From d8f2e8bcb7e8542e3994ad963200befc7616af11 Mon Sep 17 00:00:00 2001
From: Kornilios Kourtis <kornilios@isovalent.com>
Date: Fri, 18 Oct 2024 09:05:51 +0200
Subject: [PATCH] chore: update containers/common

This is to avoid scanners complaining about
https://github.com/advisories/GHSA-mc76-5925-c5p6.

Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
---
 contrib/rthooks/tetragon-oci-hook/go.mod      |   17 +-
 contrib/rthooks/tetragon-oci-hook/go.sum      |   43 +-
 .../containers/common/pkg/hooks/1.0.0/hook.go |    4 +-
 .../github.com/containers/storage/AUTHORS     | 1523 +++++++++++++++++
 .../github.com/containers/storage/LICENSE     |  191 +++
 .../github.com/containers/storage/NOTICE      |   19 +
 .../storage/pkg/fileutils/exists_unix.go      |   34 +
 .../storage/pkg/fileutils/exists_windows.go   |   18 +
 .../storage/pkg/fileutils/fileutils.go        |  371 ++++
 .../storage/pkg/fileutils/fileutils_darwin.go |   27 +
 .../pkg/fileutils/fileutils_solaris.go        |    7 +
 .../storage/pkg/fileutils/fileutils_unix.go   |   22 +
 .../pkg/fileutils/fileutils_windows.go        |    7 +
 .../cyphar/filepath-securejoin/CHANGELOG.md   |  138 ++
 .../cyphar/filepath-securejoin/LICENSE        |    2 +-
 .../cyphar/filepath-securejoin/README.md      |  139 +-
 .../cyphar/filepath-securejoin/VERSION        |    2 +-
 .../cyphar/filepath-securejoin/join.go        |   85 +-
 .../filepath-securejoin/lookup_linux.go       |  389 +++++
 .../cyphar/filepath-securejoin/mkdir_linux.go |  229 +++
 .../cyphar/filepath-securejoin/open_linux.go  |  101 ++
 .../filepath-securejoin/openat2_linux.go      |  141 ++
 .../filepath-securejoin/openat_linux.go       |   59 +
 .../filepath-securejoin/procfs_linux.go       |  474 +++++
 .../testing_mocks_linux.go                    |   68 +
 .../cyphar/filepath-securejoin/vfs.go         |    2 +-
 .../moby/sys/mountinfo/mounted_linux.go       |    2 +-
 .../runc/libcontainer/cgroups/fs/cpu.go       |   20 +-
 .../runc/libcontainer/user/user.go            |    1 -
 .../vendor/golang.org/x/exp/LICENSE           |    4 +-
 .../vendor/golang.org/x/exp/slices/sort.go    |    4 +-
 .../vendor/golang.org/x/net/LICENSE           |    4 +-
 .../golang.org/x/net/http2/transport.go       |    4 -
 .../vendor/golang.org/x/sys/LICENSE           |    4 +-
 .../vendor/golang.org/x/sys/unix/mkerrors.sh  |    1 +
 .../golang.org/x/sys/unix/syscall_darwin.go   |   12 +
 .../golang.org/x/sys/unix/syscall_linux.go    |    1 +
 .../golang.org/x/sys/unix/syscall_openbsd.go  |    1 +
 .../x/sys/unix/zerrors_darwin_amd64.go        |    5 +
 .../x/sys/unix/zerrors_darwin_arm64.go        |    5 +
 .../golang.org/x/sys/unix/zerrors_linux.go    |   38 +-
 .../x/sys/unix/zerrors_linux_386.go           |    2 +
 .../x/sys/unix/zerrors_linux_amd64.go         |    2 +
 .../x/sys/unix/zerrors_linux_arm.go           |    2 +
 .../x/sys/unix/zerrors_linux_arm64.go         |    2 +
 .../x/sys/unix/zerrors_linux_loong64.go       |    2 +
 .../x/sys/unix/zerrors_linux_mips.go          |    2 +
 .../x/sys/unix/zerrors_linux_mips64.go        |    2 +
 .../x/sys/unix/zerrors_linux_mips64le.go      |    2 +
 .../x/sys/unix/zerrors_linux_mipsle.go        |    2 +
 .../x/sys/unix/zerrors_linux_ppc.go           |    2 +
 .../x/sys/unix/zerrors_linux_ppc64.go         |    2 +
 .../x/sys/unix/zerrors_linux_ppc64le.go       |    2 +
 .../x/sys/unix/zerrors_linux_riscv64.go       |    2 +
 .../x/sys/unix/zerrors_linux_s390x.go         |    2 +
 .../x/sys/unix/zerrors_linux_sparc64.go       |    2 +
 .../x/sys/unix/zsyscall_darwin_amd64.go       |   48 +
 .../x/sys/unix/zsyscall_darwin_amd64.s        |   10 +
 .../x/sys/unix/zsyscall_darwin_arm64.go       |   48 +
 .../x/sys/unix/zsyscall_darwin_arm64.s        |   10 +
 .../golang.org/x/sys/unix/zsyscall_linux.go   |   16 +
 .../x/sys/unix/zsyscall_openbsd_386.go        |   24 +
 .../x/sys/unix/zsyscall_openbsd_386.s         |    5 +
 .../x/sys/unix/zsyscall_openbsd_amd64.go      |   24 +
 .../x/sys/unix/zsyscall_openbsd_amd64.s       |    5 +
 .../x/sys/unix/zsyscall_openbsd_arm.go        |   24 +
 .../x/sys/unix/zsyscall_openbsd_arm.s         |    5 +
 .../x/sys/unix/zsyscall_openbsd_arm64.go      |   24 +
 .../x/sys/unix/zsyscall_openbsd_arm64.s       |    5 +
 .../x/sys/unix/zsyscall_openbsd_mips64.go     |   24 +
 .../x/sys/unix/zsyscall_openbsd_mips64.s      |    5 +
 .../x/sys/unix/zsyscall_openbsd_ppc64.go      |   24 +
 .../x/sys/unix/zsyscall_openbsd_ppc64.s       |    6 +
 .../x/sys/unix/zsyscall_openbsd_riscv64.go    |   24 +
 .../x/sys/unix/zsyscall_openbsd_riscv64.s     |    5 +
 .../x/sys/unix/zsysnum_linux_386.go           |    1 +
 .../x/sys/unix/zsysnum_linux_amd64.go         |    1 +
 .../x/sys/unix/zsysnum_linux_arm.go           |    1 +
 .../x/sys/unix/zsysnum_linux_arm64.go         |    1 +
 .../x/sys/unix/zsysnum_linux_loong64.go       |    1 +
 .../x/sys/unix/zsysnum_linux_mips.go          |    1 +
 .../x/sys/unix/zsysnum_linux_mips64.go        |    1 +
 .../x/sys/unix/zsysnum_linux_mips64le.go      |    1 +
 .../x/sys/unix/zsysnum_linux_mipsle.go        |    1 +
 .../x/sys/unix/zsysnum_linux_ppc.go           |    1 +
 .../x/sys/unix/zsysnum_linux_ppc64.go         |    1 +
 .../x/sys/unix/zsysnum_linux_ppc64le.go       |    1 +
 .../x/sys/unix/zsysnum_linux_riscv64.go       |    1 +
 .../x/sys/unix/zsysnum_linux_s390x.go         |    1 +
 .../x/sys/unix/zsysnum_linux_sparc64.go       |    1 +
 .../golang.org/x/sys/unix/ztypes_linux.go     |   10 +-
 .../x/sys/windows/security_windows.go         |    2 +-
 .../x/sys/windows/syscall_windows.go          |   12 +-
 .../golang.org/x/sys/windows/types_windows.go |   71 +-
 .../x/sys/windows/zsyscall_windows.go         |   49 +-
 .../vendor/golang.org/x/text/LICENSE          |    4 +-
 .../tetragon-oci-hook/vendor/modules.txt      |   27 +-
 97 files changed, 4628 insertions(+), 146 deletions(-)
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/AUTHORS
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/LICENSE
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/NOTICE
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/exists_unix.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/exists_windows.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_darwin.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_solaris.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_unix.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_windows.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/open_linux.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go
 create mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/testing_mocks_linux.go

diff --git a/contrib/rthooks/tetragon-oci-hook/go.mod b/contrib/rthooks/tetragon-oci-hook/go.mod
index a1ab984d84c..489d0a81393 100644
--- a/contrib/rthooks/tetragon-oci-hook/go.mod
+++ b/contrib/rthooks/tetragon-oci-hook/go.mod
@@ -7,9 +7,9 @@ require (
 	github.com/alecthomas/kong v0.9.0
 	github.com/cilium/lumberjack/v2 v2.3.0
 	github.com/cilium/tetragon/api v0.0.0-00010101000000-000000000000
-	github.com/containers/common v0.58.2
+	github.com/containers/common v0.60.4
 	github.com/google/cel-go v0.20.1
-	github.com/opencontainers/runc v1.1.12
+	github.com/opencontainers/runc v1.1.13
 	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
@@ -19,17 +19,18 @@ require (
 require (
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/cilium/ebpf v0.12.3 // indirect
+	github.com/containers/storage v1.55.0 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
-	github.com/moby/sys/mountinfo v0.7.1 // indirect
+	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
-	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect
-	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/sys v0.22.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/sys v0.24.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
diff --git a/contrib/rthooks/tetragon-oci-hook/go.sum b/contrib/rthooks/tetragon-oci-hook/go.sum
index 010f14e519f..3f2fbff7e3c 100644
--- a/contrib/rthooks/tetragon-oci-hook/go.sum
+++ b/contrib/rthooks/tetragon-oci-hook/go.sum
@@ -1,6 +1,6 @@
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
-github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/alecthomas/assert/v2 v2.6.0 h1:o3WJwILtexrEUk3cUVal3oiQY2tfgr/FHWiz/v2n4FU=
 github.com/alecthomas/assert/v2 v2.6.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
 github.com/alecthomas/kong v0.9.0 h1:G5diXxc85KvoV2f0ZRVuMsi45IrBgx9zDNGNj165aPA=
@@ -13,12 +13,14 @@ github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4=
 github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM=
 github.com/cilium/lumberjack/v2 v2.3.0 h1:IhVJMvPpqDYmQzC0KDhAoy7KlaRsyOsZnT97Nsa3u0o=
 github.com/cilium/lumberjack/v2 v2.3.0/go.mod h1:yfbtPGmg4i//5oEqzaMxDqSWqgfZFmMoV70Mc2k6v0A=
-github.com/containers/common v0.58.2 h1:5nu9lQz4QNSgovNk7NRk33SkqkVNKYoXh7L6gXmACow=
-github.com/containers/common v0.58.2/go.mod h1:l3vMqanJGj7tZ3W/i76gEJ128VXgFUO1tLaohJXPvdk=
+github.com/containers/common v0.60.4 h1:H5+LAMHPZEqX6vVNOQ+IguVsaFl8kbO/SZ/VPXjxhy0=
+github.com/containers/common v0.60.4/go.mod h1:I0upBi1qJX3QmzGbUOBN1LVP6RvkKhd3qQpZbQT+Q54=
+github.com/containers/storage v1.55.0 h1:wTWZ3YpcQf1F+dSP4KxG9iqDfpQY1otaUXjPpffuhgg=
+github.com/containers/storage v1.55.0/go.mod h1:28cB81IDk+y7ok60Of6u52RbCeBRucbFOeLunhER1RQ=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE=
+github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -38,17 +40,17 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
-github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
-github.com/opencontainers/runc v1.1.12 h1:BOIssBaW1La0/qbNZHXOOa71dZfZEQOzW7dqQf3phss=
-github.com/opencontainers/runc v1.1.12/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8=
+github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
+github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
+github.com/opencontainers/runc v1.1.13 h1:98S2srgG9vw0zWcDpFMn5TRrh8kLxa/5OFUstuUhmRs=
+github.com/opencontainers/runc v1.1.13/go.mod h1:R016aXacfp/gwQBYw2FDGa9m+n6atbLWrYY8hNMT/sA=
 github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY=
 github.com/seccomp/libseccomp-golang v0.10.0/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
@@ -60,16 +62,15 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ=
-golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
+golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237 h1:RFiFrvy37/mpSpdySBDrUdipW/dHwsRwh3J3+A9VgT4=
 google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237/go.mod h1:Z5Iiy3jtmioajWHDGFk7CeugTyHtPvMHA4UTmUkyalE=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/common/pkg/hooks/1.0.0/hook.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/common/pkg/hooks/1.0.0/hook.go
index 71f940a64cb..be78b0cfbd6 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/common/pkg/hooks/1.0.0/hook.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/common/pkg/hooks/1.0.0/hook.go
@@ -5,9 +5,9 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"os"
 	"regexp"
 
+	"github.com/containers/storage/pkg/fileutils"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -44,7 +44,7 @@ func (hook *Hook) Validate(extensionStages []string) (err error) {
 		return errors.New("missing required property: hook.path")
 	}
 
-	if _, err := os.Stat(hook.Hook.Path); err != nil {
+	if err := fileutils.Exists(hook.Hook.Path); err != nil {
 		return err
 	}
 
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/AUTHORS b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/AUTHORS
new file mode 100644
index 00000000000..129dd39692a
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/AUTHORS
@@ -0,0 +1,1523 @@
+# This file lists all individuals having contributed content to the repository.
+# For how it is generated, see `hack/generate-authors.sh`.
+
+Aanand Prasad <aanand.prasad@gmail.com>
+Aaron Davidson <aaron@databricks.com>
+Aaron Feng <aaron.feng@gmail.com>
+Aaron Huslage <huslage@gmail.com>
+Aaron Lehmann <aaron.lehmann@docker.com>
+Aaron Welch <welch@packet.net>
+Abel Muiño <amuino@gmail.com>
+Abhijeet Kasurde <akasurde@redhat.com>
+Abhinav Ajgaonkar <abhinav316@gmail.com>
+Abhishek Chanda <abhishek.becs@gmail.com>
+Abin Shahab <ashahab@altiscale.com>
+Adam Miller <admiller@redhat.com>
+Adam Singer <financeCoding@gmail.com>
+Aditi Rajagopal <arajagopal@us.ibm.com>
+Aditya <aditya@netroy.in>
+Adria Casas <adriacasas88@gmail.com>
+Adrian Mouat <adrian.mouat@gmail.com>
+Adrian Oprea <adrian@codesi.nz>
+Adrien Folie <folie.adrien@gmail.com>
+Adrien Gallouët <adrien@gallouet.fr>
+Ahmed Kamal <email.ahmedkamal@googlemail.com>
+Ahmet Alp Balkan <ahmetb@microsoft.com>
+Aidan Feldman <aidan.feldman@gmail.com>
+Aidan Hobson Sayers <aidanhs@cantab.net>
+AJ Bowen <aj@gandi.net>
+Ajey Charantimath <ajey.charantimath@gmail.com>
+ajneu <ajneu@users.noreply.github.com>
+Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
+Al Tobey <al@ooyala.com>
+alambike <alambike@gmail.com>
+Alan Scherger <flyinprogrammer@gmail.com>
+Alan Thompson <cloojure@gmail.com>
+Albert Callarisa <shark234@gmail.com>
+Albert Zhang <zhgwenming@gmail.com>
+Aleksa Sarai <asarai@suse.de>
+Aleksandrs Fadins <aleks@s-ko.net>
+Alena Prokharchyk <alena@rancher.com>
+Alessandro Boch <aboch@docker.com>
+Alessio Biancalana <dottorblaster@gmail.com>
+Alex Chan <alex@alexwlchan.net>
+Alex Crawford <alex.crawford@coreos.com>
+Alex Ellis <alexellis2@gmail.com>
+Alex Gaynor <alex.gaynor@gmail.com>
+Alex Samorukov <samm@os2.kiev.ua>
+Alex Warhawk <ax.warhawk@gmail.com>
+Alexander Artemenko <svetlyak.40wt@gmail.com>
+Alexander Boyd <alex@opengroove.org>
+Alexander Larsson <alexl@redhat.com>
+Alexander Morozov <lk4d4@docker.com>
+Alexander Shopov <ash@kambanaria.org>
+Alexandre Beslic <abronan@docker.com>
+Alexandre González <agonzalezro@gmail.com>
+Alexandru Sfirlogea <alexandru.sfirlogea@gmail.com>
+Alexey Guskov <lexag@mail.ru>
+Alexey Kotlyarov <alexey@infoxchange.net.au>
+Alexey Shamrin <shamrin@gmail.com>
+Alexis THOMAS <fr.alexisthomas@gmail.com>
+Ali Dehghani <ali.dehghani.g@gmail.com>
+Allen Madsen <blatyo@gmail.com>
+Allen Sun <allen.sun@daocloud.io>
+almoehi <almoehi@users.noreply.github.com>
+Alvin Richards <alvin.richards@docker.com>
+amangoel <amangoel@gmail.com>
+Amen Belayneh <amenbelayneh@gmail.com>
+Amit Bakshi <ambakshi@gmail.com>
+Amit Krishnan <amit.krishnan@oracle.com>
+Amy Lindburg <amy.lindburg@docker.com>
+Anand Patil <anand.prabhakar.patil@gmail.com>
+AnandkumarPatel <anandkumarpatel@gmail.com>
+Anatoly Borodin <anatoly.borodin@gmail.com>
+Anchal Agrawal <aagrawa4@illinois.edu>
+Anders Janmyr <anders@janmyr.com>
+Andre Dublin <81dublin@gmail.com>
+Andre Granovsky <robotciti@live.com>
+Andrea Luzzardi <aluzzardi@gmail.com>
+Andrea Turli <andrea.turli@gmail.com>
+Andreas Köhler <andi5.py@gmx.net>
+Andreas Savvides <andreas@editd.com>
+Andreas Tiefenthaler <at@an-ti.eu>
+Andrew C. Bodine <acbodine@us.ibm.com>
+Andrew Clay Shafer <andrewcshafer@gmail.com>
+Andrew Duckworth <grillopress@gmail.com>
+Andrew France <andrew@avito.co.uk>
+Andrew Gerrand <adg@golang.org>
+Andrew Guenther <guenther.andrew.j@gmail.com>
+Andrew Kuklewicz <kookster@gmail.com>
+Andrew Macgregor <andrew.macgregor@agworld.com.au>
+Andrew Macpherson <hopscotch23@gmail.com>
+Andrew Martin <sublimino@gmail.com>
+Andrew Munsell <andrew@wizardapps.net>
+Andrew Weiss <andrew.weiss@outlook.com>
+Andrew Williams <williams.andrew@gmail.com>
+Andrews Medina <andrewsmedina@gmail.com>
+Andrey Petrov <andrey.petrov@shazow.net>
+Andrey Stolbovsky <andrey.stolbovsky@gmail.com>
+André Martins <aanm90@gmail.com>
+andy <ztao@tibco-support.com>
+Andy Chambers <anchambers@paypal.com>
+andy diller <dillera@gmail.com>
+Andy Goldstein <agoldste@redhat.com>
+Andy Kipp <andy@rstudio.com>
+Andy Rothfusz <github@developersupport.net>
+Andy Smith <github@anarkystic.com>
+Andy Wilson <wilson.andrew.j+github@gmail.com>
+Anes Hasicic <anes.hasicic@gmail.com>
+Anil Belur <askb23@gmail.com>
+Ankush Agarwal <ankushagarwal11@gmail.com>
+Anonmily <michelle@michelleliu.io>
+Anthon van der Neut <anthon@mnt.org>
+Anthony Baire <Anthony.Baire@irisa.fr>
+Anthony Bishopric <git@anthonybishopric.com>
+Anthony Dahanne <anthony.dahanne@gmail.com>
+Anton Löfgren <anton.lofgren@gmail.com>
+Anton Nikitin <anton.k.nikitin@gmail.com>
+Anton Polonskiy <anton.polonskiy@gmail.com>
+Anton Tiurin <noxiouz@yandex.ru>
+Antonio Murdaca <antonio.murdaca@gmail.com>
+Antony Messerli <amesserl@rackspace.com>
+Anuj Bahuguna <anujbahuguna.dev@gmail.com>
+Anusha Ragunathan <anusha.ragunathan@docker.com>
+apocas <petermdias@gmail.com>
+ArikaChen <eaglesora@gmail.com>
+Arnaud Porterie <arnaud.porterie@docker.com>
+Arthur Barr <arthur.barr@uk.ibm.com>
+Arthur Gautier <baloo@gandi.net>
+Artur Meyster <arthurfbi@yahoo.com>
+Arun Gupta <arun.gupta@gmail.com>
+Asbjørn Enge <asbjorn@hanafjedle.net>
+averagehuman <averagehuman@users.noreply.github.com>
+Avi Das <andas222@gmail.com>
+Avi Miller <avi.miller@oracle.com>
+ayoshitake <airandfingers@gmail.com>
+Azat Khuyiyakhmetov <shadow_uz@mail.ru>
+Bardia Keyoumarsi <bkeyouma@ucsc.edu>
+Barnaby Gray <barnaby@pickle.me.uk>
+Barry Allard <barry.allard@gmail.com>
+Bartłomiej Piotrowski <b@bpiotrowski.pl>
+Bastiaan Bakker <bbakker@xebia.com>
+bdevloed <boris.de.vloed@gmail.com>
+Ben Firshman <ben@firshman.co.uk>
+Ben Golub <ben.golub@dotcloud.com>
+Ben Hall <ben@benhall.me.uk>
+Ben Sargent <ben@brokendigits.com>
+Ben Severson <BenSeverson@users.noreply.github.com>
+Ben Toews <mastahyeti@gmail.com>
+Ben Wiklund <ben@daisyowl.com>
+Benjamin Atkin <ben@benatkin.com>
+Benoit Chesneau <bchesneau@gmail.com>
+Bernerd Schaefer <bj.schaefer@gmail.com>
+Bert Goethals <bert@bertg.be>
+Bharath Thiruveedula <bharath_ves@hotmail.com>
+Bhiraj Butala <abhiraj.butala@gmail.com>
+Bill W <SydOps@users.noreply.github.com>
+bin liu <liubin0329@users.noreply.github.com>
+Blake Geno <blakegeno@gmail.com>
+Boaz Shuster <ripcurld.github@gmail.com>
+bobby abbott <ttobbaybbob@gmail.com>
+boucher <rboucher@gmail.com>
+Bouke Haarsma <bouke@webatoom.nl>
+Boyd Hemphill <boyd@feedmagnet.com>
+boynux <boynux@gmail.com>
+Bradley Cicenas <bradley.cicenas@gmail.com>
+Bradley Wright <brad@intranation.com>
+Brandon Liu <bdon@bdon.org>
+Brandon Philips <brandon@ifup.org>
+Brandon Rhodes <brandon@rhodesmill.org>
+Brendan Dixon <brendand@microsoft.com>
+Brent Salisbury <brent.salisbury@docker.com>
+Brett Higgins <brhiggins@arbor.net>
+Brett Kochendorfer <brett.kochendorfer@gmail.com>
+Brian (bex) Exelbierd <bexelbie@redhat.com>
+Brian Bland <brian.bland@docker.com>
+Brian DeHamer <brian@dehamer.com>
+Brian Dorsey <brian@dorseys.org>
+Brian Flad <bflad417@gmail.com>
+Brian Goff <cpuguy83@gmail.com>
+Brian McCallister <brianm@skife.org>
+Brian Olsen <brian@maven-group.org>
+Brian Shumate <brian@couchbase.com>
+Brian Torres-Gil <brian@dralth.com>
+Brian Trump <btrump@yelp.com>
+Brice Jaglin <bjaglin@teads.tv>
+Briehan Lombaard <briehan.lombaard@gmail.com>
+Bruno Bigras <bigras.bruno@gmail.com>
+Bruno Binet <bruno.binet@gmail.com>
+Bruno Gazzera <bgazzera@paginar.com>
+Bruno Renié <brutasse@gmail.com>
+Bryan Bess <squarejaw@bsbess.com>
+Bryan Boreham <bjboreham@gmail.com>
+Bryan Matsuo <bryan.matsuo@gmail.com>
+Bryan Murphy <bmurphy1976@gmail.com>
+buddhamagnet <buddhamagnet@gmail.com>
+Burke Libbey <burke@libbey.me>
+Byung Kang <byung.kang.ctr@amrdec.army.mil>
+Caleb Spare <cespare@gmail.com>
+Calen Pennington <cale@edx.org>
+Cameron Boehmer <cameron.boehmer@gmail.com>
+Cameron Spear <cameronspear@gmail.com>
+Campbell Allen <campbell.allen@gmail.com>
+Candid Dauth <cdauth@cdauth.eu>
+Carl Henrik Lunde <chlunde@ping.uio.no>
+Carl X. Su <bcbcarl@gmail.com>
+Carlos Alexandro Becker <caarlos0@gmail.com>
+Carlos Sanchez <carlos@apache.org>
+Carol Fager-Higgins <carol.fager-higgins@docker.com>
+Cary <caryhartline@users.noreply.github.com>
+Casey Bisson <casey.bisson@joyent.com>
+Cedric Davies <cedricda@microsoft.com>
+Cezar Sa Espinola <cezarsa@gmail.com>
+Chad Swenson <chadswen@gmail.com>
+Chance Zibolski <chance.zibolski@gmail.com>
+Chander G <chandergovind@gmail.com>
+Charles Chan <charleswhchan@users.noreply.github.com>
+Charles Hooper <charles.hooper@dotcloud.com>
+Charles Law <claw@conduce.com>
+Charles Lindsay <chaz@chazomatic.us>
+Charles Merriam <charles.merriam@gmail.com>
+Charles Sarrazin <charles@sarraz.in>
+Charlie Lewis <charliel@lab41.org>
+Chase Bolt <chase.bolt@gmail.com>
+ChaYoung You <yousbe@gmail.com>
+Chen Chao <cc272309126@gmail.com>
+Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
+cheney90 <cheney-90@hotmail.com>
+Chewey <prosto-chewey@users.noreply.github.com>
+Chia-liang Kao <clkao@clkao.org>
+chli <chli@freewheel.tv>
+Cholerae Hu <choleraehyq@gmail.com>
+Chris Alfonso <calfonso@redhat.com>
+Chris Armstrong <chris@opdemand.com>
+Chris Dituri <csdituri@gmail.com>
+Chris Fordham <chris@fordham-nagy.id.au>
+Chris Khoo <chris.khoo@gmail.com>
+Chris McKinnel <chrismckinnel@gmail.com>
+Chris Seto <chriskseto@gmail.com>
+Chris Snow <chsnow123@gmail.com>
+Chris St. Pierre <chris.a.st.pierre@gmail.com>
+Chris Stivers <chris@stivers.us>
+Chris Swan <chris.swan@iee.org>
+Chris Wahl <github@wahlnetwork.com>
+Chris Weyl <cweyl@alumni.drew.edu>
+chrismckinnel <chris.mckinnel@tangentlabs.co.uk>
+Christian Berendt <berendt@b1-systems.de>
+Christian Böhme <developement@boehme3d.de>
+Christian Persson <saser@live.se>
+Christian Rotzoll <ch.rotzoll@gmail.com>
+Christian Simon <simon@swine.de>
+Christian Stefanescu <st.chris@gmail.com>
+ChristoperBiscardi <biscarch@sketcht.com>
+Christophe Mehay <cmehay@online.net>
+Christophe Troestler <christophe.Troestler@umons.ac.be>
+Christopher Currie <codemonkey+github@gmail.com>
+Christopher Jones <tophj@linux.vnet.ibm.com>
+Christopher Latham <sudosurootdev@gmail.com>
+Christopher Rigor <crigor@gmail.com>
+Christy Perez <christy@linux.vnet.ibm.com>
+Chun Chen <ramichen@tencent.com>
+Ciro S. Costa <ciro.costa@usp.br>
+Clayton Coleman <ccoleman@redhat.com>
+Clinton Kitson <clintonskitson@gmail.com>
+Coenraad Loubser <coenraad@wish.org.za>
+Colin Dunklau <colin.dunklau@gmail.com>
+Colin Rice <colin@daedrum.net>
+Colin Walters <walters@verbum.org>
+Collin Guarino <collin.guarino@gmail.com>
+Colm Hally <colmhally@gmail.com>
+companycy <companycy@gmail.com>
+Cory Forsyth <cory.forsyth@gmail.com>
+cressie176 <github@stephen-cresswell.net>
+Cristian Staretu <cristian.staretu@gmail.com>
+cristiano balducci <cristiano.balducci@gmail.com>
+Cruceru Calin-Cristian <crucerucalincristian@gmail.com>
+Cyril F <cyrilf7x@gmail.com>
+Daan van Berkel <daan.v.berkel.1980@gmail.com>
+Daehyeok Mun <daehyeok@gmail.com>
+Dafydd Crosby <dtcrsby@gmail.com>
+dalanlan <dalanlan925@gmail.com>
+Damien Nadé <github@livna.org>
+Damien Nozay <damien.nozay@gmail.com>
+Damjan Georgievski <gdamjan@gmail.com>
+Dan Anolik <dan@anolik.net>
+Dan Buch <d.buch@modcloth.com>
+Dan Cotora <dan@bluevision.ro>
+Dan Griffin <dgriffin@peer1.com>
+Dan Hirsch <thequux@upstandinghackers.com>
+Dan Keder <dan.keder@gmail.com>
+Dan Levy <dan@danlevy.net>
+Dan McPherson <dmcphers@redhat.com>
+Dan Stine <sw@stinemail.com>
+Dan Walsh <dwalsh@redhat.com>
+Dan Williams <me@deedubs.com>
+Daniel Antlinger <d.antlinger@gmx.at>
+Daniel Exner <dex@dragonslave.de>
+Daniel Farrell <dfarrell@redhat.com>
+Daniel Garcia <daniel@danielgarcia.info>
+Daniel Gasienica <daniel@gasienica.ch>
+Daniel Hiltgen <daniel.hiltgen@docker.com>
+Daniel Menet <membership@sontags.ch>
+Daniel Mizyrycki <daniel.mizyrycki@dotcloud.com>
+Daniel Nephin <dnephin@docker.com>
+Daniel Norberg <dano@spotify.com>
+Daniel Nordberg <dnordberg@gmail.com>
+Daniel Robinson <gottagetmac@gmail.com>
+Daniel S <dan.streby@gmail.com>
+Daniel Von Fange <daniel@leancoder.com>
+Daniel YC Lin <dlin.tw@gmail.com>
+Daniel Zhang <jmzwcn@gmail.com>
+Daniel, Dao Quang Minh <dqminh@cloudflare.com>
+Danny Berger <dpb587@gmail.com>
+Danny Yates <danny@codeaholics.org>
+Darren Coxall <darren@darrencoxall.com>
+Darren Shepherd <darren.s.shepherd@gmail.com>
+Darren Stahl <darst@microsoft.com>
+Dave Barboza <dbarboza@datto.com>
+Dave Henderson <Dave.Henderson@ca.ibm.com>
+Dave MacDonald <mindlapse@gmail.com>
+Dave Tucker <dt@docker.com>
+David Anderson <dave@natulte.net>
+David Calavera <david.calavera@gmail.com>
+David Corking <dmc-source@dcorking.com>
+David Cramer <davcrame@cisco.com>
+David Currie <david_currie@uk.ibm.com>
+David Davis <daviddavis@redhat.com>
+David Gageot <david@gageot.net>
+David Gebler <davidgebler@gmail.com>
+David Lawrence <david.lawrence@docker.com>
+David Mackey <tdmackey@booleanhaiku.com>
+David Mat <david@davidmat.com>
+David Mcanulty <github@hellspark.com>
+David Pelaez <pelaez89@gmail.com>
+David R. Jenni <david.r.jenni@gmail.com>
+David Röthlisberger <david@rothlis.net>
+David Sheets <sheets@alum.mit.edu>
+David Sissitka <me@dsissitka.com>
+David Xia <dxia@spotify.com>
+David Young <yangboh@cn.ibm.com>
+Davide Ceretti <davide.ceretti@hogarthww.com>
+Dawn Chen <dawnchen@google.com>
+dcylabs <dcylabs@gmail.com>
+decadent <decadent@users.noreply.github.com>
+deed02392 <georgehafiz@gmail.com>
+Deng Guangxing <dengguangxing@huawei.com>
+Deni Bertovic <deni@kset.org>
+Denis Gladkikh <denis@gladkikh.email>
+Denis Ollier <larchunix@users.noreply.github.com>
+Dennis Docter <dennis@d23.nl>
+Derek <crq@kernel.org>
+Derek <crquan@gmail.com>
+Derek Ch <denc716@gmail.com>
+Derek McGowan <derek@mcgstyle.net>
+Deric Crago <deric.crago@gmail.com>
+Deshi Xiao <dxiao@redhat.com>
+devmeyster <arthurfbi@yahoo.com>
+Devvyn Murphy <devvyn@devvyn.com>
+Dharmit Shah <shahdharmit@gmail.com>
+Dieter Reuter <dieter.reuter@me.com>
+Dima Stopel <dima@twistlock.com>
+Dimitri John Ledkov <dimitri.j.ledkov@intel.com>
+Dimitry Andric <d.andric@activevideo.com>
+Dinesh Subhraveti <dineshs@altiscale.com>
+Diogo Monica <diogo@docker.com>
+DiuDiugirl <sophia.wang@pku.edu.cn>
+Djibril Koné <kone.djibril@gmail.com>
+dkumor <daniel@dkumor.com>
+Dmitri Logvinenko <dmitri.logvinenko@gmail.com>
+Dmitry Demeshchuk <demeshchuk@gmail.com>
+Dmitry Gusev <dmitry.gusev@gmail.com>
+Dmitry V. Krivenok <krivenok.dmitry@gmail.com>
+Dmitry Vorobev <dimahabr@gmail.com>
+Dolph Mathews <dolph.mathews@gmail.com>
+Dominik Finkbeiner <finkes93@gmail.com>
+Dominik Honnef <dominik@honnef.co>
+Don Kirkby <donkirkby@users.noreply.github.com>
+Don Kjer <don.kjer@gmail.com>
+Don Spaulding <donspauldingii@gmail.com>
+Donald Huang <don.hcd@gmail.com>
+Dong Chen <dongluo.chen@docker.com>
+Donovan Jones <git@gamma.net.nz>
+Doug Davis <dug@us.ibm.com>
+Doug MacEachern <dougm@vmware.com>
+Doug Tangren <d.tangren@gmail.com>
+Dr Nic Williams <drnicwilliams@gmail.com>
+dragon788 <dragon788@users.noreply.github.com>
+Dražen Lučanin <kermit666@gmail.com>
+Dustin Sallings <dustin@spy.net>
+Ed Costello <epc@epcostello.com>
+Edmund Wagner <edmund-wagner@web.de>
+Eiichi Tsukata <devel@etsukata.com>
+Eike Herzbach <eike@herzbach.net>
+Eivind Uggedal <eivind@uggedal.com>
+Elan Ruusamäe <glen@delfi.ee>
+Elias Probst <mail@eliasprobst.eu>
+Elijah Zupancic <elijah@zupancic.name>
+eluck <mail@eluck.me>
+Elvir Kuric <elvirkuric@gmail.com>
+Emil Hernvall <emil@quench.at>
+Emily Maier <emily@emilymaier.net>
+Emily Rose <emily@contactvibe.com>
+Emir Ozer <emirozer@yandex.com>
+Enguerran <engcolson@gmail.com>
+Eohyung Lee <liquidnuker@gmail.com>
+Eric Hanchrow <ehanchrow@ine.com>
+Eric Lee <thenorthsecedes@gmail.com>
+Eric Myhre <hash@exultant.us>
+Eric Paris <eparis@redhat.com>
+Eric Rafaloff <erafaloff@gmail.com>
+Eric Rosenberg <ehaydenr@users.noreply.github.com>
+Eric Sage <eric.david.sage@gmail.com>
+Eric Windisch <eric@windisch.us>
+Eric Yang <windfarer@gmail.com>
+Eric-Olivier Lamey <eo@lamey.me>
+Erik Bray <erik.m.bray@gmail.com>
+Erik Dubbelboer <erik@dubbelboer.com>
+Erik Hollensbe <github@hollensbe.org>
+Erik Inge Bolsø <knan@redpill-linpro.com>
+Erik Kristensen <erik@erikkristensen.com>
+Erik Weathers <erikdw@gmail.com>
+Erno Hopearuoho <erno.hopearuoho@gmail.com>
+Erwin van der Koogh <info@erronis.nl>
+Euan <euank@amazon.com>
+Eugene Yakubovich <eugene.yakubovich@coreos.com>
+eugenkrizo <eugen.krizo@gmail.com>
+evalle <shmarnev@gmail.com>
+Evan Allrich <evan@unguku.com>
+Evan Carmi <carmi@users.noreply.github.com>
+Evan Hazlett <ejhazlett@gmail.com>
+Evan Krall <krall@yelp.com>
+Evan Phoenix <evan@fallingsnow.net>
+Evan Wies <evan@neomantra.net>
+Evgeny Vereshchagin <evvers@ya.ru>
+Ewa Czechowska <ewa@ai-traders.com>
+Eystein Måløy Stenberg <eystein.maloy.stenberg@cfengine.com>
+ezbercih <cem.ezberci@gmail.com>
+Fabiano Rosas <farosas@br.ibm.com>
+Fabio Falci <fabiofalci@gmail.com>
+Fabio Rehm <fgrehm@gmail.com>
+Fabrizio Regini <freegenie@gmail.com>
+Fabrizio Soppelsa <fsoppelsa@mirantis.com>
+Faiz Khan <faizkhan00@gmail.com>
+falmp <chico.lopes@gmail.com>
+Fangyuan Gao <21551127@zju.edu.cn>
+Fareed Dudhia <fareeddudhia@googlemail.com>
+Fathi Boudra <fathi.boudra@linaro.org>
+Federico Gimenez <fgimenez@coit.es>
+Felix Geisendörfer <felix@debuggable.com>
+Felix Hupfeld <quofelix@users.noreply.github.com>
+Felix Rabe <felix@rabe.io>
+Felix Schindler <fschindler@weluse.de>
+Ferenc Szabo <pragmaticfrank@gmail.com>
+Fernando <fermayo@gmail.com>
+Fero Volar <alian@alian.info>
+Filipe Brandenburger <filbranden@google.com>
+Filipe Oliveira <contato@fmoliveira.com.br>
+fl0yd <fl0yd@me.com>
+Flavio Castelli <fcastelli@suse.com>
+FLGMwt <ryan.stelly@live.com>
+Florian <FWirtz@users.noreply.github.com>
+Florian Klein <florian.klein@free.fr>
+Florian Maier <marsmensch@users.noreply.github.com>
+Florian Weingarten <flo@hackvalue.de>
+Florin Asavoaie <florin.asavoaie@gmail.com>
+Francesc Campoy <campoy@google.com>
+Francisco Carriedo <fcarriedo@gmail.com>
+Francisco Souza <f@souza.cc>
+Frank Groeneveld <frank@ivaldi.nl>
+Frank Herrmann <fgh@4gh.tv>
+Frank Macreery <frank@macreery.com>
+Frank Rosquin <frank.rosquin+github@gmail.com>
+Fred Lifton <fred.lifton@docker.com>
+Frederick F. Kautz IV <fkautz@redhat.com>
+Frederik Loeffert <frederik@zitrusmedia.de>
+Frederik Nordahl Jul Sabroe <frederikns@gmail.com>
+Freek Kalter <freek@kalteronline.org>
+fy2462 <fy2462@gmail.com>
+Félix Baylac-Jacqué <baylac.felix@gmail.com>
+Félix Cantournet <felix.cantournet@cloudwatt.com>
+Gabe Rosenhouse <gabe@missionst.com>
+Gabor Nagy <mail@aigeruth.hu>
+Gabriel Monroy <gabriel@opdemand.com>
+GabrielNicolasAvellaneda <avellaneda.gabriel@gmail.com>
+Galen Sampson <galen.sampson@gmail.com>
+Gareth Rushgrove <gareth@morethanseven.net>
+Garrett Barboza <garrett@garrettbarboza.com>
+Gaurav <gaurav.gosec@gmail.com>
+gautam, prasanna <prasannagautam@gmail.com>
+GennadySpb <lipenkov@gmail.com>
+Geoffrey Bachelet <grosfrais@gmail.com>
+George MacRorie <gmacr31@gmail.com>
+George Xie <georgexsh@gmail.com>
+Georgi Hristozov <georgi@forkbomb.nl>
+Gereon Frey <gereon.frey@dynport.de>
+German DZ <germ@ndz.com.ar>
+Gert van Valkenhoef <g.h.m.van.valkenhoef@rug.nl>
+Gianluca Borello <g.borello@gmail.com>
+Gildas Cuisinier <gildas.cuisinier@gcuisinier.net>
+gissehel <public-devgit-dantus@gissehel.org>
+Giuseppe Mazzotta <gdm85@users.noreply.github.com>
+Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
+Gleb M Borisov <borisov.gleb@gmail.com>
+Glyn Normington <gnormington@gopivotal.com>
+GoBella <caili_welcome@163.com>
+Goffert van Gool <goffert@phusion.nl>
+Gosuke Miyashita <gosukenator@gmail.com>
+Gou Rao <gourao@users.noreply.github.com>
+Govinda Fichtner <govinda.fichtner@googlemail.com>
+Grant Reaber <grant.reaber@gmail.com>
+Graydon Hoare <graydon@pobox.com>
+Greg Fausak <greg@tacodata.com>
+Greg Thornton <xdissent@me.com>
+grossws <grossws@gmail.com>
+grunny <mwgrunny@gmail.com>
+gs11 <gustav.sinder@gmail.com>
+Guilhem Lettron <guilhem+github@lettron.fr>
+Guilherme Salgado <gsalgado@gmail.com>
+Guillaume Dufour <gdufour.prestataire@voyages-sncf.com>
+Guillaume J. Charmes <guillaume.charmes@docker.com>
+guoxiuyan <guoxiuyan@huawei.com>
+Gurjeet Singh <gurjeet@singh.im>
+Guruprasad <lgp171188@gmail.com>
+gwx296173 <gaojing3@huawei.com>
+Günter Zöchbauer <guenter@gzoechbauer.com>
+Hans Kristian Flaatten <hans@starefossen.com>
+Hans Rødtang <hansrodtang@gmail.com>
+Hao Shu Wei <haosw@cn.ibm.com>
+Hao Zhang <21521210@zju.edu.cn>
+Harald Albers <github@albersweb.de>
+Harley Laue <losinggeneration@gmail.com>
+Harold Cooper <hrldcpr@gmail.com>
+Harry Zhang <harryzhang@zju.edu.cn>
+He Simei <hesimei@zju.edu.cn>
+heartlock <21521209@zju.edu.cn>
+Hector Castro <hectcastro@gmail.com>
+Henning Sprang <henning.sprang@gmail.com>
+Hobofan <goisser94@gmail.com>
+Hollie Teal <hollie@docker.com>
+Hong Xu <hong@topbug.net>
+hsinko <21551195@zju.edu.cn>
+Hu Keping <hukeping@huawei.com>
+Hu Tao <hutao@cn.fujitsu.com>
+Huanzhong Zhang <zhanghuanzhong90@gmail.com>
+Huayi Zhang <irachex@gmail.com>
+Hugo Duncan <hugo@hugoduncan.org>
+Hugo Marisco <0x6875676f@gmail.com>
+Hunter Blanks <hunter@twilio.com>
+huqun <huqun@zju.edu.cn>
+Huu Nguyen <huu@prismskylabs.com>
+hyeongkyu.lee <hyeongkyu.lee@navercorp.com>
+hyp3rdino <markus.kortlang@lhsystems.com>
+Hyzhou <1187766782@qq.com>
+Ian Babrou <ibobrik@gmail.com>
+Ian Bishop <ianbishop@pace7.com>
+Ian Bull <irbull@gmail.com>
+Ian Calvert <ianjcalvert@gmail.com>
+Ian Lee <IanLee1521@gmail.com>
+Ian Main <imain@redhat.com>
+Ian Truslove <ian.truslove@gmail.com>
+Iavael <iavaelooeyt@gmail.com>
+Icaro Seara <icaro.seara@gmail.com>
+Igor Dolzhikov <bluesriverz@gmail.com>
+Ilkka Laukkanen <ilkka@ilkka.io>
+Ilya Dmitrichenko <errordeveloper@gmail.com>
+Ilya Gusev <mail@igusev.ru>
+ILYA Khlopotov <ilya.khlopotov@gmail.com>
+imre Fitos <imre.fitos+github@gmail.com>
+inglesp <peter.inglesby@gmail.com>
+Ingo Gottwald <in.gottwald@gmail.com>
+Isaac Dupree <antispam@idupree.com>
+Isabel Jimenez <contact.isabeljimenez@gmail.com>
+Isao Jonas <isao.jonas@gmail.com>
+Ivan Babrou <ibobrik@gmail.com>
+Ivan Fraixedes <ifcdev@gmail.com>
+Ivan Grcic <igrcic@gmail.com>
+J Bruni <joaohbruni@yahoo.com.br>
+J. Nunn <jbnunn@gmail.com>
+Jack Danger Canty <jackdanger@squareup.com>
+Jacob Atzen <jacob@jacobatzen.dk>
+Jacob Edelman <edelman.jd@gmail.com>
+Jake Champlin <jake.champlin.27@gmail.com>
+Jake Moshenko <jake@devtable.com>
+jakedt <jake@devtable.com>
+James Allen <jamesallen0108@gmail.com>
+James Carey <jecarey@us.ibm.com>
+James Carr <james.r.carr@gmail.com>
+James DeFelice <james.defelice@ishisystems.com>
+James Harrison Fisher <jameshfisher@gmail.com>
+James Kyburz <james.kyburz@gmail.com>
+James Kyle <james@jameskyle.org>
+James Lal <james@lightsofapollo.com>
+James Mills <prologic@shortcircuit.net.au>
+James Nugent <james@jen20.com>
+James Turnbull <james@lovedthanlost.net>
+Jamie Hannaford <jamie.hannaford@rackspace.com>
+Jamshid Afshar <jafshar@yahoo.com>
+Jan Keromnes <janx@linux.com>
+Jan Koprowski <jan.koprowski@gmail.com>
+Jan Pazdziora <jpazdziora@redhat.com>
+Jan Toebes <jan@toebes.info>
+Jan-Gerd Tenberge <janten@gmail.com>
+Jan-Jaap Driessen <janjaapdriessen@gmail.com>
+Jana Radhakrishnan <mrjana@docker.com>
+Januar Wayong <januar@gmail.com>
+Jared Biel <jared.biel@bolderthinking.com>
+Jared Hocutt <jaredh@netapp.com>
+Jaroslaw Zabiello <hipertracker@gmail.com>
+jaseg <jaseg@jaseg.net>
+Jasmine Hegman <jasmine@jhegman.com>
+Jason Divock <jdivock@gmail.com>
+Jason Giedymin <jasong@apache.org>
+Jason Green <Jason.Green@AverInformatics.Com>
+Jason Hall <imjasonh@gmail.com>
+Jason Heiss <jheiss@aput.net>
+Jason Livesay <ithkuil@gmail.com>
+Jason McVetta <jason.mcvetta@gmail.com>
+Jason Plum <jplum@devonit.com>
+Jason Shepherd <jason@jasonshepherd.net>
+Jason Smith <jasonrichardsmith@gmail.com>
+Jason Sommer <jsdirv@gmail.com>
+Jason Stangroome <jason@codeassassin.com>
+jaxgeller <jacksongeller@gmail.com>
+Jay <imjching@hotmail.com>
+Jay <teguhwpurwanto@gmail.com>
+Jay Kamat <github@jgkamat.33mail.com>
+Jean-Baptiste Barth <jeanbaptiste.barth@gmail.com>
+Jean-Baptiste Dalido <jeanbaptiste@appgratis.com>
+Jean-Paul Calderone <exarkun@twistedmatrix.com>
+Jean-Tiare Le Bigot <jt@yadutaf.fr>
+Jeff Anderson <jeff@docker.com>
+Jeff Johnston <jeff.johnston.mn@gmail.com>
+Jeff Lindsay <progrium@gmail.com>
+Jeff Mickey <j@codemac.net>
+Jeff Minard <jeff@creditkarma.com>
+Jeff Nickoloff <jeff.nickoloff@gmail.com>
+Jeff Welch <whatthejeff@gmail.com>
+Jeffrey Bolle <jeffreybolle@gmail.com>
+Jeffrey Morgan <jmorganca@gmail.com>
+Jeffrey van Gogh <jvg@google.com>
+Jenny Gebske <jennifer@gebske.de>
+Jeremy Grosser <jeremy@synack.me>
+Jeremy Price <jprice.rhit@gmail.com>
+Jeremy Qian <vanpire110@163.com>
+Jeremy Unruh <jeremybunruh@gmail.com>
+Jeroen Jacobs <github@jeroenj.be>
+Jesse Dearing <jesse.dearing@gmail.com>
+Jesse Dubay <jesse@thefortytwo.net>
+Jessica Frazelle <jess@mesosphere.com>
+Jezeniel Zapanta <jpzapanta22@gmail.com>
+jgeiger <jgeiger@gmail.com>
+Jhon Honce <jhonce@redhat.com>
+Jian Zhang <zhangjian.fnst@cn.fujitsu.com>
+jianbosun <wonderflow.sun@gmail.com>
+Jilles Oldenbeuving <ojilles@gmail.com>
+Jim Alateras <jima@comware.com.au>
+Jim Perrin <jperrin@centos.org>
+Jimmy Cuadra <jimmy@jimmycuadra.com>
+Jimmy Puckett <jimmy.puckett@spinen.com>
+jimmyxian <jimmyxian2004@yahoo.com.cn>
+Jinsoo Park <cellpjs@gmail.com>
+Jiri Popelka <jpopelka@redhat.com>
+Jiří Župka <jzupka@redhat.com>
+jjy <jiangjinyang@outlook.com>
+jmzwcn <jmzwcn@gmail.com>
+Joe Beda <joe.github@bedafamily.com>
+Joe Doliner <jdoliner@pachyderm.io>
+Joe Ferguson <joe@infosiftr.com>
+Joe Gordon <joe.gordon0@gmail.com>
+Joe Shaw <joe@joeshaw.org>
+Joe Van Dyk <joe@tanga.com>
+Joel Friedly <joelfriedly@gmail.com>
+Joel Handwell <joelhandwell@gmail.com>
+Joel Hansson <joel.hansson@ecraft.com>
+Joel Wurtz <jwurtz@jolicode.com>
+Joey Geiger <jgeiger@users.noreply.github.com>
+Joey Gibson <joey@joeygibson.com>
+Joffrey F <joffrey@docker.com>
+Johan Euphrosine <proppy@google.com>
+Johan Rydberg <johan.rydberg@gmail.com>
+Johannes 'fish' Ziemke <github@freigeist.org>
+John Costa <john.costa@gmail.com>
+John Feminella <jxf@jxf.me>
+John Gardiner Myers <jgmyers@proofpoint.com>
+John Gossman <johngos@microsoft.com>
+John Howard (VM) <John.Howard@microsoft.com>
+John OBrien III <jobrieniii@yahoo.com>
+John Starks <jostarks@microsoft.com>
+John Tims <john.k.tims@gmail.com>
+John Warwick <jwarwick@gmail.com>
+John Willis <john.willis@docker.com>
+Jon Wedaman <jweede@gmail.com>
+Jonas Pfenniger <jonas@pfenniger.name>
+Jonathan A. Sternberg <jonathansternberg@gmail.com>
+Jonathan Boulle <jonathanboulle@gmail.com>
+Jonathan Camp <jonathan@irondojo.com>
+Jonathan Dowland <jon+github@alcopop.org>
+Jonathan Lebon <jlebon@redhat.com>
+Jonathan McCrohan <jmccrohan@gmail.com>
+Jonathan Mueller <j.mueller@apoveda.ch>
+Jonathan Pares <jonathanpa@users.noreply.github.com>
+Jonathan Rudenberg <jonathan@titanous.com>
+Joost Cassee <joost@cassee.net>
+Jordan <jjn2009@users.noreply.github.com>
+Jordan Arentsen <blissdev@gmail.com>
+Jordan Sissel <jls@semicomplete.com>
+Jordan Williams <jordan@jwillikers.com>
+Jose Diaz-Gonzalez <josegonzalez@users.noreply.github.com>
+Joseph Anthony Pasquale Holsten <joseph@josephholsten.com>
+Joseph Hager <ajhager@gmail.com>
+Joseph Kern <jkern@semafour.net>
+Josh <jokajak@gmail.com>
+Josh Hawn <josh.hawn@docker.com>
+Josh Poimboeuf <jpoimboe@redhat.com>
+Josiah Kiehl <jkiehl@riotgames.com>
+José Tomás Albornoz <jojo@eljojo.net>
+JP <jpellerin@leapfrogonline.com>
+jrabbit <jackjrabbit@gmail.com>
+Julian Taylor <jtaylor.debian@googlemail.com>
+Julien Barbier <write0@gmail.com>
+Julien Bisconti <veggiemonk@users.noreply.github.com>
+Julien Bordellier <julienbordellier@gmail.com>
+Julien Dubois <julien.dubois@gmail.com>
+Julien Pervillé <julien.perville@perfect-memory.com>
+Julio Montes <imc.coder@gmail.com>
+Jun-Ru Chang <jrjang@gmail.com>
+Jussi Nummelin <jussi.nummelin@gmail.com>
+Justas Brazauskas <brazauskasjustas@gmail.com>
+Justin Cormack <justin.cormack@docker.com>
+Justin Force <justin.force@gmail.com>
+Justin Plock <jplock@users.noreply.github.com>
+Justin Simonelis <justin.p.simonelis@gmail.com>
+Justin Terry <juterry@microsoft.com>
+Jyrki Puttonen <jyrkiput@gmail.com>
+Jérôme Petazzoni <jerome.petazzoni@dotcloud.com>
+Jörg Thalheim <joerg@higgsboson.tk>
+Kai Blin <kai@samba.org>
+Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
+Kamil Domański <kamil@domanski.co>
+kamjar gerami <kami.gerami@gmail.com>
+Kanstantsin Shautsou <kanstantsin.sha@gmail.com>
+Karan Lyons <karan@karanlyons.com>
+Kareem Khazem <karkhaz@karkhaz.com>
+kargakis <kargakis@users.noreply.github.com>
+Karl Grzeszczak <karlgrz@gmail.com>
+Karol Duleba <mr.fuxi@gmail.com>
+Katie McLaughlin <katie@glasnt.com>
+Kato Kazuyoshi <kato.kazuyoshi@gmail.com>
+Katrina Owen <katrina.owen@gmail.com>
+Kawsar Saiyeed <kawsar.saiyeed@projiris.com>
+kayrus <kay.diam@gmail.com>
+Ke Xu <leonhartx.k@gmail.com>
+Keli Hu <dev@keli.hu>
+Ken Cochrane <kencochrane@gmail.com>
+Ken ICHIKAWA <ichikawa.ken@jp.fujitsu.com>
+Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
+Kenjiro Nakayama <nakayamakenjiro@gmail.com>
+Kent Johnson <kentoj@gmail.com>
+Kevin "qwazerty" Houdebert <kevin.houdebert@gmail.com>
+Kevin Clark <kevin.clark@gmail.com>
+Kevin J. Lynagh <kevin@keminglabs.com>
+Kevin Menard <kevin@nirvdrum.com>
+Kevin P. Kucharczyk <kevinkucharczyk@gmail.com>
+Kevin Shi <kshi@andrew.cmu.edu>
+Kevin Wallace <kevin@pentabarf.net>
+Kevin Yap <me@kevinyap.ca>
+kevinmeredith <kevin.m.meredith@gmail.com>
+Keyvan Fatehi <keyvanfatehi@gmail.com>
+kies <lleelm@gmail.com>
+Kim BKC Carlbacker <kim.carlbacker@gmail.com>
+Kim Eik <kim@heldig.org>
+Kimbro Staken <kstaken@kstaken.com>
+Kir Kolyshkin <kir@openvz.org>
+Kiran Gangadharan <kiran.daredevil@gmail.com>
+Kirill SIbirev <l0kix2@gmail.com>
+knappe <tyler.knappe@gmail.com>
+Kohei Tsuruta <coheyxyz@gmail.com>
+Koichi Shiraishi <k@zchee.io>
+Konrad Kleine <konrad.wilhelm.kleine@gmail.com>
+Konstantin Pelykh <kpelykh@zettaset.com>
+Krasimir Georgiev <support@vip-consult.co.uk>
+Kristian Haugene <kristian.haugene@capgemini.com>
+Kristina Zabunova <triara.xiii@gmail.com>
+krrg <krrgithub@gmail.com>
+Kun Zhang <zkazure@gmail.com>
+Kunal Kushwaha <kunal.kushwaha@gmail.com>
+Kyle Conroy <kyle.j.conroy@gmail.com>
+kyu <leehk1227@gmail.com>
+Lachlan Coote <lcoote@vmware.com>
+Lai Jiangshan <jiangshanlai@gmail.com>
+Lajos Papp <lajos.papp@sequenceiq.com>
+Lakshan Perera <lakshan@laktek.com>
+Lalatendu Mohanty <lmohanty@redhat.com>
+lalyos <lalyos@yahoo.com>
+Lance Chen <cyen0312@gmail.com>
+Lance Kinley <lkinley@loyaltymethods.com>
+Lars Butler <Lars.Butler@gmail.com>
+Lars Kellogg-Stedman <lars@redhat.com>
+Lars R. Damerow <lars@pixar.com>
+Laszlo Meszaros <lacienator@gmail.com>
+Laurent Erignoux <lerignoux@gmail.com>
+Laurie Voss <github@seldo.com>
+Leandro Siqueira <leandro.siqueira@gmail.com>
+Lee, Meng-Han <sunrisedm4@gmail.com>
+leeplay <hyeongkyu.lee@navercorp.com>
+Lei Jitang <leijitang@huawei.com>
+Len Weincier <len@cloudafrica.net>
+Lennie <github@consolejunkie.net>
+Leszek Kowalski <github@leszekkowalski.pl>
+Levi Blackstone <levi.blackstone@rackspace.com>
+Levi Gross <levi@levigross.com>
+Lewis Marshall <lewis@lmars.net>
+Lewis Peckover <lew+github@lew.io>
+Liana Lo <liana.lixia@gmail.com>
+Liang Mingqiang <mqliang.zju@gmail.com>
+Liang-Chi Hsieh <viirya@gmail.com>
+liaoqingwei <liaoqingwei@huawei.com>
+limsy <seongyeol37@gmail.com>
+Lin Lu <doraalin@163.com>
+LingFaKe <lingfake@huawei.com>
+Linus Heckemann <lheckemann@twig-world.com>
+Liran Tal <liran.tal@gmail.com>
+Liron Levin <liron@twistlock.com>
+Liu Bo <bo.li.liu@oracle.com>
+Liu Hua <sdu.liu@huawei.com>
+LIZAO LI <lzlarryli@gmail.com>
+Lloyd Dewolf <foolswisdom@gmail.com>
+Lokesh Mandvekar <lsm5@fedoraproject.org>
+longliqiang88 <394564827@qq.com>
+Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
+Lorenzo Fontana <fontanalorenzo@me.com>
+Louis Opter <kalessin@kalessin.fr>
+Luca Marturana <lucamarturana@gmail.com>
+Luca Orlandi <luca.orlandi@gmail.com>
+Luca-Bogdan Grigorescu <Luca-Bogdan Grigorescu>
+Lucas Chan <lucas-github@lucaschan.com>
