* [meta-virtualization][walnascar][PATCH 1/2] podman: remove ptest
@ 2025-10-13 11:47 dchellam
  2025-10-13 11:47 ` [meta-virtualization][walnascar][PATCH 2/2] podman: fix CVE-2025-9566 dchellam
  2025-10-14  1:59 ` [meta-virtualization][walnascar][PATCH 1/2] podman: remove ptest Bruce Ashfield
  0 siblings, 2 replies; 3+ messages in thread
From: dchellam @ 2025-10-13 11:47 UTC (permalink / raw)
  To: meta-virtualization

From: Divya Chellam <divya.chellam@windriver.com>

The ptest was added almost three years ago and since then nobody
ever fixed anything. It's almost impossible that the ptest never
failed. As evidence, for the current version, the test cases
cannot even run.

Remove this ptest. People who care about podman ptest should be
maintaining it.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
(master rev: a8175deded4decb9b889901caabb48bf8c4edc73)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
 recipes-containers/podman/podman/run-ptest | 13 -----------
 recipes-containers/podman/podman_git.bb    | 27 +---------------------
 2 files changed, 1 insertion(+), 39 deletions(-)
 delete mode 100644 recipes-containers/podman/podman/run-ptest

diff --git a/recipes-containers/podman/podman/run-ptest b/recipes-containers/podman/podman/run-ptest
deleted file mode 100644
index 108ff451..00000000
--- a/recipes-containers/podman/podman/run-ptest
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: Huawei Inc.
-#
-# SPDX-License-Identifier: MIT
-
-#
-# Podman system tests
-#
-
-# The system tests don't need any go related variables. Dummy-define them to
-# avoid useless warnings/errors.
-GOOS=undefined GO=true BUILDTAGS= make localsystem
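Review bot: with run-ptest gone the recipe has no on-target test at all, which matters within this very series: the CVE backport in 2/2 will only ever be build-tested. The commit message should say how the removal was validated beyond "the test cases cannot even run" (at least that `bitbake podman` still succeeds and the package list is unchanged), or point at where the podman system tests are expected to run instead. The deleted script relied on the upstream Makefile's `localsystem` target (`GOOS=undefined GO=true BUILDTAGS= make localsystem`), which is why it was tied to copying `${S}/src/import/Makefile` into PTEST_PATH.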
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index d98521ba..a83764fc 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -20,7 +20,6 @@ SRCREV = "227df90eb7c021097c9ba5f8000c83648a598028"
 SRC_URI = " \
     git://github.com/containers/libpod.git;branch=v5.4;protocol=https;destsuffix=${GO_SRCURI_DESTSUFFIX} \
     ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
-    file://run-ptest \
     file://CVE-2025-6032.patch;patchdir=src/import \
 "
 
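Review bot: dropping `file://run-ptest` is the right companion to removing `inherit ptest`; nothing to flag in this hunk on its own. Note that the tree stays on `branch=v5.4` with a pinned SRCREV, so every later podman CVE (the one in 2/2 included) keeps arriving as a `file://CVE-*.patch;patchdir=src/import` entry here; keeping those entries in CVE order makes the `CVE:` tags easy to audit against cve-check output.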
@@ -56,7 +55,7 @@ export BUILDFLAGS = "${GOBUILDFLAGS}"
 
 inherit go goarch
 inherit container-host
-inherit systemd pkgconfig ptest
+inherit systemd pkgconfig
 
 do_configure[noexec] = "1"
 
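Review bot: removing `ptest` from the inherit line also removes the `${PN}-ptest` package that the class generates, so any image or packagegroup that lists `podman-ptest` in IMAGE_INSTALL will now fail with a missing package. That is the intent, but it should be stated in the commit message so downstream layers on walnascar know to drop the reference.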
@@ -129,17 +128,6 @@ do_install() {
 	fi
 }
 
-do_install_ptest () {
-	cp ${S}/src/import/Makefile ${D}${PTEST_PATH}
-	install -d ${D}${PTEST_PATH}/test
-	cp -r ${S}/src/import/test/system ${D}${PTEST_PATH}/test
-
-	# Some compatibility links for the Makefile assumptions.
-	install -d ${D}${PTEST_PATH}/bin
-	ln -s ${bindir}/podman ${D}${PTEST_PATH}/bin/podman
-	ln -s ${bindir}/podman-remote ${D}${PTEST_PATH}/bin/podman-remote
-}
-
 FILES:${PN} += " \
     ${systemd_unitdir}/system/* \
     ${nonarch_libdir}/systemd/* \
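Review bot: the removal is consistent with the SRC_URI and inherit hunks; the function copied the upstream Makefile and `test/system` into PTEST_PATH and symlinked `${bindir}/podman` and `podman-remote` under `bin/` to satisfy the Makefile's layout, none of which is referenced elsewhere in the recipe. One check before merge: with `${PTEST_PATH}` no longer created, `oe-pkgdata-util list-pkg-files podman` after the build should show no stray `/usr/lib/podman/ptest` content.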
@@ -170,16 +158,3 @@ RRECOMMENDS:${PN} += "slirp4netns \
                       kernel-module-xt-tcpudp \
                       "
 RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
-
-RDEPENDS:${PN}-ptest += " \
-	bash \
-	bats \
-	buildah \
-	coreutils \
-	file \
-	gnupg \
-	jq \
-	make \
-	skopeo \
-	tar \
-"
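Review bot: this hunk silently drops the only place the recipe pulled in `bats`, `buildah`, `skopeo`, `gnupg` and `jq`: they were runtime dependencies of the ptest package, not of podman itself, so a walnascar image that got skopeo or buildah only via `podman-ptest` will lose them. Worth a sentence in the commit message.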
-- 
2.40.0




* [meta-virtualization][walnascar][PATCH 2/2] podman: fix CVE-2025-9566
  2025-10-13 11:47 [meta-virtualization][walnascar][PATCH 1/2] podman: remove ptest dchellam
@ 2025-10-13 11:47 ` dchellam
  2025-10-14  1:59 ` [meta-virtualization][walnascar][PATCH 1/2] podman: remove ptest Bruce Ashfield
  1 sibling, 0 replies; 3+ messages in thread
From: dchellam @ 2025-10-13 11:47 UTC (permalink / raw)
  To: meta-virtualization

From: Divya Chellam <divya.chellam@windriver.com>

There's a vulnerability in podman where an attacker may use the kube play
command to overwrite host files when the kube file contains a Secret or
a ConfigMap volume mount and such volume contains a symbolic link to a host
file path. In a successful attack, the attacker can only control the target
file to be overwritten but not the content to be written into the file.

Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-9566

Upstream-patch:
https://github.com/containers/podman/commit/ca994186f07822b9048fe711b6903e51614d3e15

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
 .../podman/podman/CVE-2025-9566.patch         | 152 ++++++++++++++++++
 recipes-containers/podman/podman_git.bb       |   1 +
 2 files changed, 153 insertions(+)
 create mode 100644 recipes-containers/podman/podman/CVE-2025-9566.patch

diff --git a/recipes-containers/podman/podman/CVE-2025-9566.patch b/recipes-containers/podman/podman/CVE-2025-9566.patch
new file mode 100644
index 00000000..7e5cbe8b
--- /dev/null
+++ b/recipes-containers/podman/podman/CVE-2025-9566.patch
@@ -0,0 +1,152 @@
+From ca994186f07822b9048fe711b6903e51614d3e15 Mon Sep 17 00:00:00 2001
+From: Paul Holzinger <pholzing@redhat.com>
+Date: Fri, 29 Aug 2025 15:39:38 +0200
+Subject: [PATCH] kube play: don't follow volume symlinks onto the host
+
+For ConfigMap and Secret kube play volumes podman populates the data
+from the yaml. However the volume content is not controlled by us and we
+can be tricked following a symlink to a file on the host instead.
+
+Fixes: CVE-2025-9566
+
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+(cherry picked from commit 43fbde4e665fe6cee6921868f04b7ccd3de5ad89)
+Signed-off-by: Paul Holzinger <pholzing@redhat.com>
+
+CVE: CVE-2025-9566
+
+Upstream-Status: Backport [https://github.com/containers/podman/commit/ca994186f07822b9048fe711b6903e51614d3e15]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ pkg/domain/infra/abi/play.go             |  5 ++-
+ pkg/domain/infra/abi/play_linux.go       | 18 +++++++++++
+ pkg/domain/infra/abi/play_unsupported.go | 13 ++++++++
+ pkg/domain/infra/abi/play_utils.go       | 39 +++++++++++++++++++++++-
+ 4 files changed, 71 insertions(+), 4 deletions(-)
+ create mode 100644 pkg/domain/infra/abi/play_linux.go
+ create mode 100644 pkg/domain/infra/abi/play_unsupported.go
+
+diff --git a/pkg/domain/infra/abi/play.go b/pkg/domain/infra/abi/play.go
+index 6ffbf4cf54..2fa2752d7c 100644
+--- a/pkg/domain/infra/abi/play.go
++++ b/pkg/domain/infra/abi/play.go
+@@ -808,8 +808,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
+ 			defaultMode := v.DefaultMode
+ 			// Create files and add data to the volume mountpoint based on the Items in the volume
+ 			for k, v := range v.Items {
+-				dataPath := filepath.Join(mountPoint, k)
+-				f, err := os.Create(dataPath)
++				f, err := openPathSafely(mountPoint, k)
+ 				if err != nil {
+ 					return nil, nil, fmt.Errorf("cannot create file %q at volume mountpoint %q: %w", k, mountPoint, err)
+ 				}
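Review bot: `openPathSafely(mountPoint, k)` replaces the only visible use of `filepath.Join` in this file; if it was the only use, the `path/filepath` import in play.go is now unused and the backport will not compile on the v5.4 tree (upstream may have other uses the hunk does not show). Please confirm with a build. Also note the behaviour change: an item key containing `/` used to be joined into a subpath and created, and now fails with `name %q must not contain path separator`, wrapped by the unchanged `cannot create file %q at volume mountpoint %q` message.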
+@@ -819,7 +818,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
+ 					return nil, nil, err
+ 				}
+ 				// Set file permissions
+-				if err := os.Chmod(f.Name(), os.FileMode(defaultMode)); err != nil {
++				if err := f.Chmod(os.FileMode(defaultMode)); err != nil {
+ 					return nil, nil, err
+ 				}
+ 			}
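Review bot: switching to `f.Chmod()` is required, not cosmetic: `openPathSafely` returns `os.NewFile(fd, unsafeName)`, so `f.Name()` is now the bare item name rather than a path, and `os.Chmod(f.Name(), ...)` would have chmod'ed a file relative to the process cwd (or failed). Any other `f.Name()` use between the two hunks, for example in the write error path the hunk does not show, needs the same treatment.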
+diff --git a/pkg/domain/infra/abi/play_linux.go b/pkg/domain/infra/abi/play_linux.go
+new file mode 100644
+index 0000000000..a0f9811516
+--- /dev/null
++++ b/pkg/domain/infra/abi/play_linux.go
+@@ -0,0 +1,18 @@
++//go:build !remote
++
++package abi
++
++import (
++	"os"
++
++	securejoin "github.com/cyphar/filepath-securejoin"
++)
++
++// openSymlinkPath opens the path under root using securejoin.OpenatInRoot().
++func openSymlinkPath(root *os.File, unsafePath string, flags int) (*os.File, error) {
++	file, err := securejoin.OpenatInRoot(root, unsafePath)
++	if err != nil {
++		return nil, err
++	}
++	return securejoin.Reopen(file, flags)
++}
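Review bot: `securejoin.OpenatInRoot` and `securejoin.Reopen` only exist in newer filepath-securejoin releases; the backport lands on the `v5.4` tree, so the vendored copy under `src/import/vendor/github.com/cyphar/filepath-securejoin` must already provide them or the build fails with an undefined symbol. Please state in the patch header which vendored version was checked. The build tag is only `!remote`; the `_linux.go` filename suffix is what restricts this file to Linux, pairing with `!linux && !remote` in play_unsupported.go. Behaviourally this path is fail-closed: a link pointing at `/etc/passwd` is resolved with the mount point as root, so it can only reach a file that exists under the volume, and a dangling link inside the volume returns an error rather than creating the target.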
+diff --git a/pkg/domain/infra/abi/play_unsupported.go b/pkg/domain/infra/abi/play_unsupported.go
+new file mode 100644
+index 0000000000..3ecbae7cc1
+--- /dev/null
++++ b/pkg/domain/infra/abi/play_unsupported.go
+@@ -0,0 +1,13 @@
++//go:build !linux && !remote
++
++package abi
++
++import (
++	"errors"
++	"os"
++)
++
++// openSymlinkPath is not supported on this platform.
++func openSymlinkPath(root *os.File, unsafePath string, flags int) (*os.File, error) {
++	return nil, errors.New("cannot safely open symlink on this platform")
++}
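Review bot: on non-Linux hosts this turns every symlinked item into a hard failure, which is the right default, but the error drops the name: `cannot safely open symlink on this platform` should include `unsafePath` (it is passed in and otherwise unused) so the user can find the offending volume entry. Style: `root` and `flags` are accepted and ignored; a one-line comment saying the signature mirrors play_linux.go would help the next reader.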
+diff --git a/pkg/domain/infra/abi/play_utils.go b/pkg/domain/infra/abi/play_utils.go
+index 7285d9c9b9..217b656997 100644
+--- a/pkg/domain/infra/abi/play_utils.go
++++ b/pkg/domain/infra/abi/play_utils.go
+@@ -2,7 +2,14 @@
+ 
+ package abi
+ 
+-import "github.com/containers/podman/v5/libpod/define"
++import (
++	"fmt"
++	"os"
++	"strings"
++
++	"github.com/containers/podman/v5/libpod/define"
++	"golang.org/x/sys/unix"
++)
+ 
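Review bot: `golang.org/x/sys/unix` has no Windows implementation, so this file must only build for the `abi` (non-remote) engine; the hidden first line of play_utils.go at `@@ -2,7` should be the `//go:build !remote` constraint that guarantees it. `unix.Openat`, `unix.O_CLOEXEC` and `unix.ELOOP` have been in x/sys for years, so the vendored version in the v5.4 tree is unlikely to be a problem, but a build confirms it.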
+ // getSdNotifyMode returns the `sdNotifyAnnotation/$name` for the specified
+ // name. If name is empty, it'll only look for `sdNotifyAnnotation`.
+@@ -16,3 +23,33 @@ func getSdNotifyMode(annotations map[string]string, name string) (string, error)
+ 	}
+ 	return mode, define.ValidateSdNotifyMode(mode)
+ }
++
++// openPathSafely opens the given name under the trusted root path, the unsafeName
++// must be a single path component and not contain "/".
++// The resulting path will be opened or created if it does not exists.
++// Following of symlink is done within staying under root, escapes outsides
++// of root are not allowed and prevent.
++//
++// This custom function is needed because securejoin.SecureJoin() is not race safe
++// and the volume might be mounted in another container that could swap in a symlink
++// after the function ahs run. securejoin.OpenInRoot() doesn't work either because
++// it cannot create files and doesn't work on freebsd.
++func openPathSafely(root, unsafeName string) (*os.File, error) {
++	if strings.Contains(unsafeName, "/") {
++		return nil, fmt.Errorf("name %q must not contain path separator", unsafeName)
++	}
++	fdDir, err := os.OpenFile(root, unix.O_RDONLY, 0)
++	if err != nil {
++		return nil, err
++	}
++	defer fdDir.Close()
++	flags := unix.O_CREAT | unix.O_WRONLY | unix.O_TRUNC | unix.O_CLOEXEC
++	fd, err := unix.Openat(int(fdDir.Fd()), unsafeName, flags|unix.O_NOFOLLOW, 0o644)
++	if err == nil {
++		return os.NewFile(uintptr(fd), unsafeName), nil
++	}
++	if err == unix.ELOOP {
++		return openSymlinkPath(fdDir, unsafeName, flags)
++	}
++	return nil, &os.PathError{Op: "openat", Path: unsafeName, Err: err}
++}
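Review bot: two points on the new helper. First, the file is created with mode `0o644` and the caller only narrows it to `defaultMode` after the data has been written, so a Secret item is world-readable on the host filesystem for the duration of the write; creating with `0o600` and letting the later `f.Chmod` widen it closes that window at no cost. Second, the `/` check is the only name validation: `""`, `.` and `..` are left to the kernel (`openat` with `O_CREAT|O_WRONLY` returns `ENOENT` or `EISDIR` for them, so they are safe but the error is cryptic); an explicit rejection would mirror the separator check. Minor: `err == unix.ELOOP` works because `Openat` returns a bare `syscall.Errno`, but `errors.Is(err, unix.ELOOP)` is the idiomatic form, and the doc comment has typos (`exists` for `exist`, `ahs` for `has`, `prevent` for `prevented`).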
+-- 
+2.40.0
+
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index a83764fc..fc7a01d2 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -21,6 +21,7 @@ SRC_URI = " \
     git://github.com/containers/libpod.git;branch=v5.4;protocol=https;destsuffix=${GO_SRCURI_DESTSUFFIX} \
     ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://50-podman-rootless.conf', '', d)} \
     file://CVE-2025-6032.patch;patchdir=src/import \
+    file://CVE-2025-9566.patch;patchdir=src/import \
 "
 
 LICENSE = "Apache-2.0"
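Review bot: the entry follows the existing `;patchdir=src/import` pattern, and the patch carries `CVE: CVE-2025-9566` plus an `Upstream-Status: Backport` line, so cve-check will mark the CVE as patched without a CVE_STATUS entry. The commit message's `Upstream-version-fixed: v5.6.1` is worth keeping next to the recipe's `branch=v5.4`, since it tells the reader why a backport rather than a version bump is used.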
-- 
2.40.0



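The symlink redirection the commit message above describes, shown as a runnable Linux-only Go program. This is an added example, not code from the patch, from podman or from the meta-virtualization recipe: `writeUnsafe` reproduces the pre-fix `os.Create(filepath.Join(mountPoint, k))`, `writeNoFollow` reproduces the `openat(..., O_NOFOLLOW)` fast path of the new `openPathSafely` (the ELOOP fallback into filepath-securejoin is left out; this version simply refuses symlinks, and it creates the file `0o600` rather than the patch's `0o644`), and `Demo` builds a throwaway volume directory with an attacker-planted symlink pointing at a file outside it. All paths, item names and file contents are constructed for the demonstration; `Demo`, `ItemWriter` and `IsSymlinkRefused` are helper names chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ItemWriter writes one ConfigMap/Secret item into a volume directory.
type ItemWriter func(mountPoint, name string, data []byte) error

// writeUnsafe mirrors the pre-fix code path: os.Create follows a symlink at
// the final component, so a link planted in the volume redirects the write
// to whatever it points at on the host.
func writeUnsafe(mountPoint, name string, data []byte) error {
	f, err := os.Create(filepath.Join(mountPoint, name))
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// writeNoFollow mirrors the fast path of the fixed openPathSafely(): the name
// must be a single component, the directory is opened first, and the item is
// opened relative to it with O_NOFOLLOW, so a symlink yields ELOOP instead of
// being followed. Mode 0o600 keeps secret data private while it is written.
func writeNoFollow(mountPoint, name string, data []byte) error {
	if strings.Contains(name, "/") {
		return fmt.Errorf("name %q must not contain path separator", name)
	}
	dir, err := os.Open(mountPoint)
	if err != nil {
		return err
	}
	defer dir.Close()
	flags := syscall.O_CREAT | syscall.O_WRONLY | syscall.O_TRUNC |
		syscall.O_CLOEXEC | syscall.O_NOFOLLOW
	fd, err := syscall.Openat(int(dir.Fd()), name, flags, 0o600)
	if err != nil {
		return &os.PathError{Op: "openat", Path: name, Err: err}
	}
	f := os.NewFile(uintptr(fd), name)
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// IsSymlinkRefused reports whether a writer error is the ELOOP that
// O_NOFOLLOW produces when the final component is a symbolic link.
func IsSymlinkRefused(err error) bool {
	return errors.Is(err, syscall.ELOOP)
}

// Demo creates a throwaway "host" file and a volume directory whose item
// "config" is a symlink to that file (constructed attacker-controlled volume
// content), runs write() the way kube play populates the item, and returns
// the host file's content afterwards together with the writer's error.
func Demo(write ItemWriter) (hostContent string, writeErr error, err error) {
	tmp, err := os.MkdirTemp("", "cve-2025-9566-demo-")
	if err != nil {
		return "", nil, err
	}
	defer os.RemoveAll(tmp)

	host := filepath.Join(tmp, "host-file") // stands in for any file podman may write
	if err := os.WriteFile(host, []byte("original host content\n"), 0o600); err != nil {
		return "", nil, err
	}
	vol := filepath.Join(tmp, "volume")
	if err := os.Mkdir(vol, 0o700); err != nil {
		return "", nil, err
	}
	// The item name resolves to a link that leaves the volume.
	if err := os.Symlink(host, filepath.Join(vol, "config")); err != nil {
		return "", nil, err
	}

	writeErr = write(vol, "config", []byte("attacker-chosen target, podman-chosen content\n"))

	b, err := os.ReadFile(host)
	if err != nil {
		return "", writeErr, err
	}
	return string(b), writeErr, nil
}

func main() {
	for _, fn := range []ItemWriter{writeUnsafe, writeNoFollow} {
		content, werr, err := Demo(fn)
		if err != nil {
			fmt.Println("setup failed:", err)
			os.Exit(1)
		}
		fmt.Printf("write error: %v; host file now: %q\n", werr, content)
	}
}
```

Running it prints two lines: the vulnerable writer reports no error and the host file now holds podman's content, which is exactly the "attacker controls the target, not the content" outcome the commit message describes; the O_NOFOLLOW writer fails with `too many levels of symbolic links` and the host file is untouched.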

* Re: [meta-virtualization][walnascar][PATCH 1/2] podman: remove ptest
  2025-10-13 11:47 [meta-virtualization][walnascar][PATCH 1/2] podman: remove ptest dchellam
  2025-10-13 11:47 ` [meta-virtualization][walnascar][PATCH 2/2] podman: fix CVE-2025-9566 dchellam
@ 2025-10-14  1:59 ` Bruce Ashfield
  1 sibling, 0 replies; 3+ messages in thread
From: Bruce Ashfield @ 2025-10-14  1:59 UTC (permalink / raw)
  To: Divya.Chellam; +Cc: meta-virtualization

The tests don't do anything, but shouldn't actually break a build, etc.

As such, I don't think we really need to backport this to walnascar.

I've grabbed the CVE fix though.

Bruce


In message: [meta-virtualization][walnascar][PATCH 1/2] podman: remove ptest
on 13/10/2025 dchellam via lists.yoctoproject.org wrote:




