update to 3.4.4

2022-07-05 16:28:52 +08:00 · 2022-07-05 16:28:52 +08:00 · 011702f40c
commit 011702f40c
parent a56c194d4d
14 changed files with 283 additions and 1493 deletions
--- a/0001-Fix-the-invalid-memory-address-reference.patch
+++ b/0001-Fix-the-invalid-memory-address-reference.patch
@ -11,20 +11,20 @@ diff --git a/libpod/stats.go b/libpod/stats.go
 index c58a461..97a2169 100644
 --- a/libpod/stats.go
 +++ b/libpod/stats.go
-@@ -57,9 +57,11 @@ func (c *Container) GetContainerStats(previousStats *ContainerStats) (*Container
+@@ -68,9 +68,11 @@
- 	previousCPU := previousStats.CPUNano
+ 	stats.CPU = calculateCPUPercent(cgroupStats, previousCPU, now, previousStats.SystemNano)
- 	previousSystem := previousStats.SystemNano
+ 	stats.AvgCPU = calculateAvgCPU(stats.CPU, previousStats.AvgCPU, previousStats.DataPoints)
- 	stats.CPU = calculateCPUPercent(cgroupStats, previousCPU, previousSystem)
+ 	stats.DataPoints = previousStats.DataPoints + 1
 -	stats.MemUsage = cgroupStats.Memory.Usage.Usage
-	stats.MemLimit = getMemLimit(cgroupStats.Memory.Usage.Limit)
+-	stats.MemLimit = c.getMemLimit()
 -	stats.MemPerc = (float64(stats.MemUsage) / float64(stats.MemLimit)) * 100
-+    if cgroupStats.Memory != nil {
+	if cgroupStats.Memory != (cgroups.MemoryMetrics{}){
 +		stats.MemUsage = cgroupStats.Memory.Usage.Usage
-+	    stats.MemLimit = getMemLimit(cgroupStats.Memory.Usage.Limit)
+		stats.MemLimit = c.getMemLimit()
 +		stats.MemPerc = (float64(stats.MemUsage) / float64(stats.MemLimit)) * 100
 +	}
 	stats.PIDs = 0
- 	if conState == ContainerStateRunning {
+ 	if conState == define.ContainerStateRunning || conState == define.ContainerStatePaused {
 		stats.PIDs = cgroupStats.Pids.Current
 -- 
 2.23.0
--- a/0001-podman-patch-for-local-search.patch
+++ b/0001-podman-patch-for-local-search.patch
@ -1,24 +0,0 @@
 From 40aabbc1707bfb6ed0a0bb01bc356a16efae8b4e Mon Sep 17 00:00:00 2001
 From: weishengjing1 <773945074@qq.com>
 Date: Sat, 9 Jan 2021 10:09:27 +0800
 Subject: [PATCH] patch for podman pull (issue I2BF99)
 ---
 libpod.conf | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/libpod.conf b/libpod.conf
 index 2976cec..4001d21 100644
 --- a/libpod.conf
 +++ b/libpod.conf
@@ -7,6 +7,7 @@ image_default_transport = "docker://"
 # Paths to look for a valid OCI runtime (runc, runv, etc)
 runtime_path = [
 	     "/usr/bin/runc",
 +	     "/usr/local/bin/runc",
 	     "/usr/sbin/runc",
 	     "/sbin/runc",
 	     "/bin/runc",
 -- 
 2.27.0
--- a/0002-add-openEuler-hardened-ld.patch
+++ b/0002-add-openEuler-hardened-ld.patch
@ -0,0 +1,7 @@
 diff -Naru podman-3.4.4/openEuler-hardened-ld podman-3.4.4-new/openEuler-hardened-ld
 --- podman-3.4.4/openEuler-hardened-ld	1970-01-01 08:00:00.000000000 +0800
 +++ podman-3.4.4-new/openEuler-hardened-ld	2022-07-01 16:50:11.640052823 +0800
@@ -0,0 +1,3 @@
 +*self_spec:
 ++ %{!static:%{!shared:%{!r:-pie}}}
 +
--- a/0003-eat-signal-23-in-signal-proxy.patch
+++ b/0003-eat-signal-23-in-signal-proxy.patch
@ -1,29 +0,0 @@
 From 7bb9c6b9d1f195391f50047447b8caec404b5c2a Mon Sep 17 00:00:00 2001
 From: maminjie <maminjie1@huawei.com>
 Date: Wed, 31 Mar 2021 11:22:39 +0800
 Subject: [PATCH] eat signal 23 in signal proxy
 reference to: https://github.com/containers/podman/pull/5496
 ---
 cmd/podman/sigproxy.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/cmd/podman/sigproxy.go b/cmd/podman/sigproxy.go
 index 16861ba..9bb104d 100644
 --- a/cmd/podman/sigproxy.go
 +++ b/cmd/podman/sigproxy.go
@@ -19,7 +19,10 @@ func ProxySignals(ctr *libpod.Container) {
 		for s := range sigBuffer {
 			// Ignore SIGCHLD and SIGPIPE - these are mostly likely
 			// intended for the podman command itself.
 -			if s == signal.SIGCHLD || s == signal.SIGPIPE {
 +			// SIGURG was added because of golang 1.14 and its preemptive changes
 +			// causing more signals to "show up".
 +			// https://github.com/containers/libpod/issues/5483
 +			if s == syscall.SIGCHLD || s == syscall.SIGPIPE || s == syscall.SIGURG {
 				continue
 			}
 -- 
 2.23.0
--- a/CVE-2021-20188-PRE1.patch
+++ b/CVE-2021-20188-PRE1.patch
@ -1,371 +0,0 @@
 From 6246942d377bd9ed665a4ac448120352454dd83d Mon Sep 17 00:00:00 2001
 From: baude <bbaude@redhat.com>
 Date: Wed, 24 Oct 2018 10:39:12 -0500
 Subject: [PATCH] Increase security and performance when looking up groups
 We implement the securejoin method to make sure the paths to /etc/passwd and
 /etc/group are not symlinks to something naughty or outside the container
 image. And then instead of actually chrooting, we use the runc functions to
 get information about a user.  The net result is increased security and
 a a performance gain from 41ms to 100us.
 Signed-off-by: baude <bbaude@redhat.com>
 ---
 libpod/container_internal_linux.go            |  26 +++-
 .../cyphar/filepath-securejoin/LICENSE        |  28 ++++
 .../cyphar/filepath-securejoin/README.md      |  65 +++++++++
 .../cyphar/filepath-securejoin/join.go        | 134 ++++++++++++++++++
 .../cyphar/filepath-securejoin/vendor.conf    |   1 +
 .../cyphar/filepath-securejoin/vfs.go         |  41 ++++++
 6 files changed, 291 insertions(+), 4 deletions(-)
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/LICENSE
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/README.md
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/join.go
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/vendor.conf
 create mode 100644 vendor/github.com/cyphar/filepath-securejoin/vfs.go
 diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
 index b25645e5cc0..5a6b72580d5 100644
 --- a/libpod/container_internal_linux.go
 +++ b/libpod/container_internal_linux.go
@@ -21,6 +21,8 @@ import (
 	"github.com/containers/libpod/pkg/chrootuser"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/storage/pkg/idtools"
 +	"github.com/cyphar/filepath-securejoin"
 +	"github.com/opencontainers/runc/libcontainer/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
@@ -197,12 +199,28 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	// Look up and add groups the user belongs to, if a group wasn't directly specified
 	if !rootless.IsRootless() && !strings.Contains(c.config.User, ":") {
 -		groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Config.Process.User.UID))
 -		if err != nil && errors.Cause(err) != chrootuser.ErrNoSuchUser {
 +		var groupDest, passwdDest string
 +		defaultExecUser := user.ExecUser{
 +			Uid:  0,
 +			Gid:  0,
 +			Home: "/",
 +		}
 +
 +		// Make sure the /etc/group  and /etc/passwd destinations are not a symlink to something naughty
 +		if groupDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/group"); err != nil {
 +			logrus.Debug(err)
 			return nil, err
 		}
 -		for _, gid := range groups {
 -			g.AddProcessAdditionalGid(gid)
 +		if passwdDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd"); err != nil {
 +			logrus.Debug(err)
 +			return nil, err
 +		}
 +		execUser, err := user.GetExecUserPath(c.config.User, &defaultExecUser, passwdDest, groupDest)
 +		if err != nil {
 +			return nil, err
 +		}
 +		for _, gid := range execUser.Sgids {
 +			g.AddProcessAdditionalGid(uint32(gid))
 		}
 	}
 diff --git a/vendor/github.com/cyphar/filepath-securejoin/LICENSE b/vendor/github.com/cyphar/filepath-securejoin/LICENSE
 new file mode 100644
 index 00000000000..bec842f294f
 --- /dev/null
 +++ b/vendor/github.com/cyphar/filepath-securejoin/LICENSE
@@ -0,0 +1,28 @@
 +Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
 +Copyright (C) 2017 SUSE LLC. All rights reserved.
 +
 +Redistribution and use in source and binary forms, with or without
 +modification, are permitted provided that the following conditions are
 +met:
 +
 +   * Redistributions of source code must retain the above copyright
 +notice, this list of conditions and the following disclaimer.
 +   * Redistributions in binary form must reproduce the above
 +copyright notice, this list of conditions and the following disclaimer
 +in the documentation and/or other materials provided with the
 +distribution.
 +   * Neither the name of Google Inc. nor the names of its
 +contributors may be used to endorse or promote products derived from
 +this software without specific prior written permission.
 +
 +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 diff --git a/vendor/github.com/cyphar/filepath-securejoin/README.md b/vendor/github.com/cyphar/filepath-securejoin/README.md
 new file mode 100644
 index 00000000000..49b2baa9f35
 --- /dev/null
 +++ b/vendor/github.com/cyphar/filepath-securejoin/README.md
@@ -0,0 +1,65 @@
 +## `filepath-securejoin` ##
 +
 +[![Build Status](https://travis-ci.org/cyphar/filepath-securejoin.svg?branch=master)](https://travis-ci.org/cyphar/filepath-securejoin)
 +
 +An implementation of `SecureJoin`, a [candidate for inclusion in the Go
 +standard library][go#20126]. The purpose of this function is to be a "secure"
 +alternative to `filepath.Join`, and in particular it provides certain
 +guarantees that are not provided by `filepath.Join`.
 +
 +This is the function prototype:
 +
 +```go
 +func SecureJoin(root, unsafePath string) (string, error)
 +```
 +
 +This library **guarantees** the following:
 +
 +* If no error is set, the resulting string **must** be a child path of
 +  `SecureJoin` and will not contain any symlink path components (they will all
 +  be expanded).
 +
 +* When expanding symlinks, all symlink path components **must** be resolved
 +  relative to the provided root. In particular, this can be considered a
 +  userspace implementation of how `chroot(2)` operates on file paths. Note that
 +  these symlinks will **not** be expanded lexically (`filepath.Clean` is not
 +  called on the input before processing).
 +
 +* Non-existant path components are unaffected by `SecureJoin` (similar to
 +  `filepath.EvalSymlinks`'s semantics).
 +
 +* The returned path will always be `filepath.Clean`ed and thus not contain any
 +  `..` components.
 +
 +A (trivial) implementation of this function on GNU/Linux systems could be done
 +with the following (note that this requires root privileges and is far more
 +opaque than the implementation in this library, and also requires that
 +`readlink` is inside the `root` path):
 +
 +```go
 +package securejoin
 +
 +import (
 +	"os/exec"
 +	"path/filepath"
 +)
 +
 +func SecureJoin(root, unsafePath string) (string, error) {
 +	unsafePath = string(filepath.Separator) + unsafePath
 +	cmd := exec.Command("chroot", root,
 +		"readlink", "--canonicalize-missing", "--no-newline", unsafePath)
 +	output, err := cmd.CombinedOutput()
 +	if err != nil {
 +		return "", err
 +	}
 +	expanded := string(output)
 +	return filepath.Join(root, expanded), nil
 +}
 +```
 +
 +[go#20126]: https://github.com/golang/go/issues/20126
 +
 +### License ###
 +
 +The license of this project is the same as Go, which is a BSD 3-clause license
 +available in the `LICENSE` file.
 diff --git a/vendor/github.com/cyphar/filepath-securejoin/join.go b/vendor/github.com/cyphar/filepath-securejoin/join.go
 new file mode 100644
 index 00000000000..c4ca3d71300
 --- /dev/null
 +++ b/vendor/github.com/cyphar/filepath-securejoin/join.go
@@ -0,0 +1,134 @@
 +// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
 +// Copyright (C) 2017 SUSE LLC. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
 +// Package securejoin is an implementation of the hopefully-soon-to-be-included
 +// SecureJoin helper that is meant to be part of the "path/filepath" package.
 +// The purpose of this project is to provide a PoC implementation to make the
 +// SecureJoin proposal (https://github.com/golang/go/issues/20126) more
 +// tangible.
 +package securejoin
 +
 +import (
 +	"bytes"
 +	"os"
 +	"path/filepath"
 +	"strings"
 +	"syscall"
 +
 +	"github.com/pkg/errors"
 +)
 +
 +// ErrSymlinkLoop is returned by SecureJoinVFS when too many symlinks have been
 +// evaluated in attempting to securely join the two given paths.
 +var ErrSymlinkLoop = errors.Wrap(syscall.ELOOP, "secure join")
 +
 +// IsNotExist tells you if err is an error that implies that either the path
 +// accessed does not exist (or path components don't exist). This is
 +// effectively a more broad version of os.IsNotExist.
 +func IsNotExist(err error) bool {
 +	// If it's a bone-fide ENOENT just bail.
 +	if os.IsNotExist(errors.Cause(err)) {
 +		return true
 +	}
 +
 +	// Check that it's not actually an ENOTDIR, which in some cases is a more
 +	// convoluted case of ENOENT (usually involving weird paths).
 +	var errno error
 +	switch err := errors.Cause(err).(type) {
 +	case *os.PathError:
 +		errno = err.Err
 +	case *os.LinkError:
 +		errno = err.Err
 +	case *os.SyscallError:
 +		errno = err.Err
 +	}
 +	return errno == syscall.ENOTDIR || errno == syscall.ENOENT
 +}
 +
 +// SecureJoinVFS joins the two given path components (similar to Join) except
 +// that the returned path is guaranteed to be scoped inside the provided root
 +// path (when evaluated). Any symbolic links in the path are evaluated with the
 +// given root treated as the root of the filesystem, similar to a chroot. The
 +// filesystem state is evaluated through the given VFS interface (if nil, the
 +// standard os.* family of functions are used).
 +//
 +// Note that the guarantees provided by this function only apply if the path
 +// components in the returned string are not modified (in other words are not
 +// replaced with symlinks on the filesystem) after this function has returned.
 +// Such a symlink race is necessarily out-of-scope of SecureJoin.
 +func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {
 +	// Use the os.* VFS implementation if none was specified.
 +	if vfs == nil {
 +		vfs = osVFS{}
 +	}
 +
 +	var path bytes.Buffer
 +	n := 0
 +	for unsafePath != "" {
 +		if n > 255 {
 +			return "", ErrSymlinkLoop
 +		}
 +
 +		// Next path component, p.
 +		i := strings.IndexRune(unsafePath, filepath.Separator)
 +		var p string
 +		if i == -1 {
 +			p, unsafePath = unsafePath, ""
 +		} else {
 +			p, unsafePath = unsafePath[:i], unsafePath[i+1:]
 +		}
 +
 +		// Create a cleaned path, using the lexical semantics of /../a, to
 +		// create a "scoped" path component which can safely be joined to fullP
 +		// for evaluation. At this point, path.String() doesn't contain any
 +		// symlink components.
 +		cleanP := filepath.Clean(string(filepath.Separator) + path.String() + p)
 +		if cleanP == string(filepath.Separator) {
 +			path.Reset()
 +			continue
 +		}
 +		fullP := filepath.Clean(root + cleanP)
 +
 +		// Figure out whether the path is a symlink.
 +		fi, err := vfs.Lstat(fullP)
 +		if err != nil && !IsNotExist(err) {
 +			return "", err
 +		}
 +		// Treat non-existent path components the same as non-symlinks (we
 +		// can't do any better here).
 +		if IsNotExist(err) || fi.Mode()&os.ModeSymlink == 0 {
 +			path.WriteString(p)
 +			path.WriteRune(filepath.Separator)
 +			continue
 +		}
 +
 +		// Only increment when we actually dereference a link.
 +		n++
 +
 +		// It's a symlink, expand it by prepending it to the yet-unparsed path.
 +		dest, err := vfs.Readlink(fullP)
 +		if err != nil {
 +			return "", err
 +		}
 +		// Absolute symlinks reset any work we've already done.
 +		if filepath.IsAbs(dest) {
 +			path.Reset()
 +		}
 +		unsafePath = dest + string(filepath.Separator) + unsafePath
 +	}
 +
 +	// We have to clean path.String() here because it may contain '..'
 +	// components that are entirely lexical, but would be misleading otherwise.
 +	// And finally do a final clean to ensure that root is also lexically
 +	// clean.
 +	fullP := filepath.Clean(string(filepath.Separator) + path.String())
 +	return filepath.Clean(root + fullP), nil
 +}
 +
 +// SecureJoin is a wrapper around SecureJoinVFS that just uses the os.* library
 +// of functions as the VFS. If in doubt, use this function over SecureJoinVFS.
 +func SecureJoin(root, unsafePath string) (string, error) {
 +	return SecureJoinVFS(root, unsafePath, nil)
 +}
 diff --git a/vendor/github.com/cyphar/filepath-securejoin/vendor.conf b/vendor/github.com/cyphar/filepath-securejoin/vendor.conf
 new file mode 100644
 index 00000000000..66bb574b955
 --- /dev/null
 +++ b/vendor/github.com/cyphar/filepath-securejoin/vendor.conf
@@ -0,0 +1 @@
 +github.com/pkg/errors v0.8.0
 diff --git a/vendor/github.com/cyphar/filepath-securejoin/vfs.go b/vendor/github.com/cyphar/filepath-securejoin/vfs.go
 new file mode 100644
 index 00000000000..a82a5eae11e
 --- /dev/null
 +++ b/vendor/github.com/cyphar/filepath-securejoin/vfs.go
@@ -0,0 +1,41 @@
 +// Copyright (C) 2017 SUSE LLC. All rights reserved.
 +// Use of this source code is governed by a BSD-style
 +// license that can be found in the LICENSE file.
 +
 +package securejoin
 +
 +import "os"
 +
 +// In future this should be moved into a separate package, because now there
 +// are several projects (umoci and go-mtree) that are using this sort of
 +// interface.
 +
 +// VFS is the minimal interface necessary to use SecureJoinVFS. A nil VFS is
 +// equivalent to using the standard os.* family of functions. This is mainly
 +// used for the purposes of mock testing, but also can be used to otherwise use
 +// SecureJoin with VFS-like system.
 +type VFS interface {
 +	// Lstat returns a FileInfo describing the named file. If the file is a
 +	// symbolic link, the returned FileInfo describes the symbolic link. Lstat
 +	// makes no attempt to follow the link. These semantics are identical to
 +	// os.Lstat.
 +	Lstat(name string) (os.FileInfo, error)
 +
 +	// Readlink returns the destination of the named symbolic link. These
 +	// semantics are identical to os.Readlink.
 +	Readlink(name string) (string, error)
 +}
 +
 +// osVFS is the "nil" VFS, in that it just passes everything through to the os
 +// module.
 +type osVFS struct{}
 +
 +// Lstat returns a FileInfo describing the named file. If the file is a
 +// symbolic link, the returned FileInfo describes the symbolic link. Lstat
 +// makes no attempt to follow the link. These semantics are identical to
 +// os.Lstat.
 +func (o osVFS) Lstat(name string) (os.FileInfo, error) { return os.Lstat(name) }
 +
 +// Readlink returns the destination of the named symbolic link. These
 +// semantics are identical to os.Readlink.
 +func (o osVFS) Readlink(name string) (string, error) { return os.Readlink(name) }
--- a/CVE-2021-20188-PRE2.patch
+++ b/CVE-2021-20188-PRE2.patch
@ -1,388 +0,0 @@
 From 1dd7f13dfbc1dd377eabace0239b1c05cd60b144 Mon Sep 17 00:00:00 2001
 From: baude <bbaude@redhat.com>
 Date: Thu, 25 Oct 2018 13:39:25 -0500
 Subject: [PATCH] get user and group information using securejoin and runc's
 user library
 for the purposes of performance and security, we use securejoin to contstruct
 the root fs's path so that symlinks are what they appear to be and no pointing
 to something naughty.
 then instead of chrooting to parse /etc/passwd|/etc/group, we now use the runc user/group
 methods which saves us quite a bit of performance.
 Signed-off-by: baude <bbaude@redhat.com>
 ---
 libpod/container_api.go            |   8 +-
 libpod/container_internal.go       |  56 ++++++-----
 libpod/container_internal_linux.go |  44 ++------
 pkg/lookup/lookup.go               | 156 +++++++++++++++++++++++++++++
 4 files changed, 201 insertions(+), 63 deletions(-)
 create mode 100644 pkg/lookup/lookup.go
 diff --git a/libpod/container_api.go b/libpod/container_api.go
 index 41a131ea212..83f93cf9eb6 100644
 --- a/libpod/container_api.go
 +++ b/libpod/container_api.go
@@ -10,8 +10,8 @@ import (
 	"time"
 	"github.com/containers/libpod/libpod/driver"
 -	"github.com/containers/libpod/pkg/chrootuser"
 	"github.com/containers/libpod/pkg/inspect"
 +	"github.com/containers/libpod/pkg/lookup"
 	"github.com/containers/storage/pkg/stringid"
 	"github.com/docker/docker/daemon/caps"
 	"github.com/pkg/errors"
@@ -292,13 +292,13 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
 	// the host
 	hostUser := ""
 	if user != "" {
 -		uid, gid, err := chrootuser.GetUser(c.state.Mountpoint, user)
 +		execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
 		if err != nil {
 -			return errors.Wrapf(err, "error getting user to launch exec session as")
 +			return err
 		}
 		// runc expects user formatted as uid:gid
 -		hostUser = fmt.Sprintf("%d:%d", uid, gid)
 +		hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
 	}
 	// Generate exec session ID
 diff --git a/libpod/container_internal.go b/libpod/container_internal.go
 index 2af216358b4..d928c4aedd5 100644
 --- a/libpod/container_internal.go
 +++ b/libpod/container_internal.go
@@ -12,9 +13,9 @@ import (
 	"strings"
 	"syscall"
 -	"github.com/containers/libpod/pkg/chrootuser"
 	"github.com/containers/libpod/pkg/hooks"
 	"github.com/containers/libpod/pkg/hooks/exec"
 +	"github.com/containers/libpod/pkg/lookup"
 	"github.com/containers/libpod/pkg/resolvconf"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/secrets"
@@ -1094,6 +1095,7 @@ func (c *Container) generateHosts() (str
 }
 func (c *Container) addLocalVolumes(ctx context.Context, g *generate.Generator) error {
 +	var uid, gid int
 	mountPoint := c.state.Mountpoint
 	if !c.state.Mounted {
 		return errors.Wrapf(ErrInternal, "container is not mounted")
@@ -1117,6 +1119,18 @@ func (c *Container) addLocalVolumes(ctx
 		}
 	}
 +	if c.config.User != "" {
 +		if !c.state.Mounted {
 +			return errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to translate User field", c.ID())
 +		}
 +		execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, nil)
 +		if err != nil {
 +			return err
 +		}
 +		uid = execUser.Uid
 +		gid = execUser.Gid
 +	}
 +
 	for k := range imageData.ContainerConfig.Volumes {
 		mount := spec.Mount{
 			Destination: k,
@@ -1129,27 +1143,13 @@ func (c *Container) addLocalVolumes(ctx
 		volumePath := filepath.Join(c.config.StaticDir, "volumes", k)
 		srcPath := filepath.Join(mountPoint, k)
 -		var (
 -			uid uint32
 -			gid uint32
 -		)
 -		if c.config.User != "" {
 -			if !c.state.Mounted {
 -				return errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to translate User field", c.ID())
 -			}
 -			uid, gid, err = chrootuser.GetUser(c.state.Mountpoint, c.config.User)
 -			if err != nil {
 -				return err
 -			}
 -		}
 -
 		if _, err := os.Stat(srcPath); os.IsNotExist(err) {
 			logrus.Infof("Volume image mount point %s does not exist in root FS, need to create it", k)
 			if err = os.MkdirAll(srcPath, 0755); err != nil {
 				return errors.Wrapf(err, "error creating directory %q for volume %q in container %q", volumePath, k, c.ID)
 			}
 -			if err = os.Chown(srcPath, int(uid), int(gid)); err != nil {
 +			if err = os.Chown(srcPath, uid, gid); err != nil {
 				return errors.Wrapf(err, "error chowning directory %q for volume %q in container %q", srcPath, k, c.ID)
 			}
 		}
@@ -1159,7 +1159,7 @@ func (c *Container) addLocalVolumes(ctx
 				return errors.Wrapf(err, "error creating directory %q for volume %q in container %q", volumePath, k, c.ID)
 			}
 -			if err = os.Chown(volumePath, int(uid), int(gid)); err != nil {
 +			if err = os.Chown(volumePath, uid, gid); err != nil {
 				return errors.Wrapf(err, "error chowning directory %q for volume %q in container %q", volumePath, k, c.ID)
 			}
 diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
 index 0a1784ba740..7bf2c71cac6 100644
 --- a/libpod/container_internal_linux.go
 +++ b/libpod/container_internal_linux.go
@@ -17,11 +17,9 @@ import (
 	cnitypes "github.com/containernetworking/cni/pkg/types/current"
 	crioAnnotations "github.com/containers/libpod/pkg/annotations"
 -	"github.com/containers/libpod/pkg/chrootuser"
 +	"github.com/containers/libpod/pkg/lookup"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/storage/pkg/idtools"
 -	"github.com/cyphar/filepath-securejoin"
 -	"github.com/opencontainers/runc/libcontainer/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
@@ -135,6 +133,10 @@ func (c *Container) cleanupNetwork() error {
 // Generate spec for a container
 // Accepts a map of the container's dependencies
 func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 +	execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, nil)
 +	if err != nil {
 +		return nil, err
 +	}
 	g := generate.NewFromSpec(c.config.Spec)
 	// If network namespace was requested, add it now
@@ -188,7 +190,6 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 		}
 	}
 -	var err error
 	if !rootless.IsRootless() {
 		if c.state.ExtensionStageHooks, err = c.setupOCIHooks(ctx, g.Config); err != nil {
 			return nil, errors.Wrapf(err, "error setting up OCI Hooks")
@@ -206,13 +207,9 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 		if !c.state.Mounted {
 			return nil, errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to translate User field", c.ID())
 		}
 -		uid, gid, err := chrootuser.GetUser(c.state.Mountpoint, c.config.User)
 -		if err != nil {
 -			return nil, err
 -		}
 		// User and Group must go together
 -		g.SetProcessUID(uid)
 -		g.SetProcessGID(gid)
 +		g.SetProcessUID(uint32(execUser.Uid))
 +		g.SetProcessGID(uint32(execUser.Gid))
 	}
 	// Add addition groups if c.config.GroupAdd is not empty
@@ -220,11 +217,8 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 		if !c.state.Mounted {
 			return nil, errors.Wrapf(ErrCtrStateInvalid, "container %s must be mounted in order to add additional groups", c.ID())
 		}
 -		for _, group := range c.config.Groups {
 -			gid, err := chrootuser.GetGroup(c.state.Mountpoint, group)
 -			if err != nil {
 -				return nil, err
 -			}
 +		gids, _ := lookup.GetContainerGroups(c.config.Groups, c.state.Mountpoint, nil)
 +		for _, gid := range gids {
 			g.AddProcessAdditionalGid(gid)
 		}
 	}
@@ -237,26 +231,6 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	// Look up and add groups the user belongs to, if a group wasn't directly specified
 	if !rootless.IsRootless() && !strings.Contains(c.config.User, ":") {
 -		var groupDest, passwdDest string
 -		defaultExecUser := user.ExecUser{
 -			Uid:  0,
 -			Gid:  0,
 -			Home: "/",
 -		}
 -
 -		// Make sure the /etc/group  and /etc/passwd destinations are not a symlink to something naughty
 -		if groupDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/group"); err != nil {
 -			logrus.Debug(err)
 -			return nil, err
 -		}
 -		if passwdDest, err = securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd"); err != nil {
 -			logrus.Debug(err)
 -			return nil, err
 -		}
 -		execUser, err := user.GetExecUserPath(c.config.User, &defaultExecUser, passwdDest, groupDest)
 -		if err != nil {
 -			return nil, err
 -		}
 		for _, gid := range execUser.Sgids {
 			g.AddProcessAdditionalGid(uint32(gid))
 		}
 diff --git a/pkg/lookup/lookup.go b/pkg/lookup/lookup.go
 new file mode 100644
 index 00000000000..b27e2a724bc
 --- /dev/null
 +++ b/pkg/lookup/lookup.go
@@ -0,0 +1,156 @@
 +package lookup
 +
 +import (
 +	"github.com/cyphar/filepath-securejoin"
 +	"github.com/opencontainers/runc/libcontainer/user"
 +	"github.com/sirupsen/logrus"
 +	"strconv"
 +)
 +
 +const (
 +	etcpasswd = "/etc/passwd"
 +	etcgroup  = "/etc/group"
 +)
 +
 +// Overrides allows you to override defaults in GetUserGroupInfo
 +type Overrides struct {
 +	DefaultUser            *user.ExecUser
 +	ContainerEtcPasswdPath string
 +	ContainerEtcGroupPath  string
 +}
 +
 +// GetUserGroupInfo takes string forms of the the container's mount path and the container user and
 +// returns a ExecUser with uid, gid, sgids, and home.  And override can be provided for defaults.
 +func GetUserGroupInfo(containerMount, containerUser string, override *Overrides) (*user.ExecUser, error) {
 +	var (
 +		passwdDest, groupDest string
 +		defaultExecUser       *user.ExecUser
 +		err                   error
 +	)
 +	passwdPath := etcpasswd
 +	groupPath := etcgroup
 +
 +	if override != nil {
 +		// Check for an override /etc/passwd path
 +		if override.ContainerEtcPasswdPath != "" {
 +			passwdPath = override.ContainerEtcPasswdPath
 +		}
 +		// Check for an override for /etc/group path
 +		if override.ContainerEtcGroupPath != "" {
 +			groupPath = override.ContainerEtcGroupPath
 +		}
 +	}
 +
 +	// Check for an override default user
 +	if override != nil && override.DefaultUser != nil {
 +		defaultExecUser = override.DefaultUser
 +	} else {
 +		// Define a default container user
 +		//defaultExecUser = &user.ExecUser{
 +		//	Uid:  0,
 +		//	Gid:  0,
 +		//	Home: "/",
 +		defaultExecUser = nil
 +
 +	}
 +
 +	// Make sure the /etc/group  and /etc/passwd destinations are not a symlink to something naughty
 +	if passwdDest, err = securejoin.SecureJoin(containerMount, passwdPath); err != nil {
 +		logrus.Debug(err)
 +		return nil, err
 +	}
 +	if groupDest, err = securejoin.SecureJoin(containerMount, groupPath); err != nil {
 +		logrus.Debug(err)
 +		return nil, err
 +	}
 +	return user.GetExecUserPath(containerUser, defaultExecUser, passwdDest, groupDest)
 +}
 +
 +// GetContainerGroups uses securejoin to get a list of numerical groupids from a container. Per the runc
 +// function it calls: If a group name cannot be found, an error will be returned. If a group id cannot be found,
 +// or the given group data is nil, the id will be returned as-is  provided it is in the legal range.
 +func GetContainerGroups(groups []string, containerMount string, override *Overrides) ([]uint32, error) {
 +	var (
 +		groupDest string
 +		err       error
 +		uintgids  []uint32
 +	)
 +
 +	groupPath := etcgroup
 +	if override != nil && override.ContainerEtcGroupPath != "" {
 +		groupPath = override.ContainerEtcGroupPath
 +	}
 +
 +	if groupDest, err = securejoin.SecureJoin(containerMount, groupPath); err != nil {
 +		logrus.Debug(err)
 +		return nil, err
 +	}
 +
 +	gids, err := user.GetAdditionalGroupsPath(groups, groupDest)
 +	if err != nil {
 +		return nil, err
 +	}
 +	// For libpod, we want []uint32s
 +	for _, gid := range gids {
 +		uintgids = append(uintgids, uint32(gid))
 +	}
 +	return uintgids, nil
 +}
 +
 +// GetUser takes a containermount path and user name or id and returns
 +// a matching User structure from /etc/passwd.  If it cannot locate a user
 +// with the provided information, an ErrNoPasswdEntries is returned.
 +func GetUser(containerMount, userIDorName string) (*user.User, error) {
 +	var inputIsName bool
 +	uid, err := strconv.Atoi(userIDorName)
 +	if err != nil {
 +		inputIsName = true
 +	}
 +	passwdDest, err := securejoin.SecureJoin(containerMount, etcpasswd)
 +	if err != nil {
 +		return nil, err
 +	}
 +	users, err := user.ParsePasswdFileFilter(passwdDest, func(u user.User) bool {
 +		if inputIsName {
 +			return u.Name == userIDorName
 +		}
 +		return u.Uid == uid
 +	})
 +	if err != nil {
 +		return nil, err
 +	}
 +	if len(users) > 0 {
 +		return &users[0], nil
 +	}
 +	return nil, user.ErrNoPasswdEntries
 +}
 +
 +// GetGroup takes ac ontainermount path and a group name or id and returns
 +// a match Group struct from /etc/group.  if it cannot locate a group,
 +// an ErrNoGroupEntries error is returned.
 +func GetGroup(containerMount, groupIDorName string) (*user.Group, error) {
 +	var inputIsName bool
 +	gid, err := strconv.Atoi(groupIDorName)
 +	if err != nil {
 +		inputIsName = true
 +	}
 +
 +	groupDest, err := securejoin.SecureJoin(containerMount, etcgroup)
 +	if err != nil {
 +		return nil, err
 +	}
 +
 +	groups, err := user.ParseGroupFileFilter(groupDest, func(g user.Group) bool {
 +		if inputIsName {
 +			return g.Name == groupIDorName
 +		}
 +		return g.Gid == gid
 +	})
 +	if err != nil {
 +		return nil, err
 +	}
 +	if len(groups) > 0 {
 +		return &groups[0], nil
 +	}
 +	return nil, user.ErrNoGroupEntries
 +}
--- a/CVE-2021-20188-PRE3.patch
+++ b/CVE-2021-20188-PRE3.patch
@ -1,181 +0,0 @@
 From 867669374c3fdd39f2629e53cbe7430f1bc3e085 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Tue, 8 Jan 2019 12:53:50 +0100
 Subject: [PATCH] Add a --workdir option to 'podman exec'
 Signed-off-by: Debarshi Ray <rishi@fedoraproject.org>
 ---
 cmd/podman/common.go    |  9 +++++----
 cmd/podman/exec.go      |  3 ++-
 completions/bash/podman |  2 ++
 docs/podman-exec.1.md   |  8 ++++++++
 libpod/container_api.go |  4 ++--
 libpod/oci.go           |  6 ++++--
 test/e2e/exec_test.go   | 32 ++++++++++++++++++++++++++++++++
 7 files changed, 55 insertions(+), 9 deletions(-)
 diff --git a/cmd/podman/common.go b/cmd/podman/common.go
 index 0fc9a6accfd..d934c869946 100644
 --- a/cmd/podman/common.go
 +++ b/cmd/podman/common.go
@@ -28,6 +28,10 @@ var (
 		Name:  "latest, l",
 		Usage: "act on the latest pod podman is aware of",
 	}
 +	WorkDirFlag = cli.StringFlag{
 +		Name:  "workdir, w",
 +		Usage: "Working directory inside the container",
 +	}
 )
 const (
@@ -522,10 +526,7 @@ var createFlags = []cli.Flag{
 		Name:  "volumes-from",
 		Usage: "Mount volumes from the specified container(s) (default [])",
 	},
 -	cli.StringFlag{
 -		Name:  "workdir, w",
 -		Usage: "Working `directory inside the container",
 -	},
 +	WorkDirFlag,
 }
 func getFormat(c *cli.Context) (string, error) {
 diff --git a/cmd/podman/exec.go b/cmd/podman/exec.go
 index c03834dea23..073e72e6404 100644
 --- a/cmd/podman/exec.go
 +++ b/cmd/podman/exec.go
@@ -34,6 +34,7 @@ var (
 			Usage: "Sets the username or UID used and optionally the groupname or GID for the specified command",
 		},
 		LatestFlag,
 +		WorkDirFlag,
 	}
 	execDescription = `
 	podman exec
@@ -108,5 +109,5 @@ func execCmd(c *cli.Context) error {
 		envs = append(envs, fmt.Sprintf("%s=%s", k, v))
 	}
 -	return ctr.Exec(c.Bool("tty"), c.Bool("privileged"), envs, cmd, c.String("user"))
 +	return ctr.Exec(c.Bool("tty"), c.Bool("privileged"), envs, cmd, c.String("user"), c.String("workdir"))
 }
 diff --git a/completions/bash/podman b/completions/bash/podman
 index d65f54690e3..e23615d5256 100644
 --- a/completions/bash/podman
 +++ b/completions/bash/podman
@@ -1111,6 +1111,8 @@ _podman_exec() {
     --env
     --user
     -u
 +    --workdir
 +    -w
      "
     local boolean_options="
     --latest
 diff --git a/docs/podman-exec.1.md b/docs/podman-exec.1.md
 index 284fa5a4a29..77317b0cabd 100644
 --- a/docs/podman-exec.1.md
 +++ b/docs/podman-exec.1.md
@@ -38,6 +38,14 @@ Sets the username or UID used and optionally the groupname or GID for the specif
 The following examples are all valid:
 --user [user | user:group | uid | uid:gid | user:gid | uid:group ]
 +**--workdir**, **-w**=""
 +
 +Working directory inside the container
 +
 +The default working directory for running binaries within a container is the root directory (/).
 +The image developer can set a different default with the WORKDIR instruction, which can be overridden
 +when creating the container.
 +
 ## SEE ALSO
 podman(1), podman-run(1)
 diff --git a/libpod/container_api.go b/libpod/container_api.go
 index 09bc46905ae..4eaf737b09a 100644
 --- a/libpod/container_api.go
 +++ b/libpod/container_api.go
@@ -262,7 +262,7 @@ func (c *Container) Kill(signal uint) error {
 // Exec starts a new process inside the container
 // TODO allow specifying streams to attach to
 // TODO investigate allowing exec without attaching
 -func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) error {
 +func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
 	var capList []string
 	locked := false
@@ -324,7 +324,7 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
 	logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
 -	execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, hostUser, sessionID)
 +	execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
 	if err != nil {
 		return errors.Wrapf(err, "error exec %s", c.ID())
 	}
 diff --git a/libpod/oci.go b/libpod/oci.go
 index 093bfdd3573..31c1a7e8514 100644
 --- a/libpod/oci.go
 +++ b/libpod/oci.go
@@ -728,7 +728,7 @@ func (r *OCIRuntime) unpauseContainer(ctr *Container) error {
 // TODO: Add --detach support
 // TODO: Convert to use conmon
 // TODO: add --pid-file and use that to generate exec session tracking
 -func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, user, sessionID string) (*exec.Cmd, error) {
 +func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
 	if len(cmd) == 0 {
 		return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
 	}
@@ -749,7 +749,9 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty
 	args = append(args, "exec")
 -	args = append(args, "--cwd", c.config.Spec.Process.Cwd)
 +	if cwd != "" {
 +		args = append(args, "--cwd", cwd)
 +	}
 	args = append(args, "--pid-file", c.execPidPath(sessionID))
 diff --git a/test/e2e/exec_test.go b/test/e2e/exec_test.go
 index fec80717fa2..a181501a5ff 100644
 --- a/test/e2e/exec_test.go
 +++ b/test/e2e/exec_test.go
@@ -127,4 +127,36 @@ var _ = Describe("Podman exec", func() {
 		Expect(session2.ExitCode()).To(Equal(0))
 		Expect(session2.OutputToString()).To(Equal(testUser))
 	})
 +
 +	It("podman exec simple working directory test", func() {
 +		setup := podmanTest.RunTopContainer("test1")
 +		setup.WaitWithDefaultTimeout()
 +		Expect(setup.ExitCode()).To(Equal(0))
 +
 +		session := podmanTest.Podman([]string{"exec", "-l", "--workdir", "/tmp", "pwd"})
 +		session.WaitWithDefaultTimeout()
 +		Expect(session.ExitCode()).To(Equal(0))
 +		match, _ := session.GrepString("/tmp")
 +		Expect(match).Should(BeTrue())
 +
 +		session = podmanTest.Podman([]string{"exec", "-l", "-w", "/tmp", "pwd"})
 +		session.WaitWithDefaultTimeout()
 +		Expect(session.ExitCode()).To(Equal(0))
 +		match, _ = session.GrepString("/tmp")
 +		Expect(match).Should(BeTrue())
 +	})
 +
 +	It("podman exec missing working directory test", func() {
 +		setup := podmanTest.RunTopContainer("test1")
 +		setup.WaitWithDefaultTimeout()
 +		Expect(setup.ExitCode()).To(Equal(0))
 +
 +		session := podmanTest.Podman([]string{"exec", "-l", "--workdir", "/missing", "pwd"})
 +		session.WaitWithDefaultTimeout()
 +		Expect(session.ExitCode()).To(Equal(1))
 +
 +		session = podmanTest.Podman([]string{"exec", "-l", "-w", "/missing", "pwd"})
 +		session.WaitWithDefaultTimeout()
 +		Expect(session.ExitCode()).To(Equal(1))
 +	})
 })
--- a/CVE-2021-20188.patch
+++ b/CVE-2021-20188.patch
@ -1,320 +0,0 @@
 From 69daa67c436a8fdeb0149aa5cb0112f03fdb699f Mon Sep 17 00:00:00 2001
 From: Matthew Heon <mheon@redhat.com>
 Date: Mon, 25 Jan 2021 14:18:07 -0500
 Subject: [PATCH] Correct handling of capabilities
 Ensure that capabilities are properly handled for non-root users
 in privileged containers. We do not want to give full caps, but
 instead only CapInh and CapEff (others should be all-zeroes).
 Fixing `podman run` is easy - the same code as the Podman 1.6 fix
 works there. The `podman exec` command is far more challenging.
 Exec received a complete rewrite to use Conmon at some point
 before Podman 1.6, and gained many capabilities in the process.
 One of those was the ability to actually tweak the capabilities
 of the exec process - 1.0 did not have that. Since it was needed
 to resolve this CVE, I was forced to backport a large bit of the
 1.0 -> 1.6 exec changes (passing a Process block to the OCI
 runtime, and using `prepareProcessExec()` to prepare said block).
 I am honestly uncomfortable with the size and scope of this
 change but I don't see another way around this.
 Fixes CVE-2021-20188
 Signed-off-by: Matthew Heon <mheon@redhat.com>
 ---
 libpod/container_api.go |  24 +------
 libpod/oci.go           | 148 ++++++++++++++++++++++++++++++++--------
 pkg/spec/spec.go        |   8 +++
 3 files changed, 132 insertions(+), 48 deletions(-)
 diff --git a/libpod/container_api.go b/libpod/container_api.go
 index fe66abf7a8f..b10596f6228 100644
 --- a/libpod/container_api.go
 +++ b/libpod/container_api.go
@@ -2,7 +2,6 @@ package libpod
 import (
 	"context"
 -	"fmt"
 	"io/ioutil"
 	"os"
 	"strconv"
@@ -11,9 +10,7 @@ import (
 	"github.com/containers/libpod/libpod/driver"
 	"github.com/containers/libpod/pkg/inspect"
 -	"github.com/containers/libpod/pkg/lookup"
 	"github.com/containers/storage/pkg/stringid"
 -	"github.com/docker/docker/daemon/caps"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -260,8 +257,6 @@ func (c *Container) Kill(signal uint) er
 // TODO allow specifying streams to attach to
 // TODO investigate allowing exec without attaching
 func (c *Container) Exec(tty, privileged bool, env, cmd []string, user, workDir string) error {
 -	var capList []string
 -
 	locked := false
 	if !c.batched {
 		locked = true
@@ -284,22 +279,8 @@ func (c *Container) Exec(tty, privileged
 	if conState != ContainerStateRunning {
 		return errors.Errorf("cannot exec into container that is not running")
 	}
 -	if privileged || c.config.Privileged {
 -		capList = caps.GetAllCapabilities()
 -	}
 -	// If user was set, look it up in the container to get a UID to use on
 -	// the host
 -	hostUser := ""
 -	if user != "" {
 -		execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
 -		if err != nil {
 -			return err
 -		}
 -
 -		// runc expects user formatted as uid:gid
 -		hostUser = fmt.Sprintf("%d:%d", execUser.Uid, execUser.Gid)
 -	}
 +	isPrivileged := privileged || c.config.Privileged
 	// Generate exec session ID
 	// Ensure we don't conflict with an existing session ID
@@ -321,10 +303,11 @@ func (c *Container) Exec(tty, privileged
 	logrus.Debugf("Creating new exec session in container %s with session id %s", c.ID(), sessionID)
 -	execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, workDir, hostUser, sessionID)
 +	execCmd, processFile, err := c.runtime.ociRuntime.execContainer(c, cmd, env, tty, workDir, user, sessionID, isPrivileged)
 	if err != nil {
 		return errors.Wrapf(err, "error exec %s", c.ID())
 	}
 +	defer os.Remove(processFile)
 	pidFile := c.execPidPath(sessionID)
 	// 1 second seems a reasonable time to wait
 diff --git a/libpod/oci.go b/libpod/oci.go
 index a1894b52fbe..79217dced5d 100644
 --- a/libpod/oci.go
 +++ b/libpod/oci.go
@@ -15,10 +15,12 @@ import (
 	"syscall"
 	"time"
 +	"github.com/containers/libpod/pkg/lookup"
 	"github.com/containers/libpod/pkg/ctime"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/coreos/go-systemd/activation"
 	"github.com/cri-o/ocicni/pkg/ocicni"
 +	"github.com/docker/docker/daemon/caps"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
@@ -689,18 +691,23 @@ func (r *OCIRuntime) unpauseContainer(ct
 // TODO: Add --detach support
 // TODO: Convert to use conmon
 // TODO: add --pid-file and use that to generate exec session tracking
 -func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty bool, cwd, user, sessionID string) (*exec.Cmd, error) {
 +func (r *OCIRuntime) execContainer(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (*exec.Cmd, string, error) {
 	if len(cmd) == 0 {
 -		return nil, errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
 +		return nil, "", errors.Wrapf(ErrInvalidArg, "must provide a command to execute")
 	}
 	if sessionID == "" {
 -		return nil, errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
 +		return nil, "", errors.Wrapf(ErrEmptyID, "must provide a session ID for exec")
 	}
 	runtimeDir, err := GetRootlessRuntimeDir()
 	if err != nil {
 -		return nil, err
 +		return nil, "", err
 +	}
 +
 +	processFile, err := prepareProcessExec(c, cmd, env, tty, cwd, user, sessionID, privileged)
 +	if err != nil {
 +		return nil, "", err
 	}
 	args := []string{}
@@ -710,32 +717,14 @@ func (r *OCIRuntime) execContainer(c *Co
 	args = append(args, "exec")
 -	if cwd != "" {
 -		args = append(args, "--cwd", cwd)
 -	}
 +	args = append(args, "--process", processFile)
 	args = append(args, "--pid-file", c.execPidPath(sessionID))
 -	if tty {
 -		args = append(args, "--tty")
 -	}
 -
 -	if user != "" {
 -		args = append(args, "--user", user)
 -	}
 -
 	if c.config.Spec.Process.NoNewPrivileges {
 		args = append(args, "--no-new-privs")
 	}
 -	for _, cap := range capAdd {
 -		args = append(args, "--cap", cap)
 -	}
 -
 -	for _, envVar := range env {
 -		args = append(args, "--env", envVar)
 -	}
 -
 	// Append container ID and command
 	args = append(args, c.ID())
 	args = append(args, cmd...)
@@ -749,10 +738,10 @@ func (r *OCIRuntime) execContainer(c *Co
 	execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
 	if err := execCmd.Start(); err != nil {
 -		return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
 +		return nil, "", errors.Wrapf(err, "cannot start container %s", c.ID())
 	}
 -	return execCmd, nil
 +	return execCmd, processFile, nil
 }
 // execStopContainer stops all active exec sessions in a container
@@ -831,3 +820,110 @@ func (r *OCIRuntime) checkpointContainer
 	return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, nil, r.path, "checkpoint",
 		"--image-path", imagePath, "--work-path", workPath, ctr.ID())
 }
 +
 +// prepareProcessExec returns the path of the process.json used in runc exec -p.
 +// Returns path to the created exec process file. This will need to be removed
 +// by the caller when they're done, best effort.
 +func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, sessionID string, privileged bool) (string, error) {
 +	filename := filepath.Join(c.bundlePath(), fmt.Sprintf("exec-process-%s", sessionID))
 +	f, err := os.OpenFile(filename, os.O_CREATE|os.O_WRONLY, 0600)
 +	if err != nil {
 +		return "", err
 +	}
 +	defer f.Close()
 +
 +	pspec := c.config.Spec.Process
 +	pspec.SelinuxLabel = c.config.ProcessLabel
 +	pspec.Args = cmd
 +	// We need to default this to false else it will inherit terminal as true
 +	// from the container.
 +	pspec.Terminal = false
 +	if tty {
 +		pspec.Terminal = true
 +	}
 +	if len(env) > 0 {
 +		pspec.Env = append(pspec.Env, env...)
 +	}
 +
 +	if cwd != "" {
 +		pspec.Cwd = cwd
 +
 +	}
 +
 +	var addGroups []string
 +	var sgids []uint32
 +
 +	// if the user is empty, we should inherit the user that the container is currently running with
 +	if user == "" {
 +		user = c.config.User
 +		addGroups = c.config.Groups
 +	}
 +
 +	execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, user, nil)
 +	if err != nil {
 +		return "", err
 +	}
 +
 +	if len(addGroups) > 0 {
 +		sgids, err = lookup.GetContainerGroups(addGroups, c.state.Mountpoint, nil)
 +		if err != nil {
 +			return "", errors.Wrapf(err, "error looking up supplemental groups for container %s exec session %s", c.ID(), sessionID)
 +		}
 +	}
 +
 +	// If user was set, look it up in the container to get a UID to use on
 +	// the host
 +	if user != "" || len(sgids) > 0 {
 +		if user != "" {
 +			for _, sgid := range execUser.Sgids {
 +				sgids = append(sgids, uint32(sgid))
 +			}
 +		}
 +		processUser := spec.User{
 +			UID:            uint32(execUser.Uid),
 +			GID:            uint32(execUser.Gid),
 +			AdditionalGids: sgids,
 +		}
 +
 +		pspec.User = processUser
 +	}
 +
 +	allCaps := caps.GetAllCapabilities()
 +	pspec.Capabilities.Effective = []string{}
 +	if privileged {
 +		pspec.Capabilities.Bounding = allCaps
 +	} else {
 +		pspec.Capabilities.Bounding = []string{}
 +	}
 +	pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
 +	if execUser.Uid == 0 {
 +		pspec.Capabilities.Effective = pspec.Capabilities.Bounding
 +		pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
 +		pspec.Capabilities.Ambient = pspec.Capabilities.Bounding
 +	} else {
 +		pspec.Capabilities.Permitted = pspec.Capabilities.Effective
 +		pspec.Capabilities.Ambient = pspec.Capabilities.Effective
 +	}
 +
 +	hasHomeSet := false
 +	for _, s := range pspec.Env {
 +		if strings.HasPrefix(s, "HOME=") {
 +			hasHomeSet = true
 +			break
 +		}
 +	}
 +	if !hasHomeSet {
 +		pspec.Env = append(pspec.Env, fmt.Sprintf("HOME=%s", execUser.Home))
 +	}
 +
 +	processJSON, err := json.Marshal(pspec)
 +	if err != nil {
 +		return "", err
 +	}
 +
 +	if err := ioutil.WriteFile(filename, processJSON, 0644); err != nil {
 +		return "", err
 +	}
 +
 +	return filename, nil
 +}
 diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
 index 46105af4aef..d4f13711859 100644
 --- a/pkg/spec/spec.go
 +++ b/pkg/spec/spec.go
@@ -325,6 +325,14 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 		}
 	} else {
 		g.SetupPrivileged(true)
 +		if config.User != "" {
 +			user := strings.SplitN(config.User, ":", 2)[0]
 +			if user != "root" && user != "0" {
 +				g.Spec().Process.Capabilities.Effective = []string{}
 +				g.Spec().Process.Capabilities.Permitted = []string{}
 +				g.Spec().Process.Capabilities.Ambient = []string{}
 +			}
 +		}
 	}
 	// HANDLE SECCOMP
--- a/dnsname-18822f9.tar.gz
+++ b/dnsname-18822f9.tar.gz
--- a/gvisor-tap-vsock-4ee84d6.tar.gz
+++ b/gvisor-tap-vsock-4ee84d6.tar.gz
--- a/libpod-e4a1553.tar.gz
+++ b/libpod-e4a1553.tar.gz
--- a/podman-machine-cni-0749884.tar.gz
+++ b/podman-machine-cni-0749884.tar.gz
--- a/podman.spec
+++ b/podman.spec
@ -1,146 +1,75 @@
 %define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=openEuler-hardened-ld '" -a -v -x %{?**};
 Name:          podman
-Version:       0.10.1
+Version:       3.4.4
-Release:       12
+Release:       1
 Summary:       A daemonless container engine for managing Containers
-Epoch:         1
+Epoch:         0
 License:       ASL 2.0
 URL:           https://podman.io/
-Source0:       https://github.com/containers/libpod/archive/e4a155328fb88590fafd3d4e845f9bca49133f62/libpod-e4a1553.tar.gz
+Source0:       https://github.com/containers/podman/archive/v3.4.4.tar.gz
-Source1:       https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
+Source1:       https://github.com/containers/dnsname/archive/18822f9a4fb35d1349eb256f4cd2bfd372474d84/dnsname-18822f9.tar.gz
 Source2:       https://github.com/containers/podman-machine-cni/archive/0749884b8d1a455c68da30789e37811ec0809d51/podman-machine-cni-0749884.tar.gz
 Source3:       https://github.com/containers/gvisor-tap-vsock/archive/4ee84d66bd86668f011733d8873989b5862bcd07/gvisor-tap-vsock-4ee84d6.tar.gz
 Source4:       https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 BuildRequires: golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
 BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel
 BuildRequires: libselinux-devel ostree-devel pkgconfig make
-Requires:      docker-runc containers-common containernetworking-plugins >= 0.7.3-2 iptables nftables conmon
+Requires:      crun containers-common containernetworking-plugins >= 0.7.3-2 iptables nftables conmon
 Requires:      (container-selinux if selinux-policy)
-Recommends:    slirp4netns
+Recommends: %{name}-plugins = %{epoch}:%{version}-%{release}
 Recommends:    slirp4netns catatonit
-Provides: bundled(golang(github.com/Azure/go-ansiterm)) = 19f72df4d05d31cbe1c56bfc8045c96babff6c7e
+Provides: bundled(golang(github.com/BurntSushi/toml)) = v0.3.1
-Provides: bundled(golang(github.com/blang/semver)) = v3.5.0
+Provides: bundled(golang(github.com/containernetworking/cni)) = v0.8.0
-Provides: bundled(golang(github.com/boltdb/bolt)) = master
+Provides: bundled(golang(github.com/containernetworking/plugins)) = v0.8.7
-Provides: bundled(golang(github.com/buger/goterm)) = 2f8dfbc7dbbff5dd1d391ed91482c24df243b2d3
+Provides: bundled(golang(github.com/containers/image/v5)) = v5.5.2
-Provides: bundled(golang(github.com/BurntSushi/toml)) = v0.2.0
+Provides: bundled(golang(github.com/containers/psgo)) = v1.5.1
-Provides: bundled(golang(github.com/containerd/cgroups)) = 77e628511d924b13a77cebdc73b757a47f6d751b
+Provides: bundled(golang(github.com/containers/storage)) = v1.23.2
-Provides: bundled(golang(github.com/containerd/continuity)) = master
+Provides: bundled(golang(github.com/coreos/go-systemd/v22)) = v22.1.0
-Provides: bundled(golang(github.com/containernetworking/plugins)) = 1562a1e60ed101aacc5e08ed9dbeba8e9f3d4ec1
+Provides: bundled(golang(github.com/cri-o/ocicni)) = v0.2.0
-Provides: bundled(golang(github.com/containers/image)) = 134f99bed228d6297dc01d152804f6f09f185418
+Provides: bundled(golang(github.com/cyphar/filepath-securejoin)) = v0.2.2
-Provides: bundled(golang(github.com/containers/psgo)) = 5dde6da0bc8831b35243a847625bcf18183bd1ee
+Provides: bundled(golang(github.com/davecgh/go-spew)) = v1.1.1
-Provides: bundled(golang(github.com/containers/storage)) = 17c7d1fee5603ccf6dd97edc14162fc1510e7e23
+Provides: bundled(golang(github.com/docker/distribution)) = v2.7.1+incompatible
-Provides: bundled(golang(github.com/coreos/go-systemd)) = v14
+Provides: bundled(golang(github.com/docker/go-connections)) = v0.4.0
-Provides: bundled(golang(github.com/cri-o/ocicni)) = master
+Provides: bundled(golang(github.com/docker/go-units)) = v0.4.0
-Provides: bundled(golang(github.com/cyphar/filepath-securejoin)) = v0.2.1
+Provides: bundled(golang(github.com/fsnotify/fsnotify)) = v1.4.9
-Provides: bundled(golang(github.com/davecgh/go-spew)) = v1.1.0
+Provides: bundled(golang(github.com/ghodss/yaml)) = v1.0.0
-Provides: bundled(golang(github.com/docker/distribution)) = 7a8efe719e55bbfaff7bc5718cdf0ed51ca821df
+Provides: bundled(golang(github.com/godbus/dbus/v5)) = v5.0.3
-Provides: bundled(golang(github.com/docker/docker)) = 86f080cff0914e9694068ed78d503701667c4c00
+Provides: bundled(golang(github.com/google/uuid)) = v1.1.2
-Provides: bundled(golang(github.com/docker/docker-credential-helpers)) = d68f9aeca33f5fd3f08eeae5e9d175edf4e731d1
+Provides: bundled(golang(github.com/gorilla/mux)) = v1.7.4
-Provides: bundled(golang(github.com/docker/go-connections)) = 3ede32e2033de7505e6500d6c868c2b9ed9f169d
+Provides: bundled(golang(github.com/gorilla/schema)) = v1.2.0
-Provides: bundled(golang(github.com/docker/go-units)) = v0.3.2
+Provides: bundled(golang(github.com/hashicorp/go-multierror)) = v1.1.0
-Provides: bundled(golang(github.com/docker/libtrust)) = aabc10ec26b754e797f9028f4589c5b7bd90dc20
+Provides: bundled(golang(github.com/hpcloud/tail)) = v1.0.0
-Provides: bundled(golang(github.com/docker/spdystream)) = ed496381df8283605c435b86d4fdd6f4f20b8c6e
+Provides: bundled(golang(github.com/json-iterator/go)) = v1.1.10
-Provides: bundled(golang(github.com/fatih/camelcase)) = f6a740d52f961c60348ebb109adde9f4635d7540
+Provides: bundled(golang(github.com/onsi/ginkgo)) = v1.14.0
-Provides: bundled(golang(github.com/fsnotify/fsnotify)) = 7d7316ed6e1ed2de075aab8dfc76de5d158d66e1
+Provides: bundled(golang(github.com/onsi/gomega)) = v1.10.1
-Provides: bundled(golang(github.com/fsouza/go-dockerclient)) = master
+Provides: bundled(golang(github.com/opencontainers/go-digest)) = v1.0.0
-Provides: bundled(golang(github.com/ghodss/yaml)) = 04f313413ffd65ce25f2541bfd2b2ceec5c0908c
+Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = v0.9.0
-Provides: bundled(golang(github.com/godbus/dbus)) = a389bdde4dd695d414e47b755e95e72b7826432c
+Provides: bundled(golang(github.com/opencontainers/selinux)) = v1.6.0
-Provides: bundled(golang(github.com/gogo/protobuf)) = c0656edd0d9eab7c66d1eb0c568f9039345796f7
+Provides: bundled(golang(github.com/opentracing/opentracing-go)) = v1.2.0
-Provides: bundled(golang(github.com/golang/glog)) = 23def4e6c14b4da8ac2ed8007337bc5eb5007998
+Provides: bundled(golang(github.com/pkg/errors)) = v0.9.1
-Provides: bundled(golang(github.com/golang/groupcache)) = b710c8433bd175204919eb38776e944233235d03
+Provides: bundled(golang(github.com/pmezard/go-difflib)) = v1.0.0
-Provides: bundled(golang(github.com/golang/protobuf)) = 4bd1920723d7b7c925de087aa32e2187708897f7
+Provides: bundled(golang(github.com/rootless-containers/rootlesskit)) = v0.10.0
-Provides: bundled(golang(github.com/googleapis/gnostic)) = 0c5108395e2debce0d731cf0287ddf7242066aba
+Provides: bundled(golang(github.com/sirupsen/logrus)) = v1.6.0
-Provides: bundled(golang(github.com/google/gofuzz)) = 44d81051d367757e1c7c6a5a86423ece9afcf63c
+Provides: bundled(golang(github.com/spf13/cobra)) = v0.0.7
-Provides: bundled(golang(github.com/gorilla/context)) = v1.1
+Provides: bundled(golang(github.com/spf13/pflag)) = v1.0.5
-Provides: bundled(golang(github.com/gorilla/mux)) = v1.3.0
+Provides: bundled(golang(github.com/stretchr/testify)) = v1.6.1
-Provides: bundled(golang(github.com/hashicorp/errwrap)) = 7554cd9344cec97297fa6649b055a8c98c2a1e55
+Provides: bundled(golang(github.com/uber/jaeger-client-go)) = v2.25.0+incompatible
-Provides: bundled(golang(github.com/hashicorp/golang-lru)) = 0a025b7e63adc15a622f29b0b2c4c3848243bbf6
+Provides: bundled(golang(github.com/uber/jaeger-lib)) = v2.2.0+incompatible
-Provides: bundled(golang(github.com/hashicorp/go-multierror)) = 83588e72410abfbe4df460eeb6f30841ae47d4c4
+Provides: bundled(golang(github.com/vishvananda/netlink)) = v1.1.0
-Provides: bundled(golang(github.com/imdario/mergo)) = 0.2.2
+Provides: bundled(golang(go.etcd.io/bbolt)) = v1.3.5
-Provides: bundled(golang(github.com/json-iterator/go)) = 1.0.0
+Provides: bundled(golang(k8s.io/api)) = v0.18.8
-Provides: bundled(golang(github.com/kr/pty)) = v1.0.0
+Provides: bundled(golang(k8s.io/apimachinery)) = v0.19.0
 Provides: bundled(golang(github.com/mailru/easyjson)) = 03f2033d19d5860aef995fe360ac7d395cd8ce65
 Provides: bundled(golang(github.com/mattn/go-runewidth)) = v0.0.1
 Provides: bundled(golang(github.com/Microsoft/go-winio)) = 78439966b38d69bf38227fbf57ac8a6fee70f69a
 Provides: bundled(golang(github.com/Microsoft/hcsshim)) = 43f9725307998e09f2e3816c2c0c36dc98f0c982
 Provides: bundled(golang(github.com/mistifyio/go-zfs)) = v2.1.1
 Provides: bundled(golang(github.com/mrunalp/fileutils)) = master
 Provides: bundled(golang(github.com/mtrmac/gpgme)) = b2432428689ca58c2b8e8dea9449d3295cf96fc9
 Provides: bundled(golang(github.com/Nvveen/Gotty)) = master
 Provides: bundled(golang(github.com/opencontainers/image-spec)) = v1.0.0
 Provides: bundled(golang(github.com/opencontainers/runc)) = b4e2ecb452d9ee4381137cc0a7e6715b96bed6de
 Provides: bundled(golang(github.com/opencontainers/runtime-spec)) = v1.0.0
 Provides: bundled(golang(github.com/opencontainers/runtime-tools)) = master
 Provides: bundled(golang(github.com/opencontainers/selinux)) = b6fa367ed7f534f9ba25391cc2d467085dbb445a
 Provides: bundled(golang(github.com/openshift/imagebuilder)) = master
 Provides: bundled(golang(github.com/ostreedev/ostree-go)) = master
 Provides: bundled(golang(github.com/pkg/errors)) = v0.8.0
 Provides: bundled(golang(github.com/pmezard/go-difflib)) = 792786c7400a136282c1664665ae0a8db921c6c2
 Provides: bundled(golang(github.com/pquerna/ffjson)) = d49c2bc1aa135aad0c6f4fc2056623ec78f5d5ac
 Provides: bundled(golang(github.com/projectatomic/buildah)) = 745bf7e56bda740ce7cfc55318da08529e5ed519
 Provides: bundled(golang(github.com/seccomp/containers-golang)) = master
 Provides: bundled(golang(github.com/seccomp/libseccomp-golang)) = v0.9.0
 Provides: bundled(golang(github.com/sirupsen/logrus)) = v1.0.0
 Provides: bundled(golang(github.com/spf13/pflag)) = 9ff6c6923cfffbcd502984b8e0c80539a94968b7
 Provides: bundled(golang(github.com/stretchr/testify)) = 4d4bfba8f1d1027c4fdbe371823030df51419987
 Provides: bundled(golang(github.com/syndtr/gocapability)) = e7cb7fa329f456b3855136a2642b197bad7366ba
 Provides: bundled(golang(github.com/tchap/go-patricia)) = v2.2.6
 Provides: bundled(golang(github.com/ulikunitz/xz)) = v0.5.4
 Provides: bundled(golang(github.com/ulule/deepcopier)) = master
 Provides: bundled(golang(github.com/urfave/cli)) = 934abfb2f102315b5794e15ebc7949e4ca253920
 Provides: bundled(golang(github.com/varlink/go)) = master
 Provides: bundled(golang(github.com/vbatts/tar-split)) = v0.10.2
 Provides: bundled(golang(github.com/vishvananda/netlink)) = master
 Provides: bundled(golang(github.com/vishvananda/netns)) = master
 Provides: bundled(golang(github.com/xeipuuv/gojsonpointer)) = master
 Provides: bundled(golang(github.com/xeipuuv/gojsonreference)) = master
 Provides: bundled(golang(github.com/xeipuuv/gojsonschema)) = master
 Provides: bundled(golang(golang.org/x/crypto)) = 81e90905daefcd6fd217b62423c0908922eadb30
 Provides: bundled(golang(golang.org/x/net)) = c427ad74c6d7a814201695e9ffde0c5d400a7674
 Provides: bundled(golang(golang.org/x/sys)) = master
 Provides: bundled(golang(golang.org/x/text)) = f72d8390a633d5dfb0cc84043294db9f6c935756
 Provides: bundled(golang(golang.org/x/time)) = f51c12702a4d776e4c1fa9b0fabab841babae631
 Provides: bundled(golang(google.golang.org/grpc)) = v1.0.4
 Provides: bundled(golang(gopkg.in/cheggaaa/pb.v1)) = v1.0.7
 Provides: bundled(golang(gopkg.in/inf.v0)) = v0.9.0
 Provides: bundled(golang(gopkg.in/mgo.v2)) = v2
 Provides: bundled(golang(gopkg.in/square/go-jose.v2)) = v2.1.3
 Provides: bundled(golang(gopkg.in/yaml.v2)) = v2
 Provides: bundled(golang(k8s.io/api)) = 5ce4aa0bf2f097f6021127b3d879eeda82026be8
 Provides: bundled(golang(k8s.io/apiextensions-apiserver)) = 1b31e26d82f1ec2e945c560790e98f34bb5f2e63
 Provides: bundled(golang(k8s.io/apimachinery)) = 616b23029fa3dc3e0ccefd47963f5651a6543d94
 Provides: bundled(golang(k8s.io/apiserver)) = 4d1163080139f1f9094baf8a3a6099e85e1867f6
 Provides: bundled(golang(k8s.io/client-go)) = 7cd1d3291b7d9b1e2d54d4b69eb65995eaf8888e
 Provides: bundled(golang(k8s.io/kube-openapi)) = 275e2ce91dec4c05a4094a7b1daee5560b555ac9
 Provides: bundled(golang(k8s.io/utils)) = 258e2a2fa64568210fbd6267cf1d8fd87c3cb86e
-Patch1:   0001-podman-patch-for-local-search.patch 
+Patch1:   0001-Fix-the-invalid-memory-address-reference.patch
-Patch2:   CVE-2021-20188-PRE1.patch
+Patch2:   0002-add-openEuler-hardened-ld.patch
 Patch3:   CVE-2021-20188-PRE2.patch
 Patch4:   CVE-2021-20188-PRE3.patch
 Patch5:   CVE-2021-20188.patch
 Patch6:   0002-Fix-the-invalid-memory-address-reference.patch
 Patch7:   0003-eat-signal-23-in-signal-proxy.patch
 %description
 Podman manages the entire container ecosystem which includes pods,
 containers, container images, and container volumes using the libpod library. 
 %package -n     python3-podman
 Summary:        Python 3 bindings and client for podman
 BuildArch:      noarch
 BuildRequires:  python3-devel python3-setuptools python3-varlink
 Requires:       python3-setuptools python3-varlink python3-dateutil python3-humanize python3-psutil
 Provides:       python3-%{name} = %{version}-%{release}
 %description -n python3-podman
 The python3-podman package containers a module that allows you to connect to a Podman socket activated systemdservice on the same host or a remote host using a ssh tunnel.
 %package -n     python3-pypodman
 Summary:        Python 3 tool for podman
 BuildArch:      noarch
 BuildRequires:  python3-devel python3-setuptools python3-varlink
 Requires:       python3-setuptools python3-varlink python3-dateutil python3-psutil
 %description -n python3-pypodman
 Python 3 tool for podman.
 %package        docker
 Summary:        Docker CLI emulator for podman
 BuildArch:      noarch
@ -150,6 +79,60 @@ Conflicts:      docker docker-latest docker-ce docker-ee moby-engine
 %description docker
 This package installs a script named docker, which emulates the Docker CLI through podman command.
 %package tests
 Summary: Tests for %{name}
 Requires: %{name} = %{epoch}:%{version}-%{release}
 Requires: bats
 Requires: jq
 Requires: skopeo
 Requires: nmap-ncat
 Requires: httpd-tools
 Requires: openssl
 Requires: socat
 Requires: buildah
 Requires: gnupg
 %description tests
 %{summary}
 This package contains system tests for %{name}
 %package remote
 Summary: (Experimental) Remote client for managing %{name} containers
 %description remote
 Remote client for managing %{name} containers.
 This experimental remote client is under heavy development. Please do not
 run %{name}-remote in production.
 %{name}-remote uses the version 2 API to connect to a %{name} client to
 manage pods, containers and container images. %{name}-remote supports ssh
 connections as well.
 %package plugins
 Summary: Plugins for %{name}
 Requires: dnsmasq
 Recommends: %{name}-gvproxy = %{epoch}:%{version}-%{release}
 %description plugins
 This plugin sets up the use of dnsmasq on a given CNI network so
 that Pods can resolve each other by name.  When configured,
 the pod and its IP address are added to a network specific hosts file
 that dnsmasq will read in.  Similarly, when a pod
 is removed from the network, it will remove the entry from the hosts
 file.  Each CNI network will have its own dnsmasq instance.
 %package gvproxy
 Summary: Go replacement for libslirp and VPNKit
 %description gvproxy
 A replacement for libslirp and VPNKit, written in pure Go.
 It is based on the network stack of gVisor. Compared to libslirp,
 gvisor-tap-vsock brings a configurable DNS server and
 dynamic port forwarding.
 %package help
 Summary:        Help document for the podman package
 Conflicts:      docker docker-latest docker-ce docker-ee moby-engine
@ -158,74 +141,187 @@ Conflicts:      docker docker-latest docker-ce docker-ee moby-engine
 Help document for the podman package
 %prep
-%autosetup -n libpod-e4a155328fb88590fafd3d4e845f9bca49133f62 -p1
+%autosetup -Sgit -n %{name}-%{version}
-sed -i '/\/bin\/env/d' completions/bash/%{name}
+# untar dnsname
-sed -i 's/0.0.0/%{version}/' contrib/python/%{name}/setup.py
+tar zxf %{SOURCE1}
-sed -i 's/0.0.0/%{version}/' contrib/python/py%{name}/setup.py
+# untar %%{name}-machine-cni
-mv pkg/hooks/README.md pkg/hooks/README-hooks.md
+tar zxf %{SOURCE2}
-tar -xf %SOURCE1
+# untar %%{name}-gvproxy
 tar zxf %{SOURCE3}
 tar -xf %SOURCE4
 %build
-mkdir -p _build/bin _output/bin
+GO_MD2MAN_PATH="$(pwd)%{_bindir}"
 mkdir -p _buildgo2man/bin $GO_MD2MAN_PATH
 cd go-md2man-*
-go build -mod=vendor -o ../_build/bin/go-md2man .
+go build -mod=vendor -o ../_buildgo2man/bin/go-md2man .
-cp ../_build/bin/go-md2man ../_output/bin/go-md2man
+cp ../_buildgo2man/bin/go-md2man $GO_MD2MAN_PATH/go-md2man
 export PATH=$GO_MD2MAN_PATH:$PATH
 cd -
-cd _build
+
-mkdir -p src/github.com/containers
+%set_build_flags
 ln -s ../../../../ src/github.com/containers/libpod
 cd -
 ln -s vendor src
 export GOPATH=$(pwd)/_build:$(pwd):$(pwd):%{gopath}
 export BUILDTAGS="varlink selinux seccomp $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) $(hack/libdm_tag.sh) exclude_graphdriver_devicemapper"
 export GO111MODULE=off
-go generate ./cmd/%{name}/varlink/...
+export GOPATH=$(pwd)/_build:$(pwd)
-BUILDTAGS=$BUILDTAGS make binaries docs
+export CGO_CFLAGS=$CFLAGS
 # These extra flags present in $CFLAGS have been skipped for now as they break the build
 CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-flto=auto//g')
 CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-Wp,D_GLIBCXX_ASSERTIONS//g')
 CGO_CFLAGS=$(echo $CGO_CFLAGS | sed 's/-specs=\/usr\/lib\/rpm\/redhat\/redhat-annobin-cc1//g')
 %ifarch x86_64
 export CGO_CFLAGS+=" -m64 -mtune=generic -fcf-protection=full"
 %endif
 mkdir _build
 pushd _build
 mkdir -p src/github.com/containers
 ln -s ../../../../ src/github.com/containers/podman
 popd
 ln -s vendor src
 # build %%{name}
 export BUILDTAGS="seccomp exclude_graphdriver_devicemapper $(hack/btrfs_installed_tag.sh) $(hack/btrfs_tag.sh) $(hack/libdm_tag.sh) $(hack/selinux_tag.sh) $(hack/systemd_tag.sh)"
 # build date. FIXME: Makefile uses '/v2/libpod', that doesn't work here?
 LDFLAGS="-X github.com/containers/podman/libpod/define.buildInfo=$(date +%s)"
 %gobuild -o bin/%{name} github.com/containers/podman/cmd/%{name}
 # build %%{name}-remote
 export BUILDTAGS+=" exclude_graphdriver_btrfs btrfs_noversion remote"
 %gobuild -o bin/%{name}-remote github.com/containers/podman/cmd/%{name}
 pushd dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84
 mkdir _build
 pushd _build
 mkdir -p src/github.com/containers
 ln -s ../../../../ src/github.com/containers/dnsname
 popd
 ln -s vendor src
 export GOPATH=$(pwd)/_build:$(pwd)
 %gobuild -o bin/dnsname github.com/containers/dnsname/plugins/meta/dnsname
 popd
 pushd podman-machine-cni-0749884b8d1a455c68da30789e37811ec0809d51
 mkdir _build
 pushd _build
 mkdir -p src/github.com/containers
 ln -s ../../../../ src/github.com/containers/podman-machine-cni
 popd
 ln -s vendor src
 export GOPATH=$(pwd)/_build:$(pwd)
 %gobuild -o bin/%{name}-machine github.com/containers/podman-machine-cni/plugins/meta/%{name}-machine
 popd
 pushd gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07
 mkdir _build
 pushd _build
 mkdir -p src/github.com/containers
 ln -s ../../../../ src/github.com/containers/gvisor-tap-vsock
 popd
 ln -s vendor src
 export GOPATH=$(pwd)/_build:$(pwd)
 %gobuild -o bin/gvproxy github.com/containers/gvisor-tap-vsock/cmd/gvproxy
 popd
 BUILDTAGS=$BUILDTAGS make docs docker-docs
 %install
 install -dp %{buildroot}%{_unitdir}
 make PREFIX=%{buildroot}%{_prefix} ETCDIR=%{buildroot}%{_sysconfdir} \
-        install.bin install.man install.cni install.systemd install.completions install.docker
+        install.bin-nobuild install.man-nobuild install.systemd install.completions install.docker install.docker-docs-nobuild install.remote-nobuild
-%{__make} DESTDIR=%{buildroot} install.python
+install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.service %{buildroot}%{_userunitdir}/podman-auto-update.service
 install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.timer %{buildroot}%{_userunitdir}/podman-auto-update.timer
 install -Z -m 644 contrib/systemd/user/podman.socket %{buildroot}%{_userunitdir}/podman.socket
 install -Z -m 644 contrib/systemd/user/podman.service %{buildroot}%{_userunitdir}/podman.service
 install -Z -m 644 contrib/systemd/user/podman-restart.service %{buildroot}%{_userunitdir}/podman-restart.service
 install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.service %{buildroot}%{_unitdir}/podman-auto-update.service
 install -Z -m 644 contrib/systemd/auto-update/podman-auto-update.timer %{buildroot}%{_unitdir}/podman-auto-update.timer
 install -Z -m 644 contrib/systemd/system/podman.socket %{buildroot}%{_unitdir}/podman.socket
 install -Z -m 644 contrib/systemd/system/podman.service %{buildroot}%{_unitdir}/podman.service
 install -Z -m 644 contrib/systemd/system/podman-restart.service %{buildroot}%{_unitdir}/podman-restart.service
-install -Dp -m644 libpod.conf %{buildroot}%{_datadir}/containers/libpod.conf
+mv pkg/hooks/README.md pkg/hooks/README-hooks.md
 # install dnsname plugin
 pushd dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84
 %{__make} PREFIX=%{_prefix} DESTDIR=%{buildroot} install
 popd
 # install machine-cni plugin
 pushd podman-machine-cni-0749884b8d1a455c68da30789e37811ec0809d51
 %{__make} PREFIX=%{_prefix} DESTDIR=%{buildroot} install
 popd
 # install gvproxy
 pushd gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07
 install -dp %{buildroot}%{_libexecdir}/%{name}
 install -p -m0755 bin/gvproxy %{buildroot}%{_libexecdir}/%{name}
 popd
 # do not include docker and podman-remote man pages in main package
 for file in `find %{buildroot}%{_mandir}/man[15] -type f | sed "s,%{buildroot},," | grep -v -e remote -e docker`; do
    echo "$file*" >> podman.file-list
 done
 %global license %doc
 %files
 %license LICENSE
-%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
+%doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md transfer.md
 %{_bindir}/%{name}
-%{_datadir}/bash-completion/completions/*
+%{_datadir}/bash-completion/completions/%{name}
-%config(noreplace) %{_sysconfdir}/cni/net.d/87-%{name}-bridge.conflist
+%dir %{_datadir}/zsh/site-functions
-%{_datadir}/containers/libpod.conf
+%{_datadir}/zsh/site-functions/_%{name}
-%{_unitdir}/{io.%{name}.service,io.%{name}.socket}
+%dir %{_datadir}/fish/vendor_completions.d
 %{_datadir}/fish/vendor_completions.d/%{name}.fish
 %{_unitdir}/%{name}-auto-update.service
 %{_unitdir}/%{name}-auto-update.timer
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}.socket
 %{_unitdir}/%{name}-restart.service
 %{_userunitdir}/%{name}-auto-update.service
 %{_userunitdir}/%{name}-auto-update.timer
 %{_userunitdir}/%{name}.service
 %{_userunitdir}/%{name}.socket
 %{_userunitdir}/%{name}-restart.service
 %{_usr}/lib/tmpfiles.d/%{name}.conf
 %files -n python3-podman
 %license LICENSE
 %doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
 %dir %{python3_sitelib}/%{name}
 %{python3_sitelib}/%{name}/*
 %{python3_sitelib}/%{name}*.egg-info
 %files -n python3-pypodman
 %license LICENSE
 %doc README.md CONTRIBUTING.md pkg/hooks/README-hooks.md install.md code-of-conduct.md transfer.md
 %dir %{python3_sitelib}/py%{name}
 %{python3_sitelib}/py%{name}/*
 %{python3_sitelib}/py%{name}*.egg-info
 %{_bindir}/py%{name}
 %files docker
 %{_bindir}/docker
 %{_usr}/lib/tmpfiles.d/%{name}-docker.conf
 %files help
 %{_mandir}/man1/{docker*.1*,podman*.1*}
 %{_mandir}/man5/*.5*
 %files remote
 %license LICENSE
 %{_bindir}/%{name}-remote
 %{_mandir}/man1/%{name}-remote*.*
 %{_datadir}/bash-completion/completions/%{name}-remote
 %dir %{_datadir}/fish/vendor_completions.d
 %{_datadir}/fish/vendor_completions.d/%{name}-remote.fish
 %dir %{_datadir}/zsh/site-functions
 %{_datadir}/zsh/site-functions/_%{name}-remote
 %files plugins
 %license dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/LICENSE
 %doc dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/{README.md,README_PODMAN.md}
 %dir %{_libexecdir}/cni
 %{_libexecdir}/cni/dnsname
 %{_libexecdir}/cni/%{name}-machine
 %files gvproxy
 %license gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/LICENSE
 %doc gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/README.md
 %dir %{_libexecdir}/%{name}
 %{_libexecdir}/%{name}/gvproxy
 %changelog
 * Tue Jul 05 2022 fushanqing <fushanqing@kylinos.cn> - 0:3.4.4-1
 - update to 3.4.4
 * Thu Apr 14 2022 wangkai<wangkai385@h-partners.com> - 0.10.1-12
 - Fix build error
--- a/v3.4.4.tar.gz
+++ b/v3.4.4.tar.gz