fix(deps): update module github.com/containers/storage to v1.55.1

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/containers/common v0.60.4
 	github.com/containers/image/v5 v5.32.2
 	github.com/containers/ocicrypt v1.2.0
-	github.com/containers/storage v1.55.0
+	github.com/containers/storage v1.55.1
 	github.com/docker/distribution v2.8.3+incompatible
 	github.com/moby/sys/capability v0.3.0
 	github.com/opencontainers/go-digest v1.0.0

go.sum

@@ -45,8 +45,8 @@ github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYgle
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.2.0 h1:X14EgRK3xNFvJEfI5O4Qn4T3E25ANudSOZz/sirVuPM=
 github.com/containers/ocicrypt v1.2.0/go.mod h1:ZNviigQajtdlxIZGibvblVuIFBKIuUI2M0QM12SD31U=
-github.com/containers/storage v1.55.0 h1:wTWZ3YpcQf1F+dSP4KxG9iqDfpQY1otaUXjPpffuhgg=
+github.com/containers/storage v1.55.1 h1:ius7angdTqxO56hmTJnAznyEcUnYeLOV3ybwLozA/h8=
-github.com/containers/storage v1.55.0/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
+github.com/containers/storage v1.55.1/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
 github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
 github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=

vendor/github.com/containers/storage/.cirrus.yml

@@ -120,7 +120,7 @@ lint_task:
     env:
         CIRRUS_WORKING_DIR: "/go/src/github.com/containers/storage"
     container:
-        image: golang
+        image: golang:1.21
     modules_cache:
         fingerprint_script: cat go.sum
         folder: $GOPATH/pkg/mod

vendor/github.com/containers/storage/VERSION

@@ -1 +1 @@
-1.55.0
+1.55.1

vendor/github.com/containers/storage/userns.go

@@ -1,18 +1,21 @@
+//go:build linux
+
 package storage
 
 import (
 	"fmt"
 	"os"
 	"os/user"
-	"path/filepath"
 	"strconv"
 
 	drivers "github.com/containers/storage/drivers"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/containers/storage/pkg/unshare"
 	"github.com/containers/storage/types"
+	securejoin "github.com/cyphar/filepath-securejoin"
 	libcontainerUser "github.com/moby/sys/user"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 )
 
 // getAdditionalSubIDs looks up the additional IDs configured for
@@ -85,40 +88,59 @@ const nobodyUser = 65534
 // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
 // /etc/group files.
 func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
+	var (
+		passwd *os.File
+		group  *os.File
+		size   int
+		err    error
+	)
 	if passwdFile == "" {
-		passwdFile = filepath.Join(containerMount, "etc/passwd")
+		passwd, err = secureOpen(containerMount, "/etc/passwd")
-	}
+	} else {
-	if groupFile == "" {
+		// User-specified override from a volume. Will not be in
-		groupFile = filepath.Join(groupFile, "etc/group")
+		// container root.
+		passwd, err = os.Open(passwdFile)
 	}
+	if err == nil {
+		defer passwd.Close()
 
-	size := 0
+		users, err := libcontainerUser.ParsePasswd(passwd)
-
-	users, err := libcontainerUser.ParsePasswdFile(passwdFile)
 		if err == nil {
 			for _, u := range users {
 				// Skip the "nobody" user otherwise we end up with 65536
 				// ids with most images
-			if u.Name == "nobody" {
+				if u.Name == "nobody" || u.Name == "nogroup" {
 					continue
 				}
 				if u.Uid > size && u.Uid != nobodyUser {
-				size = u.Uid
+					size = u.Uid + 1
 				}
 				if u.Gid > size && u.Gid != nobodyUser {
-				size = u.Gid
+					size = u.Gid + 1
+				}
 			}
 		}
 	}
 
-	groups, err := libcontainerUser.ParseGroupFile(groupFile)
+	if groupFile == "" {
+		group, err = secureOpen(containerMount, "/etc/group")
+	} else {
+		// User-specified override from a volume. Will not be in
+		// container root.
+		group, err = os.Open(groupFile)
+	}
+	if err == nil {
+		defer group.Close()
+
+		groups, err := libcontainerUser.ParseGroup(group)
 		if err == nil {
 			for _, g := range groups {
-			if g.Name == "nobody" {
+				if g.Name == "nobody" || g.Name == "nogroup" {
 					continue
 				}
 				if g.Gid > size && g.Gid != nobodyUser {
-				size = g.Gid
+					size = g.Gid + 1
+				}
 			}
 		}
 	}
@@ -309,3 +331,14 @@ func getAutoUserNSIDMappings(
 	gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
 	return uidMap, gidMap, nil
 }
+
+// Securely open (read-only) a file in a container mount.
+func secureOpen(containerMount, file string) (*os.File, error) {
+	tmpFile, err := securejoin.OpenInRoot(containerMount, file)
+	if err != nil {
+		return nil, err
+	}
+	defer tmpFile.Close()
+
+	return securejoin.Reopen(tmpFile, unix.O_RDONLY)
+}

vendor/github.com/containers/storage/userns_unsupported.go

@@ -0,0 +1,14 @@
+//go:build !linux
+
+package storage
+
+import (
+	"errors"
+
+	"github.com/containers/storage/pkg/idtools"
+	"github.com/containers/storage/types"
+)
+
+func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
+	return nil, nil, errors.New("user namespaces are not supported on this platform")
+}

vendor/modules.txt

@@ -165,7 +165,7 @@ github.com/containers/ocicrypt/keywrap/pkcs7
 github.com/containers/ocicrypt/spec
 github.com/containers/ocicrypt/utils
 github.com/containers/ocicrypt/utils/keyprovider
-# github.com/containers/storage v1.55.0
+# github.com/containers/storage v1.55.1
 ## explicit; go 1.21
 github.com/containers/storage
 github.com/containers/storage/drivers