This new version includes the fixes for CVE-2025-52881, so we can remove
the internal/third_party copy of the library we added in commit
ed6b1693b8 ("selinux: use safe procfs API for labels") as well as the
"replace" directive in go.mod (which is problematic for "go get"
installs).

Fixes: ed6b1693b8 ("selinux: use safe procfs API for labels")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This commit is contained in:
Aleksa Sarai
2025-11-08 02:10:48 +11:00
parent 846835cce9
commit 96f1962f91
67 changed files with 2240 additions and 4909 deletions
+3 -6
View File
@@ -153,12 +153,9 @@ jobs:
- name: no toolchain in go.mod # See https://github.com/opencontainers/runc/pull/4717, https://github.com/dependabot/dependabot-core/issues/11933.
run: |
if grep -q '^toolchain ' go.mod; then echo "Error: go.mod must not have toolchain directive, please fix"; exit 1; fi
# FIXME: This check needed to be disabled for the go-selinux patch addded
# when patching CVE-2025-52881. This needs to be removed as soon as
# the embargo is lifted, along with the replace directive in go.mod.
#- name: no exclude nor replace in go.mod
# run: |
# if grep -Eq '^\s*(exclude|replace) ' go.mod; then echo "Error: go.mod must not have exclude/replace directive, it breaks go install. Please fix"; exit 1; fi
- name: no exclude nor replace in go.mod
run: |
if grep -Eq '^\s*(exclude|replace) ' go.mod; then echo "Error: go.mod must not have exclude/replace directive, it breaks go install. Please fix"; exit 1; fi
commit: