect dependencies reintroduce the vulnerable version.
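The two procfs findings above (the first procRoot handle leaked on the forced AT_RECURSIVE fallback, and the OpenUnsafeProcRoot error masked by the original err) share one shape: whatever a first attempt produced has to be dealt with before a second attempt replaces it. The Go block below is an added illustration of that shape, not pathrs-lite code; `handle`, `openTree`, `lookupWithFallback` and the `forceRecursive` flag are constructed stand-ins for fd.OpenTree, the lookup path and the test hook.

```go
package main

import (
	"errors"
	"fmt"
)

// handle stands in for the *os.File that fd.OpenTree returns; it records whether
// Close was called so a leaked descriptor becomes observable (constructed here).
type handle struct {
	name   string
	closed bool
}

func (h *handle) Close() error { h.closed = true; return nil }

// openTree simulates fd.OpenTree; recursive stands for the AT_RECURSIVE variant.
func openTree(recursive bool) (*handle, error) {
	if recursive {
		return &handle{name: "procRoot(AT_RECURSIVE)"}, nil
	}
	return &handle{name: "procRoot"}, nil
}

// clonePrivateProcMount mirrors the reviewed control flow: open once, then, when
// the hook forces it, fall back to the recursive variant. The first handle is
// closed before it is overwritten (and returned so the caller can confirm it).
func clonePrivateProcMount(forceRecursive bool) (procRoot, first *handle, err error) {
	procRoot, err = openTree(false)
	if err != nil || !forceRecursive {
		return procRoot, procRoot, err
	}
	first = procRoot
	if cerr := first.Close(); cerr != nil {
		return nil, first, fmt.Errorf("closing first procRoot: %w", cerr)
	}
	procRoot, err = openTree(true)
	return procRoot, first, err
}

// lookupWithFallback mirrors the second finding: when the lookup through the
// private root fails, retry through the "unsafe" root, and if opening that root
// fails, surface its own error (err2) instead of masking it with the first err.
func lookupWithFallback(privateRoot *handle, lookup func(*handle) (*handle, error),
	openUnsafe func() (*handle, error)) (*handle, error) {
	h, err := lookup(privateRoot)
	if err == nil {
		return h, nil
	}
	unsafeRoot, err2 := openUnsafe()
	if err2 != nil {
		return nil, fmt.Errorf("fallback after %v: %w", err, err2)
	}
	return lookup(unsafeRoot)
}

func main() {
	root, first, err := clonePrivateProcMount(true)
	fmt.Printf("root=%s firstClosed=%v err=%v\n", root.name, first.closed, err)
	_, err = lookupWithFallback(&handle{name: "private"},
		func(*handle) (*handle, error) { return nil, errors.New("lookup failed") },
		func() (*handle, error) { return nil, errors.New("unsafe root unavailable") })
	fmt.Println(err)
}
```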

Comment on lines +133 to +135
github.com/opencontainers/runc v1.2.8 // indirect
github.com/opencontainers/runtime-spec v1.2.0 // indirect
github.com/opencontainers/selinux v1.11.1 // indirect
github.com/opencontainers/selinux v1.12.0 // indirect
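Review bot: both the replaced `github.com/opencontainers/selinux v1.11.1` line and its replacement `v1.12.0` are marked `// indirect`, so this pin is whatever the dependency graph currently resolves to rather than a deliberate choice, and the advisory lookups in this thread put the fixed selinux version at v1.13.0 (GHSA-cgrx-mc8f-2prm / CVE-2025-52881) while runc v1.2.8 is already the fixed runc. Since the thread says the selinux bump is blocked by the filepath-securejoin/runc/K8s chain, the deferral should be recorded where the next rebase will see it, for example a `//` comment on this go.mod line naming the advisory and the blocker, or the tracking issue offered above, so the known-vulnerable pin is not carried forward silently.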
@coderabbitai coderabbitai bot Feb 16, 2026
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GHSA-cgrx-mc8f-2prm runc patched version

💡 Result:

For GHSA-cgrx-mc8f-2prm (opencontainers runc), the patched runc versions are: 1.2.8, 1.3.3, and 1.4.0-rc.3. [1]

(Also noted in the same advisory: github.com/opencontainers/selinux is patched in 1.13.0.) [1]


🌐 Web query:

GO-2025-4098 runc container escape fix version

💡 Result:

For GO-2025-4098 (CVE-2025-52881) affecting runc:

  • Fixed runc versions: v1.2.8, v1.3.3, v1.4.0-rc.3 (and later in each line) — i.e., upgrade to at least one of those patched releases. [1][2]
  • Also affected module: github.com/opencontainers/selinuxfixed in v1.13.0 (upgrade to v1.13.0+). [1]

Affected runc ranges (per Go vuln report): before v1.2.8; v1.3.0-rc.1 to before v1.3.3; v1.4.0-rc.1 to before v1.4.0-rc.3. [1]

Sources: [1] [2]


Upgrade selinux to v1.13.0 or later.

The vulnerability (GHSA-cgrx-mc8f-2prm / CVE-2025-52881) affects both runc and selinux. While runc v1.2.8 is correctly patched, selinux v1.12.0 is not—it requires v1.13.0+. The current dependency is exposed to a HIGH severity runc container escape vulnerability.

🧰 Tools
🪛 OSV Scanner (2.3.2)

[HIGH] 135-135: github.com/opencontainers/selinux 1.12.0: Container escape and DDoS due to arbitrary write gadgets and procfs write redirects in github.com/opencontainers/runc

(GO-2025-4098)


[HIGH] 135-135: github.com/opencontainers/selinux 1.12.0: runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects

(GHSA-cgrx-mc8f-2prm)

@pmtk pmtk (Member Author)
Can't do it just yet - it would bump github.com/cyphar/filepath-securejoin to too recent a version, which would require a runc bump, which would break K8s from o/kubernetes.

@coderabbitai coderabbitai bot
@pmtk, understood—dependency chain constraints during the rebase make sense.

Is there a plan to upgrade selinux to v1.13.0+ in a follow-up once the K8s compatibility issues are resolved? Would you like me to create a tracking issue for this security update?

@coderabbitai coderabbitai bot left a comment
Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go`:
- Around line 738-740: The check that decides ErrNotTGLeader is using
unix.Getuid() incorrectly; replace the real-UID check with a PID check by
calling unix.Getpid() instead of unix.Getuid() so the condition becomes
unix.Getpid() != unix.Gettid(); update the conditional that returns
ErrNotTGLeader (the block referencing unix.Gettid() and ErrNotTGLeader) to use
unix.Getpid() to correctly detect “not thread-group leader.”
🧹 Nitpick comments (1)
vendor/github.com/cyphar/filepath-securejoin/pathrs-lite/lookup_linux.go (1)

62-63: Stale TODO: Go 1.21 has been out since August 2023.

The comment // TODO: Switch to clear once we switch to Go 1.21. is outdated. However, this is vendored upstream code — no action needed on your side.

@coderabbitai coderabbitai bot left a comment
Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@etcd/vendor/github.com/openshift/microshift/pkg/config/apiserver.go`:
- Around line 158-169: The issue is that ToApiserverArgs() always applies
fg.CustomNoUpgrade.Enabled/Disabled even when FeatureSet isn't
"CustomNoUpgrade"; update validation or guarding: either modify
validateFeatureGates to return an error if fg.FeatureSet is not
"CustomNoUpgrade" but fg.CustomNoUpgrade.Enabled or .Disabled are non-empty, or
change ToApiserverArgs to only call addFeatures on fg.CustomNoUpgrade when
fg.FeatureSet == "CustomNoUpgrade"; reference the validateFeatureGates function
and the ToApiserverArgs method and the CustomNoUpgrade.Enabled/Disabled fields
when making the fix so non-empty custom lists cannot bypass feature-set checks
unless FeatureSet is explicitly "CustomNoUpgrade".
- Around line 204-205: The error message currently uses intersect.UnsortedList()
which produces a non-deterministic ordering; replace the call to
intersect.UnsortedList() with intersect.SortedList() (or otherwise sort the
slice) in the block that checks if a.Intersection(b) has length > 0 so the
returned fmt.Errorf("%s: %s", errorMsg, ...) contains a stable, deterministic
list; update the code where a.Intersection(b) is computed and the fmt.Errorf
call to use SortedList() instead of UnsortedList().
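To make the two apiserver.go findings concrete, here is an added Go sketch (not microshift's code) of validation that rejects CustomNoUpgrade lists outside FeatureSet "CustomNoUpgrade" and reports overlapping gates in sorted, deterministic order; `FeatureGates`, `sortedIntersection` and the flag rendering are assumed shapes, not the project's own types or functions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// FeatureGates is a constructed stand-in for the microshift config type under
// review; only the fields the two findings touch are modelled (not the project's type).
type FeatureGates struct {
	FeatureSet      string
	CustomNoUpgrade struct{ Enabled, Disabled []string }
}

// sortedIntersection returns gates present in both lists in sorted order, so an
// error message built from it is deterministic (the SortedList finding).
func sortedIntersection(a, b []string) []string {
	var out []string
	for _, x := range a {
		for _, y := range b {
			if x == y {
				out = append(out, y)
			}
		}
	}
	sort.Strings(out)
	return out
}

// validateFeatureGates rejects custom lists unless FeatureSet is exactly
// "CustomNoUpgrade" (the bypass finding) and rejects a gate listed as both
// enabled and disabled.
func validateFeatureGates(fg FeatureGates) error {
	c := fg.CustomNoUpgrade
	if fg.FeatureSet != "CustomNoUpgrade" && len(c.Enabled)+len(c.Disabled) > 0 {
		return fmt.Errorf("featureSet %q does not permit customNoUpgrade lists", fg.FeatureSet)
	}
	if both := sortedIntersection(c.Enabled, c.Disabled); len(both) > 0 {
		return fmt.Errorf("feature gates both enabled and disabled: %s", strings.Join(both, ","))
	}
	return nil
}

// ToApiserverArgs renders --feature-gates; after validation the custom lists can
// only be non-empty for FeatureSet "CustomNoUpgrade", and the explicit guard
// keeps that true even if validation is bypassed by a caller.
func ToApiserverArgs(fg FeatureGates) ([]string, error) {
	if err := validateFeatureGates(fg); err != nil {
		return nil, err
	}
	var parts []string
	if fg.FeatureSet == "CustomNoUpgrade" {
		for _, g := range fg.CustomNoUpgrade.Enabled {
			parts = append(parts, g+"=true")
		}
		for _, g := range fg.CustomNoUpgrade.Disabled {
			parts = append(parts, g+"=false")
		}
	}
	if len(parts) == 0 {
		return nil, nil
	}
	return []string{"--feature-gates=" + strings.Join(parts, ",")}, nil
}
```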

@coderabbitai coderabbitai bot left a comment
Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.lichen.yaml:
- Around line 37-40: The comment in .lichen.yaml claims Kubernetes is using
v0.6.1 of "github.com/cyphar/filepath-securejoin" but provides no source; either
remove the v0.6.1 claim or add a verifiable reference (e.g., a link to the
upstream Kubernetes go.mod or CHERRY-PICK/RELEASE note that pins that version
and an optional date) so the comment is maintainable; update the comment above
the path "github.com/cyphar/filepath-securejoin" to include that link and
context or delete the unsupported v0.6.1 mention and keep only the verifiable
K8s 1.35 / v0.6.0 statement.

@pacevedom pacevedom (Contributor)

/override ci/prow/ocp-full-conformance-rhel-eus ci/prow/ocp-full-conformance-serial-rhel-eus

Unrelated issue.

openshift-ci bot commented Feb 17, 2026

@pacevedom: Overrode contexts on behalf of pacevedom: ci/prow/ocp-full-conformance-rhel-eus, ci/prow/ocp-full-conformance-serial-rhel-eus

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@pacevedom pacevedom (Contributor) left a comment
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 17, 2026
openshift-ci bot commented Feb 17, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom, pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here


Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot commented Feb 17, 2026

@pmtk: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

pmtk commented Feb 17, 2026

/verified by @pmtk

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Feb 17, 2026
@openshift-ci-robot

@pmtk: This PR has been marked as verified by @pmtk.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot bot merged commit 24190a5 into openshift:main Feb 17, 2026
14 checks passed
@pmtk pmtk deleted the bump-runc branch February 17, 2026 10:45