+Luis Martínez de Bartolomé Izquierdo <lmartinez@biicode.com>
+Lukas Waslowski <cr7pt0gr4ph7@gmail.com>
+lukaspustina <lukas.pustina@centerdevice.com>
+Lukasz Zajaczkowski <Lukasz.Zajaczkowski@ts.fujitsu.com>
+lukemarsden <luke@digital-crocus.com>
+Lynda O'Leary <lyndaoleary29@gmail.com>
+Lénaïc Huard <lhuard@amadeus.com>
+Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
+Mabin <bin.ma@huawei.com>
+Madhav Puri <madhav.puri@gmail.com>
+Madhu Venugopal <madhu@socketplane.io>
+Mageee <21521230.zju.edu.cn>
+Mahesh Tiyyagura <tmahesh@gmail.com>
+malnick <malnick@gmail..com>
+Malte Janduda <mail@janduda.net>
+manchoz <giampaolo@trampolineup.com>
+Manfred Touron <m@42.am>
+Manfred Zabarauskas <manfredas@zabarauskas.com>
+mansinahar <mansinahar@users.noreply.github.com>
+Manuel Meurer <manuel@krautcomputing.com>
+Manuel Woelker <github@manuel.woelker.org>
+mapk0y <mapk0y@gmail.com>
+Marc Abramowitz <marc@marc-abramowitz.com>
+Marc Kuo <kuomarc2@gmail.com>
+Marc Tamsky <mtamsky@gmail.com>
+Marcelo Salazar <chelosalazar@gmail.com>
+Marco Hennings <marco.hennings@freiheit.com>
+Marcus Farkas <toothlessgear@finitebox.com>
+Marcus Linke <marcus.linke@gmx.de>
+Marcus Ramberg <marcus@nordaaker.com>
+Marek Goldmann <marek.goldmann@gmail.com>
+Marian Marinov <mm@yuhu.biz>
+Marianna Tessel <mtesselh@gmail.com>
+Mario Loriedo <mario.loriedo@gmail.com>
+Marius Gundersen <me@mariusgundersen.net>
+Marius Sturm <marius@graylog.com>
+Marius Voila <marius.voila@gmail.com>
+Mark Allen <mrallen1@yahoo.com>
+Mark McGranaghan <mmcgrana@gmail.com>
+Mark McKinstry <mmckinst@umich.edu>
+Mark West <markewest@gmail.com>
+Marko Mikulicic <mmikulicic@gmail.com>
+Marko Tibold <marko@tibold.nl>
+Markus Fix <lispmeister@gmail.com>
+Martijn Dwars <ikben@martijndwars.nl>
+Martijn van Oosterhout <kleptog@svana.org>
+Martin Honermeyer <maze@strahlungsfrei.de>
+Martin Kelly <martin@surround.io>
+Martin Mosegaard Amdisen <martin.amdisen@praqma.com>
+Martin Redmond <redmond.martin@gmail.com>
+Mary Anthony <mary.anthony@docker.com>
+Masahito Zembutsu <zembutsu@users.noreply.github.com>
+Mason Malone <mason.malone@gmail.com>
+Mateusz Sulima <sulima.mateusz@gmail.com>
+Mathias Monnerville <mathias@monnerville.com>
+Mathieu Le Marec - Pasquet <kiorky@cryptelium.net>
+Matt Apperson <me@mattapperson.com>
+Matt Bachmann <bachmann.matt@gmail.com>
+Matt Bentley <matt.bentley@docker.com>
+Matt Haggard <haggardii@gmail.com>
+Matt McCormick <matt.mccormick@kitware.com>
+Matt Moore <mattmoor@google.com>
+Matt Robenolt <matt@ydekproductions.com>
+Matthew Heon <mheon@redhat.com>
+Matthew Mayer <matthewkmayer@gmail.com>
+Matthew Mueller <mattmuelle@gmail.com>
+Matthew Riley <mattdr@google.com>
+Matthias Klumpp <matthias@tenstral.net>
+Matthias Kühnle <git.nivoc@neverbox.com>
+Matthias Rampke <mr@soundcloud.com>
+Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
+mattymo <raytrac3r@gmail.com>
+mattyw <mattyw@me.com>
+Mauricio Garavaglia <mauriciogaravaglia@gmail.com>
+mauriyouth <mauriyouth@gmail.com>
+Max Shytikov <mshytikov@gmail.com>
+Maxim Ivanov <ivanov.maxim@gmail.com>
+Maxim Kulkin <mkulkin@mirantis.com>
+Maxim Treskin <zerthurd@gmail.com>
+Maxime Petazzoni <max@signalfuse.com>
+Meaglith Ma <genedna@gmail.com>
+meejah <meejah@meejah.ca>
+Megan Kostick <mkostick@us.ibm.com>
+Mehul Kar <mehul.kar@gmail.com>
+Mengdi Gao <usrgdd@gmail.com>
+Mert Yazıcıoğlu <merty@users.noreply.github.com>
+Micah Zoltu <micah@newrelic.com>
+Michael A. Smith <michael@smith-li.com>
+Michael Bridgen <mikeb@squaremobius.net>
+Michael Brown <michael@netdirect.ca>
+Michael Chiang <mchiang@docker.com>
+Michael Crosby <michael@docker.com>
+Michael Currie <mcurrie@bruceforceresearch.com>
+Michael Friis <friism@gmail.com>
+Michael Gorsuch <gorsuch@github.com>
+Michael Grauer <michael.grauer@kitware.com>
+Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Michael Hudson-Doyle <michael.hudson@linaro.org>
+Michael Huettermann <michael@huettermann.net>
+Michael Käufl <docker@c.michael-kaeufl.de>
+Michael Neale <michael.neale@gmail.com>
+Michael Prokop <github@michael-prokop.at>
+Michael Scharf <github@scharf.gr>
+Michael Stapelberg <michael+gh@stapelberg.de>
+Michael Steinert <mike.steinert@gmail.com>
+Michael Thies <michaelthies78@gmail.com>
+Michael West <mwest@mdsol.com>
+Michal Fojtik <mfojtik@redhat.com>
+Michal Gebauer <mishak@mishak.net>
+Michal Jemala <michal.jemala@gmail.com>
+Michal Minar <miminar@redhat.com>
+Michaël Pailloncy <mpapo.dev@gmail.com>
+Michał Czeraszkiewicz <czerasz@gmail.com>
+Michiel@unhosted <michiel@unhosted.org>
+Miguel Angel Fernández <elmendalerenda@gmail.com>
+Miguel Morales <mimoralea@gmail.com>
+Mihai Borobocea <MihaiBorob@gmail.com>
+Mihuleacc Sergiu <mihuleac.sergiu@gmail.com>
+Mike Brown <brownwm@us.ibm.com>
+Mike Chelen <michael.chelen@gmail.com>
+Mike Danese <mikedanese@google.com>
+Mike Dillon <mike@embody.org>
+Mike Dougherty <mike.dougherty@docker.com>
+Mike Gaffney <mike@uberu.com>
+Mike Goelzer <mgoelzer@docker.com>
+Mike Leone <mleone896@gmail.com>
+Mike MacCana <mike.maccana@gmail.com>
+Mike Naberezny <mike@naberezny.com>
+Mike Snitzer <snitzer@redhat.com>
+mikelinjie <294893458@qq.com>
+Mikhail Sobolev <mss@mawhrin.net>
+Miloslav Trmač <mitr@redhat.com>
+mingqing <limingqing@cyou-inc.com>
+Mingzhen Feng <fmzhen@zju.edu.cn>
+Mitch Capper <mitch.capper@gmail.com>
+mlarcher <github@ringabell.org>
+Mohammad Banikazemi <mb@us.ibm.com>
+Mohammed Aaqib Ansari <maaquib@gmail.com>
+Mohit Soni <mosoni@ebay.com>
+Morgan Bauer <mbauer@us.ibm.com>
+Morgante Pell <morgante.pell@morgante.net>
+Morgy93 <thomas@ulfertsprygoda.de>
+Morten Siebuhr <sbhr@sbhr.dk>
+Morton Fox <github@qslw.com>
+Moysés Borges <moysesb@gmail.com>
+mqliang <mqliang.zju@gmail.com>
+Mrunal Patel <mrunalp@gmail.com>
+msabansal <sabansal@microsoft.com>
+mschurenko <matt.schurenko@gmail.com>
+muge <stevezhang2014@gmail.com>
+Mustafa Akın <mustafa91@gmail.com>
+Muthukumar R <muthur@gmail.com>
+Máximo Cuadros <mcuadros@gmail.com>
+Médi-Rémi Hashim <medimatrix@users.noreply.github.com>
+Nahum Shalman <nshalman@omniti.com>
+Nakul Pathak <nakulpathak3@hotmail.com>
+Nalin Dahyabhai <nalin@redhat.com>
+Nan Monnand Deng <monnand@gmail.com>
+Naoki Orii <norii@cs.cmu.edu>
+Natalie Parker <nparker@omnifone.com>
+Natanael Copa <natanael.copa@docker.com>
+Nate Brennand <nate.brennand@clever.com>
+Nate Eagleson <nate@nateeag.com>
+Nate Jones <nate@endot.org>
+Nathan Hsieh <hsieh.nathan@gmail.com>
+Nathan Kleyn <nathan@nathankleyn.com>
+Nathan LeClaire <nathan.leclaire@docker.com>
+Nathan McCauley <nathan.mccauley@docker.com>
+Nathan Williams <nathan@teamtreehouse.com>
+Neal McBurnett <neal@mcburnett.org>
+Nelson Chen <crazysim@gmail.com>
+Nghia Tran <nghia@google.com>
+Niall O'Higgins <niallo@unworkable.org>
+Nicholas E. Rabenau <nerab@gmx.at>
+Nick Irvine <nfirvine@nfirvine.com>
+Nick Parker <nikaios@gmail.com>
+Nick Payne <nick@kurai.co.uk>
+Nick Stenning <nick.stenning@digital.cabinet-office.gov.uk>
+Nick Stinemates <nick@stinemates.org>
+Nicolas Borboën <ponsfrilus@users.noreply.github.com>
+Nicolas De loof <nicolas.deloof@gmail.com>
+Nicolas Dudebout <nicolas.dudebout@gatech.edu>
+Nicolas Goy <kuon@goyman.com>
+Nicolas Kaiser <nikai@nikai.net>
+Nicolás Hock Isaza <nhocki@gmail.com>
+Nigel Poulton <nigelpoulton@hotmail.com>
+NikolaMandic <mn080202@gmail.com>
+nikolas <nnyby@columbia.edu>
+Nirmal Mehta <nirmalkmehta@gmail.com>
+Nishant Totla <nishanttotla@gmail.com>
+NIWA Hideyuki <niwa.niwa@nifty.ne.jp>
+noducks <onemannoducks@gmail.com>
+Nolan Darilek <nolan@thewordnerd.info>
+nponeccop <andy.melnikov@gmail.com>
+Nuutti Kotivuori <naked@iki.fi>
+nzwsch <hi@nzwsch.com>
+O.S. Tezer <ostezer@gmail.com>
+objectified <objectified@gmail.com>
+OddBloke <daniel@daniel-watkins.co.uk>
+odk- <github@odkurzacz.org>
+Oguz Bilgic <fisyonet@gmail.com>
+Oh Jinkyun <tintypemolly@gmail.com>
+Ohad Schneider <ohadschn@users.noreply.github.com>
+Ole Reifschneider <mail@ole-reifschneider.de>
+Oliver Neal <ItsVeryWindy@users.noreply.github.com>
+Olivier Gambier <dmp42@users.noreply.github.com>
+Olle Jonsson <olle.jonsson@gmail.com>
+Oriol Francès <oriolfa@gmail.com>
+Otto Kekäläinen <otto@seravo.fi>
+oyld <oyld0210@163.com>
+ozlerhakan <hakan.ozler@kodcu.com>
+paetling <paetling@gmail.com>
+pandrew <letters@paulnotcom.se>
+panticz <mail@konczalski.de>
+Paolo G. Giarrusso <p.giarrusso@gmail.com>
+Pascal Borreli <pascal@borreli.com>
+Pascal Hartig <phartig@rdrei.net>
+Patrick Devine <patrick.devine@docker.com>
+Patrick Hemmer <patrick.hemmer@gmail.com>
+Patrick Stapleton <github@gdi2290.com>
+pattichen <craftsbear@gmail.com>
+Paul <paul9869@gmail.com>
+paul <paul@inkling.com>
+Paul Annesley <paul@annesley.cc>
+Paul Bellamy <paul.a.bellamy@gmail.com>
+Paul Bowsher <pbowsher@globalpersonals.co.uk>
+Paul Hammond <paul@paulhammond.org>
+Paul Jimenez <pj@place.org>
+Paul Lietar <paul@lietar.net>
+Paul Liljenberg <liljenberg.paul@gmail.com>
+Paul Morie <pmorie@gmail.com>
+Paul Nasrat <pnasrat@gmail.com>
+Paul Weaver <pauweave@cisco.com>
+Pavel Lobashov <ShockwaveNN@gmail.com>
+Pavel Pospisil <pospispa@gmail.com>
+Pavel Sutyrin <pavel.sutyrin@gmail.com>
+Pavel Tikhomirov <ptikhomirov@parallels.com>
+Pavlos Ratis <dastergon@gentoo.org>
+Peeyush Gupta <gpeeyush@linux.vnet.ibm.com>
+Peggy Li <peggyli.224@gmail.com>
+Pei Su <sillyousu@gmail.com>
+Penghan Wang <ph.wang@daocloud.io>
+perhapszzy@sina.com <perhapszzy@sina.com>
+Peter Bourgon <peter@bourgon.org>
+Peter Braden <peterbraden@peterbraden.co.uk>
+Peter Choi <reikani@Peters-MacBook-Pro.local>
+Peter Dave Hello <PeterDaveHello@users.noreply.github.com>
+Peter Edge <peter.edge@gmail.com>
+Peter Ericson <pdericson@gmail.com>
+Peter Esbensen <pkesbensen@gmail.com>
+Peter Malmgren <ptmalmgren@gmail.com>
+Peter Salvatore <peter@psftw.com>
+Peter Volpe <petervo@redhat.com>
+Peter Waller <p@pwaller.net>
+Phil <underscorephil@gmail.com>
+Phil Estes <estesp@linux.vnet.ibm.com>
+Phil Spitler <pspitler@gmail.com>
+Philip Monroe <phil@philmonroe.com>
+Philipp Wahala <philipp.wahala@gmail.com>
+Philipp Weissensteiner <mail@philippweissensteiner.com>
+Phillip Alexander <git@phillipalexander.io>
+pidster <pid@pidster.com>
+Piergiuliano Bossi <pgbossi@gmail.com>
+Pierre <py@poujade.org>
+Pierre Carrier <pierre@meteor.com>
+Pierre Wacrenier <pierre.wacrenier@gmail.com>
+Pierre-Alain RIVIERE <pariviere@ippon.fr>
+Piotr Bogdan <ppbogdan@gmail.com>
+pixelistik <pixelistik@users.noreply.github.com>
+Porjo <porjo38@yahoo.com.au>
+Poul Kjeldager Sørensen <pks@s-innovations.net>
+Pradeep Chhetri <pradeep@indix.com>
+Prasanna Gautam <prasannagautam@gmail.com>
+Prayag Verma <prayag.verma@gmail.com>
+Przemek Hejman <przemyslaw.hejman@gmail.com>
+pysqz <randomq@126.com>
+qg <1373319223@qq.com>
+qhuang <h.huangqiang@huawei.com>
+Qiang Huang <h.huangqiang@huawei.com>
+qq690388648 <690388648@qq.com>
+Quentin Brossard <qbrossard@gmail.com>
+Quentin Perez <qperez@ocs.online.net>
+Quentin Tayssier <qtayssier@gmail.com>
+r0n22 <cameron.regan@gmail.com>
+Rafal Jeczalik <rjeczalik@gmail.com>
+Rafe Colton <rafael.colton@gmail.com>
+Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
+Raghuram Devarakonda <draghuram@gmail.com>
+Rajat Pandit <rp@rajatpandit.com>
+Rajdeep Dua <dua_rajdeep@yahoo.com>
+Ralle <spam@rasmusa.net>
+Ralph Bean <rbean@redhat.com>
+Ramkumar Ramachandra <artagnon@gmail.com>
+Ramon van Alteren <ramon@vanalteren.nl>
+Ray Tsang <saturnism@users.noreply.github.com>
+ReadmeCritic <frankensteinbot@gmail.com>
+Recursive Madman <recursive.madman@gmx.de>
+Regan McCooey <rmccooey27@aol.com>
+Remi Rampin <remirampin@gmail.com>
+Renato Riccieri Santos Zannon <renato.riccieri@gmail.com>
+resouer <resouer@163.com>
+rgstephens <greg@udon.org>
+Rhys Hiltner <rhys@twitch.tv>
+Rich Seymour <rseymour@gmail.com>
+Richard <richard.scothern@gmail.com>
+Richard Burnison <rburnison@ebay.com>
+Richard Harvey <richard@squarecows.com>
+Richard Metzler <richard@paadee.com>
+Richard Scothern <richard.scothern@gmail.com>
+Richo Healey <richo@psych0tik.net>
+Rick Bradley <rick@users.noreply.github.com>
+Rick van de Loo <rickvandeloo@gmail.com>
+Rick Wieman <git@rickw.nl>
+Rik Nijessen <rik@keefo.nl>
+Riku Voipio <riku.voipio@linaro.org>
+Riley Guerin <rileytg.dev@gmail.com>
+Ritesh H Shukla <sritesh@vmware.com>
+Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
+Rob Vesse <rvesse@dotnetrdf.org>
+Robert Bachmann <rb@robertbachmann.at>
+Robert Bittle <guywithnose@gmail.com>
+Robert Obryk <robryk@gmail.com>
+Robert Stern <lexandro2000@gmail.com>
+Robert Wallis <smilingrob@gmail.com>
+Roberto G. Hashioka <roberto.hashioka@docker.com>
+Robin Naundorf <r.naundorf@fh-muenster.de>
+Robin Schneider <ypid@riseup.net>
+Robin Speekenbrink <robin@kingsquare.nl>
+robpc <rpcann@gmail.com>
+Rodolfo Carvalho <rhcarvalho@gmail.com>
+Rodrigo Vaz <rodrigo.vaz@gmail.com>
+Roel Van Nyen <roel.vannyen@gmail.com>
+Roger Peppe <rogpeppe@gmail.com>
+Rohit Jnagal <jnagal@google.com>
+Rohit Kadam <rohit.d.kadam@gmail.com>
+Roland Huß <roland@jolokia.org>
+Roland Kammerer <roland.kammerer@linbit.com>
+Roland Moriz <rmoriz@users.noreply.github.com>
+Roma Sokolov <sokolov.r.v@gmail.com>
+Roman Strashkin <roman.strashkin@gmail.com>
+Ron Smits <ron.smits@gmail.com>
+root <docker-dummy@example.com>
+root <root@localhost>
+root <root@ubuntu-14.04-amd64-vbox>
+root <root@webm215.cluster016.ha.ovh.net>
+Rory Hunter <roryhunter2@gmail.com>
+Rory McCune <raesene@gmail.com>
+Ross Boucher <rboucher@gmail.com>
+Rovanion Luckey <rovanion.luckey@gmail.com>
+Rozhnov Alexandr <nox73@ya.ru>
+rsmoorthy <rsmoorthy@users.noreply.github.com>
+Rudolph Gottesheim <r.gottesheim@loot.at>
+Rui Lopes <rgl@ruilopes.com>
+Ryan Anderson <anderson.ryanc@gmail.com>
+Ryan Aslett <github@mixologic.com>
+Ryan Belgrave <rmb1993@gmail.com>
+Ryan Detzel <ryan.detzel@gmail.com>
+Ryan Fowler <rwfowler@gmail.com>
+Ryan McLaughlin <rmclaughlin@insidesales.com>
+Ryan O'Donnell <odonnellryanc@gmail.com>
+Ryan Seto <ryanseto@yak.net>
+Ryan Thomas <rthomas@atlassian.com>
+Ryan Trauntvein <rtrauntvein@novacoast.com>
+Ryan Wallner <ryan.wallner@clusterhq.com>
+RyanDeng <sheldon.d1018@gmail.com>
+Rémy Greinhofer <remy.greinhofer@livelovely.com>
+s. rannou <mxs@sbrk.org>
+s00318865 <sunyuan3@huawei.com>
+Sabin Basyal <sabin.basyal@gmail.com>
+Sachin Joshi <sachin_jayant_joshi@hotmail.com>
+Sagar Hani <sagarhani33@gmail.com>
+Sainath Grandhi <sainath.grandhi@intel.com>
+Sally O'Malley <somalley@redhat.com>
+Sam Abed <sam.abed@gmail.com>
+Sam Alba <sam.alba@gmail.com>
+Sam Bailey <cyprix@cyprix.com.au>
+Sam J Sharpe <sam.sharpe@digital.cabinet-office.gov.uk>
+Sam Neirinck <sam@samneirinck.com>
+Sam Reis <sreis@atlassian.com>
+Sam Rijs <srijs@airpost.net>
+Sambuddha Basu <sambuddhabasu1@gmail.com>
+Sami Wagiaalla <swagiaal@redhat.com>
+Samuel Andaya <samuel@andaya.net>
+Samuel Dion-Girardeau <samuel.diongirardeau@gmail.com>
+Samuel Karp <skarp@amazon.com>
+Samuel PHAN <samuel-phan@users.noreply.github.com>
+Sankar சங்கர் <sankar.curiosity@gmail.com>
+Sanket Saurav <sanketsaurav@gmail.com>
+Santhosh Manohar <santhosh@docker.com>
+sapphiredev <se.imas.kr@gmail.com>
+Satnam Singh <satnam@raintown.org>
+satoru <satorulogic@gmail.com>
+Satoshi Amemiya <satoshi_amemiya@voyagegroup.com>
+scaleoutsean <scaleoutsean@users.noreply.github.com>
+Scott Bessler <scottbessler@gmail.com>
+Scott Collier <emailscottcollier@gmail.com>
+Scott Johnston <scott@docker.com>
+Scott Stamp <scottstamp851@gmail.com>
+Scott Walls <sawalls@umich.edu>
+sdreyesg <sdreyesg@gmail.com>
+Sean Christopherson <sean.j.christopherson@intel.com>
+Sean Cronin <seancron@gmail.com>
+Sean OMeara <sean@chef.io>
+Sean P. Kane <skane@newrelic.com>
+Sebastiaan van Steenis <mail@superseb.nl>
+Sebastiaan van Stijn <github@gone.nl>
+Senthil Kumar Selvaraj <senthil.thecoder@gmail.com>
+Senthil Kumaran <senthil@uthcode.com>
+SeongJae Park <sj38.park@gmail.com>
+Seongyeol Lim <seongyeol37@gmail.com>
+Serge Hallyn <serge.hallyn@ubuntu.com>
+Sergey Alekseev <sergey.alekseev.minsk@gmail.com>
+Sergey Evstifeev <sergey.evstifeev@gmail.com>
+Sevki Hasirci <s@sevki.org>
+Shane Canon <scanon@lbl.gov>
+Shane da Silva <shane@dasilva.io>
+shaunol <shaunol@gmail.com>
+Shawn Landden <shawn@churchofgit.com>
+Shawn Siefkas <shawn.siefkas@meredith.com>
+Shekhar Gulati <shekhargulati84@gmail.com>
+Sheng Yang <sheng@yasker.org>
+Shengbo Song <thomassong@tencent.com>
+Shih-Yuan Lee <fourdollars@gmail.com>
+Shijiang Wei <mountkin@gmail.com>
+Shishir Mahajan <shishir.mahajan@redhat.com>
+shuai-z <zs.broccoli@gmail.com>
+Shuwei Hao <haosw@cn.ibm.com>
+Sian Lerk Lau <kiawin@gmail.com>
+sidharthamani <sid@rancher.com>
+Silas Sewell <silas@sewell.org>
+Simei He <hesimei@zju.edu.cn>
+Simon Eskildsen <sirup@sirupsen.com>
+Simon Leinen <simon.leinen@gmail.com>
+Simon Taranto <simon.taranto@gmail.com>
+Sindhu S <sindhus@live.in>
+Sjoerd Langkemper <sjoerd-github@linuxonly.nl>
+Solganik Alexander <solganik@gmail.com>
+Solomon Hykes <solomon@docker.com>
+Song Gao <song@gao.io>
+Soshi Katsuta <soshi.katsuta@gmail.com>
+Soulou <leo@unbekandt.eu>
+Spencer Brown <spencer@spencerbrown.org>
+Spencer Smith <robertspencersmith@gmail.com>
+Sridatta Thatipamala <sthatipamala@gmail.com>
+Sridhar Ratnakumar <sridharr@activestate.com>
+Srini Brahmaroutu <srbrahma@us.ibm.com>
+srinsriv <srinsriv@users.noreply.github.com>
+Steeve Morin <steeve.morin@gmail.com>
+Stefan Berger <stefanb@linux.vnet.ibm.com>
+Stefan J. Wernli <swernli@microsoft.com>
+Stefan Praszalowicz <stefan@greplin.com>
+Stefan Scherer <scherer_stefan@icloud.com>
+Stefan Staudenmeyer <doerte@instana.com>
+Stefan Weil <sw@weilnetz.de>
+Stephen Crosby <stevecrozz@gmail.com>
+Stephen Day <stephen.day@docker.com>
+Stephen Rust <srust@blockbridge.com>
+Steve Durrheimer <s.durrheimer@gmail.com>
+Steve Francia <steve.francia@gmail.com>
+Steve Koch <stevekochscience@gmail.com>
+Steven Burgess <steven.a.burgess@hotmail.com>
+Steven Iveson <sjiveson@outlook.com>
+Steven Merrill <steven.merrill@gmail.com>
+Steven Richards <steven@axiomzen.co>
+Steven Taylor <steven.taylor@me.com>
+Subhajit Ghosh <isubuz.g@gmail.com>
+Sujith Haridasan <sujith.h@gmail.com>
+Suryakumar Sudar <surya.trunks@gmail.com>
+Sven Dowideit <SvenDowideit@home.org.au>
+Swapnil Daingade <swapnil.daingade@gmail.com>
+Sylvain Baubeau <sbaubeau@redhat.com>
+Sylvain Bellemare <sylvain@ascribe.io>
+Sébastien <sebastien@yoozio.com>
+Sébastien Luttringer <seblu@seblu.net>
+Sébastien Stormacq <sebsto@users.noreply.github.com>
+TAGOMORI Satoshi <tagomoris@gmail.com>
+tang0th <tang0th@gmx.com>
+Tangi COLIN <tangicolin@gmail.com>
+Tatsuki Sugiura <sugi@nemui.org>
+Tatsushi Inagaki <e29253@jp.ibm.com>
+Taylor Jones <monitorjbl@gmail.com>
+tbonza <tylers.pile@gmail.com>
+Ted M. Young <tedyoung@gmail.com>
+Tehmasp Chaudhri <tehmasp@gmail.com>
+Tejesh Mehta <tejesh.mehta@gmail.com>
+terryding77 <550147740@qq.com>
+tgic <farmer1992@gmail.com>
+Thatcher Peskens <thatcher@docker.com>
+theadactyl <thea.lamkin@gmail.com>
+Thell 'Bo' Fowler <thell@tbfowler.name>
+Thermionix <bond711@gmail.com>
+Thijs Terlouw <thijsterlouw@gmail.com>
+Thomas Bikeev <thomas.bikeev@mac.com>
+Thomas Frössman <thomasf@jossystem.se>
+Thomas Gazagnaire <thomas@gazagnaire.org>
+Thomas Grainger <tagrain@gmail.com>
+Thomas Hansen <thomas.hansen@gmail.com>
+Thomas Leonard <thomas.leonard@docker.com>
+Thomas LEVEIL <thomasleveil@gmail.com>
+Thomas Orozco <thomas@orozco.fr>
+Thomas Riccardi <riccardi@systran.fr>
+Thomas Schroeter <thomas@cliqz.com>
+Thomas Sjögren <konstruktoid@users.noreply.github.com>
+Thomas Swift <tgs242@gmail.com>
+Thomas Tanaka <thomas.tanaka@oracle.com>
+Thomas Texier <sharkone@en-mousse.org>
+Tianon Gravi <admwiggin@gmail.com>
+Tibor Vass <teabee89@gmail.com>
+Tiffany Low <tiffany@box.com>
+Tim Bosse <taim@bosboot.org>
+Tim Dettrick <t.dettrick@uq.edu.au>
+Tim Düsterhus <tim@bastelstu.be>
+Tim Hockin <thockin@google.com>
+Tim Ruffles <oi@truffles.me.uk>
+Tim Smith <timbot@google.com>
+Tim Terhorst <mynamewastaken+git@gmail.com>
+Tim Wang <timwangdev@gmail.com>
+Tim Waugh <twaugh@redhat.com>
+Tim Wraight <tim.wraight@tangentlabs.co.uk>
+Timothy Hobbs <timothyhobbs@seznam.cz>
+tjwebb123 <tjwebb123@users.noreply.github.com>
+tobe <tobegit3hub@gmail.com>
+Tobias Bieniek <Tobias.Bieniek@gmx.de>
+Tobias Bradtke <webwurst@gmail.com>
+Tobias Gesellchen <tobias@gesellix.de>
+Tobias Klauser <tklauser@distanz.ch>
+Tobias Schmidt <ts@soundcloud.com>
+Tobias Schwab <tobias.schwab@dynport.de>
+Todd Crane <todd@toddcrane.com>
+Todd Lunter <tlunter@gmail.com>
+Todd Whiteman <todd.whiteman@joyent.com>
+Toli Kuznets <toli@docker.com>
+Tom Barlow <tomwbarlow@gmail.com>
+Tom Denham <tom@tomdee.co.uk>
+Tom Fotherby <tom+github@peopleperhour.com>
+Tom Howe <tom.howe@enstratius.com>
+Tom Hulihan <hulihan.tom159@gmail.com>
+Tom Maaswinkel <tom.maaswinkel@12wiki.eu>
+Tom X. Tobin <tomxtobin@tomxtobin.com>
+Tomas Tomecek <ttomecek@redhat.com>
+Tomasz Kopczynski <tomek@kopczynski.net.pl>
+Tomasz Lipinski <tlipinski@users.noreply.github.com>
+Tomasz Nurkiewicz <nurkiewicz@gmail.com>
+Tommaso Visconti <tommaso.visconti@gmail.com>
+Tomáš Hrčka <thrcka@redhat.com>
+Tonis Tiigi <tonistiigi@gmail.com>
+Tonny Xu <tonny.xu@gmail.com>
+Tony Daws <tony@daws.ca>
+Tony Miller <mcfiredrill@gmail.com>
+toogley <toogley@mailbox.org>
+Torstein Husebø <torstein@huseboe.net>
+tpng <benny.tpng@gmail.com>
+tracylihui <793912329@qq.com>
+Travis Cline <travis.cline@gmail.com>
+Travis Thieman <travis.thieman@gmail.com>
+Trent Ogren <tedwardo2@gmail.com>
+Trevor <trevinwoodstock@gmail.com>
+Trevor Pounds <trevor.pounds@gmail.com>
+trishnaguha <trishnaguha17@gmail.com>
+Tristan Carel <tristan@cogniteev.com>
+Troy Denton <trdenton@gmail.com>
+Tyler Brock <tyler.brock@gmail.com>
+Tzu-Jung Lee <roylee17@gmail.com>
+Tõnis Tiigi <tonistiigi@gmail.com>
+Ulysse Carion <ulyssecarion@gmail.com>
+unknown <sebastiaan@ws-key-sebas3.dpi1.dpi>
+vagrant <vagrant@ubuntu-14.04-amd64-vbox>
+Vaidas Jablonskis <jablonskis@gmail.com>
+Veres Lajos <vlajos@gmail.com>
+vgeta <gopikannan.venugopalsamy@gmail.com>
+Victor Coisne <victor.coisne@dotcloud.com>
+Victor Costan <costan@gmail.com>
+Victor I. Wood <viw@t2am.com>
+Victor Lyuboslavsky <victor@victoreda.com>
+Victor Marmol <vmarmol@google.com>
+Victor Palma <palma.victor@gmail.com>
+Victor Vieux <victor.vieux@docker.com>
+Victoria Bialas <victoria.bialas@docker.com>
+Vijaya Kumar K <vijayak@caviumnetworks.com>
+Viktor Stanchev <me@viktorstanchev.com>
+Viktor Vojnovski <viktor.vojnovski@amadeus.com>
+VinayRaghavanKS <raghavan.vinay@gmail.com>
+Vincent Batts <vbatts@redhat.com>
+Vincent Bernat <bernat@luffy.cx>
+Vincent Bernat <Vincent.Bernat@exoscale.ch>
+Vincent Demeester <vincent@sbr.pm>
+Vincent Giersch <vincent.giersch@ovh.net>
+Vincent Mayers <vincent.mayers@inbloom.org>
+Vincent Woo <me@vincentwoo.com>
+Vinod Kulkarni <vinod.kulkarni@gmail.com>
+Vishal Doshi <vishal.doshi@gmail.com>
+Vishnu Kannan <vishnuk@google.com>
+Vitor Monteiro <vmrmonteiro@gmail.com>
+Vivek Agarwal <me@vivek.im>
+Vivek Dasgupta <vdasgupt@redhat.com>
+Vivek Goyal <vgoyal@redhat.com>
+Vladimir Bulyga <xx@ccxx.cc>
+Vladimir Kirillov <proger@wilab.org.ua>
+Vladimir Rutsky <altsysrq@gmail.com>
+Vladimir Varankin <nek.narqo+git@gmail.com>
+VladimirAus <v_roudakov@yahoo.com>
+Vojtech Vitek (V-Teq) <vvitek@redhat.com>
+waitingkuo <waitingkuo0527@gmail.com>
+Walter Leibbrandt <github@wrl.co.za>
+Walter Stanish <walter@pratyeka.org>
+WANG Chao <wcwxyz@gmail.com>
+Wang Xing <hzwangxing@corp.netease.com>
+Ward Vandewege <ward@jhvc.com>
+WarheadsSE <max@warheads.net>
+Wayne Chang <wayne@neverfear.org>
+Wei-Ting Kuo <waitingkuo0527@gmail.com>
+weiyan <weiyan3@huawei.com>
+Weiyang Zhu <cnresonant@gmail.com>
+Wen Cheng Ma <wenchma@cn.ibm.com>
+Wendel Fleming <wfleming@usc.edu>
+Wenxuan Zhao <viz@linux.com>
+Wenyu You <21551128@zju.edu.cn>
+Wes Morgan <cap10morgan@gmail.com>
+Will Dietz <w@wdtz.org>
+Will Rouesnel <w.rouesnel@gmail.com>
+Will Weaver <monkey@buildingbananas.com>
+willhf <willhf@gmail.com>
+William Delanoue <william.delanoue@gmail.com>
+William Henry <whenry@redhat.com>
+William Hubbs <w.d.hubbs@gmail.com>
+William Riancho <wr.wllm@gmail.com>
+William Thurston <thurstw@amazon.com>
+WiseTrem <shepelyov.g@gmail.com>
+wlan0 <sidharthamn@gmail.com>
+Wolfgang Powisch <powo@powo.priv.at>
+wonderflow <wonderflow.sun@gmail.com>
+xamyzhao <x.amy.zhao@gmail.com>
+XiaoBing Jiang <s7v7nislands@gmail.com>
+Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
+xiekeyang <xiekeyang@huawei.com>
+Xinzi Zhou <imdreamrunner@gmail.com>
+Xiuming Chen <cc@cxm.cc>
+xlgao-zju <xlgao@zju.edu.cn>
+xuzhaokui <cynicholas@gmail.com>
+Yahya <ya7yaz@gmail.com>
+YAMADA Tsuyoshi <tyamada@minimum2scp.org>
+Yan Feng <yanfeng2@huawei.com>
+Yang Bai <hamo.by@gmail.com>
+yangshukui <yangshukui@huawei.com>
+Yasunori Mahata <nori@mahata.net>
+Yestin Sun <sunyi0804@gmail.com>
+Yi EungJun <eungjun.yi@navercorp.com>
+Yibai Zhang <xm1994@gmail.com>
+Yihang Ho <hoyihang5@gmail.com>
+Ying Li <cyli@twistedmatrix.com>
+Yohei Ueda <yohei@jp.ibm.com>
+Yong Tang <yong.tang.github@outlook.com>
+Yongzhi Pan <panyongzhi@gmail.com>
+yorkie <yorkiefixer@gmail.com>
+Youcef YEKHLEF <yyekhlef@gmail.com>
+Yuan Sun <sunyuan3@huawei.com>
+yuchangchun <yuchangchun1@huawei.com>
+yuchengxia <yuchengxia@huawei.com>
+Yurii Rashkovskii <yrashk@gmail.com>
+yuzou <zouyu7@huawei.com>
+Zac Dover <zdover@redhat.com>
+Zach Borboa <zachborboa@gmail.com>
+Zachary Jaffee <zij@case.edu>
+Zain Memon <zain@inzain.net>
+Zaiste! <oh@zaiste.net>
+Zane DeGraffenried <zane.deg@gmail.com>
+Zefan Li <lizefan@huawei.com>
+Zen Lin(Zhinan Lin) <linzhinan@huawei.com>
+Zhang Kun <zkazure@gmail.com>
+Zhang Wei <zhangwei555@huawei.com>
+Zhang Wentao <zhangwentao234@huawei.com>
+Zhenan Ye <21551168@zju.edu.cn>
+Zhu Guihua <zhugh.fnst@cn.fujitsu.com>
+Zhuoyun Wei <wzyboy@wzyboy.org>
+Zilin Du <zilin.du@gmail.com>
+zimbatm <zimbatm@zimbatm.com>
+Ziming Dong <bnudzm@foxmail.com>
+ZJUshuaizhou <21551191@zju.edu.cn>
+zmarouf <zeid.marouf@gmail.com>
+Zoltan Tombol <zoltan.tombol@gmail.com>
+zqh <zqhxuyuan@gmail.com>
+Zuhayr Elahi <elahi.zuhayr@gmail.com>
+Zunayed Ali <zunayed@gmail.com>
+Álex González <agonzalezro@gmail.com>
+Álvaro Lázaro <alvaro.lazaro.g@gmail.com>
+Átila Camurça Alves <camurca.home@gmail.com>
+尹吉峰 <jifeng.yin@gmail.com>
+搏通 <yufeng.pyf@alibaba-inc.com>
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/LICENSE b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/LICENSE
new file mode 100644
index 00000000000..8f3fee627a4
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2013-2016 Docker, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/NOTICE b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/NOTICE
new file mode 100644
index 00000000000..8a37c1c7bc4
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/NOTICE
@@ -0,0 +1,19 @@
+Docker
+Copyright 2012-2016 Docker, Inc.
+
+This product includes software developed at Docker, Inc. (https://www.docker.com).
+
+This product contains software (https://github.com/kr/pty) developed
+by Keith Rarick, licensed under the MIT License.
+
+The following is courtesy of our legal counsel:
+
+
+Use and transfer of Docker may be subject to certain restrictions by the
+United States and other governments.
+It is your responsibility to ensure that your use and/or transfer does not
+violate applicable laws.
+
+For more information, please see https://www.bis.doc.gov
+
+See also https://www.apache.org/dev/crypto.html and/or seek legal counsel.
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/exists_unix.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/exists_unix.go
new file mode 100644
index 00000000000..f3087d7df6d
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/exists_unix.go
@@ -0,0 +1,34 @@
+//go:build !windows
+// +build !windows
+
+package fileutils
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+// Exists checks whether a file or directory exists at the given path.
+// If the path is a symlink, the symlink is followed.
+func Exists(path string) error {
+	// It uses unix.Faccessat which is a faster operation compared to os.Stat for
+	// simply checking the existence of a file.
+	err := unix.Faccessat(unix.AT_FDCWD, path, unix.F_OK, 0)
+	if err != nil {
+		return &os.PathError{Op: "faccessat", Path: path, Err: err}
+	}
+	return nil
+}
+
+// Lexists checks whether a file or directory exists at the given path.
+// If the path is a symlink, the symlink itself is checked.
+func Lexists(path string) error {
+	// It uses unix.Faccessat which is a faster operation compared to os.Stat for
+	// simply checking the existence of a file.
+	err := unix.Faccessat(unix.AT_FDCWD, path, unix.F_OK, unix.AT_SYMLINK_NOFOLLOW)
+	if err != nil {
+		return &os.PathError{Op: "faccessat", Path: path, Err: err}
+	}
+	return nil
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/exists_windows.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/exists_windows.go
new file mode 100644
index 00000000000..355cf046477
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/exists_windows.go
@@ -0,0 +1,18 @@
+package fileutils
+
+import (
+	"os"
+)
+
+// Exists checks whether a file or directory exists at the given path.
+func Exists(path string) error {
+	_, err := os.Stat(path)
+	return err
+}
+
+// Lexists checks whether a file or directory exists at the given path, without
+// resolving symlinks
+func Lexists(path string) error {
+	_, err := os.Lstat(path)
+	return err
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils.go
new file mode 100644
index 00000000000..85ce2d5260a
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils.go
@@ -0,0 +1,371 @@
+package fileutils
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"text/scanner"
+
+	"github.com/sirupsen/logrus"
+)
+
+// PatternMatcher allows checking paths against a list of patterns
+type PatternMatcher struct {
+	patterns   []*Pattern
+	exclusions bool
+}
+
+// NewPatternMatcher creates a new matcher object for specific patterns that can
+// be used later to match against patterns against paths
+func NewPatternMatcher(patterns []string) (*PatternMatcher, error) {
+	pm := &PatternMatcher{
+		patterns: make([]*Pattern, 0, len(patterns)),
+	}
+	for _, p := range patterns {
+		// Eliminate leading and trailing whitespace.
+		p = strings.TrimSpace(p)
+		if p == "" {
+			continue
+		}
+		p = filepath.Clean(p)
+		newp := &Pattern{}
+		if p[0] == '!' {
+			if len(p) == 1 {
+				return nil, errors.New("illegal exclusion pattern: \"!\"")
+			}
+			newp.exclusion = true
+			p = strings.TrimPrefix(filepath.Clean(p[1:]), "/")
+			pm.exclusions = true
+		}
+		// Do some syntax checking on the pattern.
+		// filepath's Match() has some really weird rules that are inconsistent
+		// so instead of trying to dup their logic, just call Match() for its
+		// error state and if there is an error in the pattern return it.
+		// If this becomes an issue we can remove this since its really only
+		// needed in the error (syntax) case - which isn't really critical.
+		if _, err := filepath.Match(p, "."); err != nil {
+			return nil, err
+		}
+		newp.cleanedPattern = p
+		newp.dirs = strings.Split(p, string(os.PathSeparator))
+		pm.patterns = append(pm.patterns, newp)
+	}
+	return pm, nil
+}
+
+// Deprecated: Please use the `MatchesResult` method instead.
+// Matches matches path against all the patterns. Matches is not safe to be
+// called concurrently
+func (pm *PatternMatcher) Matches(file string) (bool, error) {
+	matched := false
+	file = filepath.FromSlash(file)
+
+	for _, pattern := range pm.patterns {
+		negative := false
+
+		if pattern.exclusion {
+			negative = true
+		}
+
+		match, err := pattern.match(file)
+		if err != nil {
+			return false, err
+		}
+
+		if match {
+			matched = !negative
+		}
+	}
+
+	if matched {
+		logrus.Debugf("Skipping excluded path: %s", file)
+	}
+
+	return matched, nil
+}
+
+type MatchResult struct {
+	isMatched         bool
+	matches, excludes uint
+}
+
+// Excludes returns true if the overall result is matched
+func (m *MatchResult) IsMatched() bool {
+	return m.isMatched
+}
+
+// Excludes returns the amount of matches of an MatchResult
+func (m *MatchResult) Matches() uint {
+	return m.matches
+}
+
+// Excludes returns the amount of excludes of an MatchResult
+func (m *MatchResult) Excludes() uint {
+	return m.excludes
+}
+
+// MatchesResult verifies the provided filepath against all patterns.
+// It returns the `*MatchResult` result for the patterns on success, otherwise
+// an error. This method is not safe to be called concurrently.
+func (pm *PatternMatcher) MatchesResult(file string) (res *MatchResult, err error) {
+	file = filepath.FromSlash(file)
+	res = &MatchResult{false, 0, 0}
+
+	for _, pattern := range pm.patterns {
+		negative := false
+
+		if pattern.exclusion {
+			negative = true
+		}
+
+		match, err := pattern.match(file)
+		if err != nil {
+			return nil, err
+		}
+
+		if match {
+			res.isMatched = !negative
+			if negative {
+				res.excludes++
+			} else {
+				res.matches++
+			}
+		}
+	}
+
+	if res.matches > 0 {
+		logrus.Debugf("Skipping excluded path: %s", file)
+	}
+
+	return res, nil
+}
+
+// IsMatch verifies the provided filepath against all patterns and returns true
+// if it matches. A match is valid if the last match is a positive one.
+// It returns an error on failure and is not safe to be called concurrently.
+func (pm *PatternMatcher) IsMatch(file string) (matched bool, err error) {
+	res, err := pm.MatchesResult(file)
+	if err != nil {
+		return false, err
+	}
+	return res.isMatched, nil
+}
+
+// Exclusions returns true if any of the patterns define exclusions
+func (pm *PatternMatcher) Exclusions() bool {
+	return pm.exclusions
+}
+
+// Patterns returns array of active patterns
+func (pm *PatternMatcher) Patterns() []*Pattern {
+	return pm.patterns
+}
+
+// Pattern defines a single regexp used to filter file paths.
+type Pattern struct {
+	cleanedPattern string
+	dirs           []string
+	regexp         *regexp.Regexp
+	exclusion      bool
+}
+
+func (p *Pattern) String() string {
+	return p.cleanedPattern
+}
+
+// Exclusion returns true if this pattern defines exclusion
+func (p *Pattern) Exclusion() bool {
+	return p.exclusion
+}
+
+func (p *Pattern) match(path string) (bool, error) {
+	if p.regexp == nil {
+		if err := p.compile(); err != nil {
+			return false, filepath.ErrBadPattern
+		}
+	}
+
+	b := p.regexp.MatchString(path)
+
+	return b, nil
+}
+
+func (p *Pattern) compile() error {
+	regStr := "^"
+	pattern := p.cleanedPattern
+	// Go through the pattern and convert it to a regexp.
+	// We use a scanner so we can support utf-8 chars.
+	var scan scanner.Scanner
+	scan.Init(strings.NewReader(pattern))
+
+	sl := string(os.PathSeparator)
+	escSL := sl
+	const bs = `\`
+	if sl == bs {
+		escSL += bs
+	}
+
+	for scan.Peek() != scanner.EOF {
+		ch := scan.Next()
+
+		if ch == '*' {
+			if scan.Peek() == '*' {
+				// is some flavor of "**"
+				scan.Next()
+
+				// Treat **/ as ** so eat the "/"
+				if string(scan.Peek()) == sl {
+					scan.Next()
+				}
+
+				if scan.Peek() == scanner.EOF {
+					// is "**EOF" - to align with .gitignore just accept all
+					regStr += ".*"
+				} else {
+					// is "**"
+					// Note that this allows for any # of /'s (even 0) because
+					// the .* will eat everything, even /'s
+					regStr += "(.*" + escSL + ")?"
+				}
+			} else {
+				// is "*" so map it to anything but "/"
+				regStr += "[^" + escSL + "]*"
+			}
+		} else if ch == '?' {
+			// "?" is any char except "/"
+			regStr += "[^" + escSL + "]"
+		} else if ch == '.' || ch == '$' {
+			// Escape some regexp special chars that have no meaning
+			// in golang's filepath.Match
+			regStr += bs + string(ch)
+		} else if ch == '\\' {
+			// escape next char.
+			if sl == bs {
+				// On windows map "\" to "\\", meaning an escaped backslash,
+				// and then just continue because filepath.Match on
+				// Windows doesn't allow escaping at all
+				regStr += escSL
+				continue
+			}
+			if scan.Peek() != scanner.EOF {
+				regStr += bs + string(scan.Next())
+			} else {
+				return filepath.ErrBadPattern
+			}
+		} else {
+			regStr += string(ch)
+		}
+	}
+
+	regStr += "(" + escSL + ".*)?$"
+
+	re, err := regexp.Compile(regStr)
+	if err != nil {
+		return err
+	}
+
+	p.regexp = re
+	return nil
+}
+
+// Matches returns true if file matches any of the patterns
+// and isn't excluded by any of the subsequent patterns.
+func Matches(file string, patterns []string) (bool, error) {
+	pm, err := NewPatternMatcher(patterns)
+	if err != nil {
+		return false, err
+	}
+	file = filepath.Clean(file)
+
+	if file == "." {
+		// Don't let them exclude everything, kind of silly.
+		return false, nil
+	}
+
+	return pm.IsMatch(file)
+}
+
+// CopyFile copies from src to dst until either EOF is reached
+// on src or an error occurs. It verifies src exists and removes
+// the dst if it exists.
+func CopyFile(src, dst string) (int64, error) {
+	cleanSrc := filepath.Clean(src)
+	cleanDst := filepath.Clean(dst)
+	if cleanSrc == cleanDst {
+		return 0, nil
+	}
+	sf, err := os.Open(cleanSrc)
+	if err != nil {
+		return 0, err
+	}
+	defer sf.Close()
+	if err := os.Remove(cleanDst); err != nil && !os.IsNotExist(err) {
+		return 0, err
+	}
+	df, err := os.Create(cleanDst)
+	if err != nil {
+		return 0, err
+	}
+	defer df.Close()
+	return io.Copy(df, sf)
+}
+
+// ReadSymlinkedDirectory returns the target directory of a symlink.
+// The target of the symbolic link may not be a file.
+func ReadSymlinkedDirectory(path string) (string, error) {
+	var realPath string
+	var err error
+	if realPath, err = filepath.Abs(path); err != nil {
+		return "", fmt.Errorf("unable to get absolute path for %s: %w", path, err)
+	}
+	if realPath, err = filepath.EvalSymlinks(realPath); err != nil {
+		return "", fmt.Errorf("failed to canonicalise path for %s: %w", path, err)
+	}
+	realPathInfo, err := os.Stat(realPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to stat target '%s' of '%s': %w", realPath, path, err)
+	}
+	if !realPathInfo.Mode().IsDir() {
+		return "", fmt.Errorf("canonical path points to a file '%s'", realPath)
+	}
+	return realPath, nil
+}
+
+// ReadSymlinkedPath returns the target directory of a symlink.
+// The target of the symbolic link can be a file and a directory.
+func ReadSymlinkedPath(path string) (realPath string, err error) {
+	if realPath, err = filepath.Abs(path); err != nil {
+		return "", fmt.Errorf("unable to get absolute path for %q: %w", path, err)
+	}
+	if realPath, err = filepath.EvalSymlinks(realPath); err != nil {
+		return "", fmt.Errorf("failed to canonicalise path for %q: %w", path, err)
+	}
+	if err := Exists(realPath); err != nil {
+		return "", fmt.Errorf("failed to stat target %q of %q: %w", realPath, path, err)
+	}
+	return realPath, nil
+}
+
+// CreateIfNotExists creates a file or a directory only if it does not already exist.
+func CreateIfNotExists(path string, isDir bool) error {
+	if err := Exists(path); err != nil {
+		if os.IsNotExist(err) {
+			if isDir {
+				return os.MkdirAll(path, 0o755)
+			}
+			if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
+				return err
+			}
+			f, err := os.OpenFile(path, os.O_CREATE, 0o755)
+			if err != nil {
+				return err
+			}
+			f.Close()
+		}
+	}
+	return nil
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_darwin.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_darwin.go
new file mode 100644
index 00000000000..ccd648fac30
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_darwin.go
@@ -0,0 +1,27 @@
+package fileutils
+
+import (
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+)
+
+// GetTotalUsedFds returns the number of used File Descriptors by
+// executing `lsof -p PID`
+func GetTotalUsedFds() int {
+	pid := os.Getpid()
+
+	cmd := exec.Command("lsof", "-p", strconv.Itoa(pid))
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return -1
+	}
+
+	outputStr := strings.TrimSpace(string(output))
+
+	fds := strings.Split(outputStr, "\n")
+
+	return len(fds) - 1
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_solaris.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_solaris.go
new file mode 100644
index 00000000000..0f2cb7ab933
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_solaris.go
@@ -0,0 +1,7 @@
+package fileutils
+
+// GetTotalUsedFds Returns the number of used File Descriptors.
+// On Solaris these limits are per process and not systemwide
+func GetTotalUsedFds() int {
+	return -1
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_unix.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_unix.go
new file mode 100644
index 00000000000..92e0263d818
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_unix.go
@@ -0,0 +1,22 @@
+//go:build linux || freebsd
+// +build linux freebsd
+
+package fileutils
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/sirupsen/logrus"
+)
+
+// GetTotalUsedFds Returns the number of used File Descriptors by
+// reading it via /proc filesystem.
+func GetTotalUsedFds() int {
+	if fds, err := os.ReadDir(fmt.Sprintf("/proc/%d/fd", os.Getpid())); err != nil {
+		logrus.Errorf("%v", err)
+	} else {
+		return len(fds)
+	}
+	return -1
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_windows.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_windows.go
new file mode 100644
index 00000000000..5ec21cace52
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/containers/storage/pkg/fileutils/fileutils_windows.go
@@ -0,0 +1,7 @@
+package fileutils
+
+// GetTotalUsedFds Returns the number of used File Descriptors. Not supported
+// on Windows.
+func GetTotalUsedFds() int {
+	return -1
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
new file mode 100644
index 00000000000..7436896e137
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md
@@ -0,0 +1,138 @@
+# Changelog #
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [Unreleased] ##
+
+## [0.3.1] - 2024-07-23 ##
+
+### Changed ###
+- By allowing `Open(at)InRoot` to opt-out of the extra work done by `MkdirAll`
+  to do the necessary "partial lookups", `Open(at)InRoot` now does less work
+  for both implementations (resulting in a many-fold decrease in the number of
+  operations for `openat2`, and a modest improvement for non-`openat2`) and is
+  far more guaranteed to match the correct `openat2(RESOLVE_IN_ROOT)`
+  behaviour.
+- We now use `readlinkat(fd, "")` where possible. For `Open(at)InRoot` this
+  effectively just means that we no longer risk getting spurious errors during
+  rename races. However, for our hardened procfs handler, this in theory should
+  prevent mount attacks from tricking us when doing magic-link readlinks (even
+  when using the unsafe host `/proc` handle). Unfortunately `Reopen` is still
+  potentially vulnerable to those kinds of somewhat-esoteric attacks.
+
+  Technically this [will only work on post-2.6.39 kernels][linux-readlinkat-emptypath]
+  but it seems incredibly unlikely anyone is using `filepath-securejoin` on a
+  pre-2011 kernel.
+
+### Fixed ###
+- Several improvements were made to the errors returned by `Open(at)InRoot` and
+  `MkdirAll` when dealing with invalid paths under the emulated (ie.
+  non-`openat2`) implementation. Previously, some paths would return the wrong
+  error (`ENOENT` when the last component was a non-directory), and other paths
+  would be returned as though they were acceptable (trailing-slash components
+  after a non-directory would be ignored by `Open(at)InRoot`).
+
+  These changes were done to match `openat2`'s behaviour and purely is a
+  consistency fix (most users are going to be using `openat2` anyway).
+
+[linux-readlinkat-emptypath]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=65cfc6722361570bfe255698d9cd4dccaf47570d
+
+## [0.3.0] - 2024-07-11 ##
+
+### Added ###
+- A new set of `*os.File`-based APIs have been added. These are adapted from
+  [libpathrs][] and we strongly suggest using them if possible (as they provide
+  far more protection against attacks than `SecureJoin`):
+
+   - `Open(at)InRoot` resolves a path inside a rootfs and returns an `*os.File`
+     handle to the path. Note that the handle returned is an `O_PATH` handle,
+     which cannot be used for reading or writing (as well as some other
+     operations -- [see open(2) for more details][open.2])
+
+   - `Reopen` takes an `O_PATH` file handle and safely re-opens it to upgrade
+     it to a regular handle. This can also be used with non-`O_PATH` handles,
+     but `O_PATH` is the most obvious application.
+
+   - `MkdirAll` is an implementation of `os.MkdirAll` that is safe to use to
+     create a directory tree within a rootfs.
+
+  As these are new APIs, they may change in the future. However, they should be
+  safe to start migrating to as we have extensive tests ensuring they behave
+  correctly and are safe against various races and other attacks.
+
+[libpathrs]: https://github.com/openSUSE/libpathrs
+[open.2]: https://www.man7.org/linux/man-pages/man2/open.2.html
+
+## [0.2.5] - 2024-05-03 ##
+
+### Changed ###
+- Some minor changes were made to how lexical components (like `..` and `.`)
+  are handled during path generation in `SecureJoin`. There is no behaviour
+  change as a result of this fix (the resulting paths are the same).
+
+### Fixed ###
+- The error returned when we hit a symlink loop now references the correct
+  path. (#10)
+
+## [0.2.4] - 2023-09-06 ##
+
+### Security ###
+- This release fixes a potential security issue in filepath-securejoin when
+  used on Windows ([GHSA-6xv5-86q9-7xr8][], which could be used to generate
+  paths outside of the provided rootfs in certain cases), as well as improving
+  the overall behaviour of filepath-securejoin when dealing with Windows paths
+  that contain volume names. Thanks to Paulo Gomes for discovering and fixing
+  these issues.
+
+### Fixed ###
+- Switch to GitHub Actions for CI so we can test on Windows as well as Linux
+  and MacOS.
+
+[GHSA-6xv5-86q9-7xr8]: https://github.com/advisories/GHSA-6xv5-86q9-7xr8
+
+## [0.2.3] - 2021-06-04 ##
+
+### Changed ###
+- Switch to Go 1.13-style `%w` error wrapping, letting us drop the dependency
+  on `github.com/pkg/errors`.
+
+## [0.2.2] - 2018-09-05 ##
+
+### Changed ###
+- Use `syscall.ELOOP` as the base error for symlink loops, rather than our own
+  (internal) error. This allows callers to more easily use `errors.Is` to check
+  for this case.
+
+## [0.2.1] - 2018-09-05 ##
+
+### Fixed ###
+- Use our own `IsNotExist` implementation, which lets us handle `ENOTDIR`
+  properly within `SecureJoin`.
+
+## [0.2.0] - 2017-07-19 ##
+
+We now have 100% test coverage!
+
+### Added ###
+- Add a `SecureJoinVFS` API that can be used for mocking (as we do in our new
+  tests) or for implementing custom handling of lookup operations (such as for
+  rootless containers, where work is necessary to access directories with weird
+  modes because we don't have `CAP_DAC_READ_SEARCH` or `CAP_DAC_OVERRIDE`).
+
+## 0.1.0 - 2017-07-19
+
+This is our first release of `github.com/cyphar/filepath-securejoin`,
+containing a full implementation with a coverage of 93.5% (the only missing
+cases are the error cases, which are hard to mocktest at the moment).
+
+[Unreleased]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.1...HEAD
+[0.3.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.0...v0.3.1
+[0.3.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.5...v0.3.0
+[0.2.5]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.4...v0.2.5
+[0.2.4]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4
+[0.2.3]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.2...v0.2.3
+[0.2.2]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.1...v0.2.2
+[0.2.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.0...v0.2.1
+[0.2.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.1.0...v0.2.0
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/LICENSE b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/LICENSE
index bec842f294f..cb1ab88da0f 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/LICENSE
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/LICENSE
@@ -1,5 +1,5 @@
 Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
-Copyright (C) 2017 SUSE LLC. All rights reserved.
+Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/README.md b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/README.md
index 4eca0f23550..253956f8657 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/README.md
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/README.md
@@ -2,31 +2,24 @@
 
 [![Build Status](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml/badge.svg)](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml)
 
-An implementation of `SecureJoin`, a [candidate for inclusion in the Go
-standard library][go#20126]. The purpose of this function is to be a "secure"
-alternative to `filepath.Join`, and in particular it provides certain
-guarantees that are not provided by `filepath.Join`.
-
-> **NOTE**: This code is *only* safe if you are not at risk of other processes
-> modifying path components after you've used `SecureJoin`. If it is possible
-> for a malicious process to modify path components of the resolved path, then
-> you will be vulnerable to some fairly trivial TOCTOU race conditions. [There
-> are some Linux kernel patches I'm working on which might allow for a better
-> solution.][lwn-obeneath]
->
-> In addition, with a slightly modified API it might be possible to use
-> `O_PATH` and verify that the opened path is actually the resolved one -- but
-> I have not done that yet. I might add it in the future as a helper function
-> to help users verify the path (we can't just return `/proc/self/fd/<foo>`
-> because that doesn't always work transparently for all users).
-
-This is the function prototype:
+### Old API ###
 
-```go
-func SecureJoin(root, unsafePath string) (string, error)
-```
+This library was originally just an implementation of `SecureJoin` which was
+[intended to be included in the Go standard library][go#20126] as a safer
+`filepath.Join` that would restrict the path lookup to be inside a root
+directory.
+
+The implementation was based on code that existed in several container
+runtimes. Unfortunately, this API is **fundamentally unsafe** against attackers
+that can modify path components after `SecureJoin` returns and before the
+caller uses the path, allowing for some fairly trivial TOCTOU attacks.
+
+`SecureJoin` (and `SecureJoinVFS`) are still provided by this library to
+support legacy users, but new users are strongly suggested to avoid using
+`SecureJoin` and instead use the [new api](#new-api) or switch to
+[libpathrs][libpathrs].
 
-This library **guarantees** the following:
+With the above limitations in mind, this library guarantees the following:
 
 * If no error is set, the resulting string **must** be a child path of
   `root` and will not contain any symlink path components (they will all be
@@ -47,7 +40,7 @@ This library **guarantees** the following:
 A (trivial) implementation of this function on GNU/Linux systems could be done
 with the following (note that this requires root privileges and is far more
 opaque than the implementation in this library, and also requires that
-`readlink` is inside the `root` path):
+`readlink` is inside the `root` path and is trustworthy):
 
 ```go
 package securejoin
@@ -70,9 +63,105 @@ func SecureJoin(root, unsafePath string) (string, error) {
 }
 ```
 
-[lwn-obeneath]: https://lwn.net/Articles/767547/
+[libpathrs]: https://github.com/openSUSE/libpathrs
 [go#20126]: https://github.com/golang/go/issues/20126
 
+### New API ###
+
+While we recommend users switch to [libpathrs][libpathrs] as soon as it has a
+stable release, some methods implemented by libpathrs have been ported to this
+library to ease the transition. These APIs are only supported on Linux.
+
+These APIs are implemented such that `filepath-securejoin` will
+opportunistically use certain newer kernel APIs that make these operations far
+more secure. In particular:
+
+* All of the lookup operations will use [`openat2`][openat2.2] on new enough
+  kernels (Linux 5.6 or later) to restrict lookups through magic-links and
+  bind-mounts (for certain operations) and to make use of `RESOLVE_IN_ROOT` to
+  efficiently resolve symlinks within a rootfs.
+
+* The APIs provide hardening against a malicious `/proc` mount to either detect
+  or avoid being tricked by a `/proc` that is not legitimate. This is done
+  using [`openat2`][openat2.2] for all users, and privileged users will also be
+  further protected by using [`fsopen`][fsopen.2] and [`open_tree`][open_tree.2]
+  (Linux 4.18 or later).
+
+[openat2.2]: https://www.man7.org/linux/man-pages/man2/openat2.2.html
+[fsopen.2]: https://github.com/brauner/man-pages-md/blob/main/fsopen.md
+[open_tree.2]: https://github.com/brauner/man-pages-md/blob/main/open_tree.md
+
+#### `OpenInRoot` ####
+
+```go
+func OpenInRoot(root, unsafePath string) (*os.File, error)
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error)
+func Reopen(handle *os.File, flags int) (*os.File, error)
+```
+
+`OpenInRoot` is a much safer version of
+
+```go
+path, err := securejoin.SecureJoin(root, unsafePath)
+file, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)
+```
+
+that protects against various race attacks that could lead to serious security
+issues, depending on the application. Note that the returned `*os.File` is an
+`O_PATH` file descriptor, which is quite restricted. Callers will probably need
+to use `Reopen` to get a more usable handle (this split is done to provide
+useful features like PTY spawning and to avoid users accidentally opening bad
+inodes that could cause a DoS).
+
+Callers need to be careful in how they use the returned `*os.File`. Usually it
+is only safe to operate on the handle directly, and it is very easy to create a
+security issue. [libpathrs][libpathrs] provides far more helpers to make using
+these handles safer -- there is currently no plan to port them to
+`filepath-securejoin`.
+
+`OpenatInRoot` is like `OpenInRoot` except that the root is provided using an
+`*os.File`. This allows you to ensure that multiple `OpenatInRoot` (or
+`MkdirAllHandle`) calls are operating on the same rootfs.
+
+> **NOTE**: Unlike `SecureJoin`, `OpenInRoot` will error out as soon as it hits
+> a dangling symlink or non-existent path. This is in contrast to `SecureJoin`
+> which treated non-existent components as though they were real directories,
+> and would allow for partial resolution of dangling symlinks. These behaviours
+> are at odds with how Linux treats non-existent paths and dangling symlinks,
+> and so these are no longer allowed.
+
+#### `MkdirAll` ####
+
+```go
+func MkdirAll(root, unsafePath string, mode int) error
+func MkdirAllHandle(root *os.File, unsafePath string, mode int) (*os.File, error)
+```
+
+`MkdirAll` is a much safer version of
+
+```go
+path, err := securejoin.SecureJoin(root, unsafePath)
+err = os.MkdirAll(path, mode)
+```
+
+that protects against the same kinds of races that `OpenInRoot` protects
+against.
+
+`MkdirAllHandle` is like `MkdirAll` except that the root is provided using an
+`*os.File` (the reason for this is the same as with `OpenatInRoot`) and an
+`*os.File` of the final created directory is returned (this directory is
+guaranteed to be effectively identical to the directory created by
+`MkdirAllHandle`, which is not possible to ensure by just using `OpenatInRoot`
+after `MkdirAll`).
+
+> **NOTE**: Unlike `SecureJoin`, `MkdirAll` will error out as soon as it hits
+> a dangling symlink or non-existent path. This is in contrast to `SecureJoin`
+> which treated non-existent components as though they were real directories,
+> and would allow for partial resolution of dangling symlinks. These behaviours
+> are at odds with how Linux treats non-existent paths and dangling symlinks,
+> and so these are no longer allowed. This means that `MkdirAll` will not
+> create non-existent directories referenced by a dangling symlink.
+
 ### License ###
 
 The license of this project is the same as Go, which is a BSD 3-clause license
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/VERSION b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/VERSION
index abd410582de..9e11b32fcaa 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/VERSION
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/VERSION
@@ -1 +1 @@
-0.2.4
+0.3.1
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/join.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/join.go
index aa32b85fb84..bd86a48b0cc 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/join.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/join.go
@@ -1,5 +1,5 @@
 // Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
-// Copyright (C) 2017 SUSE LLC. All rights reserved.
+// Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
@@ -11,7 +11,6 @@
 package securejoin
 
 import (
-	"bytes"
 	"errors"
 	"os"
 	"path/filepath"
@@ -19,6 +18,8 @@ import (
 	"syscall"
 )
 
+const maxSymlinkLimit = 255
+
 // IsNotExist tells you if err is an error that implies that either the path
 // accessed does not exist (or path components don't exist). This is
 // effectively a more broad version of os.IsNotExist.
@@ -40,6 +41,12 @@ func IsNotExist(err error) bool {
 // replaced with symlinks on the filesystem) after this function has returned.
 // Such a symlink race is necessarily out-of-scope of SecureJoin.
 //
+// NOTE: Due to the above limitation, Linux users are strongly encouraged to
+// use OpenInRoot instead, which does safely protect against these kinds of
+// attacks. There is no way to solve this problem with SecureJoinVFS because
+// the API is fundamentally wrong (you cannot return a "safe" path string and
+// guarantee it won't be modified afterwards).
+//
 // Volume names in unsafePath are always discarded, regardless if they are
 // provided via direct input or when evaluating symlinks. Therefore:
 //
@@ -51,71 +58,69 @@ func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {
 	}
 
 	unsafePath = filepath.FromSlash(unsafePath)
-	var path bytes.Buffer
-	n := 0
-	for unsafePath != "" {
-		if n > 255 {
-			return "", &os.PathError{Op: "SecureJoin", Path: root + string(filepath.Separator) + unsafePath, Err: syscall.ELOOP}
+	var (
+		currentPath   string
+		remainingPath = unsafePath
+		linksWalked   int
+	)
+	for remainingPath != "" {
+		if v := filepath.VolumeName(remainingPath); v != "" {
+			remainingPath = remainingPath[len(v):]
 		}
 
-		if v := filepath.VolumeName(unsafePath); v != "" {
-			unsafePath = unsafePath[len(v):]
-		}
-
-		// Next path component, p.
-		i := strings.IndexRune(unsafePath, filepath.Separator)
-		var p string
-		if i == -1 {
-			p, unsafePath = unsafePath, ""
+		// Get the next path component.
+		var part string
+		if i := strings.IndexRune(remainingPath, filepath.Separator); i == -1 {
+			part, remainingPath = remainingPath, ""
 		} else {
-			p, unsafePath = unsafePath[:i], unsafePath[i+1:]
+			part, remainingPath = remainingPath[:i], remainingPath[i+1:]
 		}
 
-		// Create a cleaned path, using the lexical semantics of /../a, to
-		// create a "scoped" path component which can safely be joined to fullP
-		// for evaluation. At this point, path.String() doesn't contain any
-		// symlink components.
-		cleanP := filepath.Clean(string(filepath.Separator) + path.String() + p)
-		if cleanP == string(filepath.Separator) {
-			path.Reset()
+		// Apply the component lexically to the path we are building.
+		// currentPath does not contain any symlinks, and we are lexically
+		// dealing with a single component, so it's okay to do a filepath.Clean
+		// here.
+		nextPath := filepath.Join(string(filepath.Separator), currentPath, part)
+		if nextPath == string(filepath.Separator) {
+			currentPath = ""
 			continue
 		}
-		fullP := filepath.Clean(root + cleanP)
+		fullPath := root + string(filepath.Separator) + nextPath
 
 		// Figure out whether the path is a symlink.
-		fi, err := vfs.Lstat(fullP)
+		fi, err := vfs.Lstat(fullPath)
 		if err != nil && !IsNotExist(err) {
 			return "", err
 		}
 		// Treat non-existent path components the same as non-symlinks (we
 		// can't do any better here).
 		if IsNotExist(err) || fi.Mode()&os.ModeSymlink == 0 {
-			path.WriteString(p)
-			path.WriteRune(filepath.Separator)
+			currentPath = nextPath
 			continue
 		}
 
-		// Only increment when we actually dereference a link.
-		n++
+		// It's a symlink, so get its contents and expand it by prepending it
+		// to the yet-unparsed path.
+		linksWalked++
+		if linksWalked > maxSymlinkLimit {
+			return "", &os.PathError{Op: "SecureJoin", Path: root + string(filepath.Separator) + unsafePath, Err: syscall.ELOOP}
+		}
 
-		// It's a symlink, expand it by prepending it to the yet-unparsed path.
-		dest, err := vfs.Readlink(fullP)
+		dest, err := vfs.Readlink(fullPath)
 		if err != nil {
 			return "", err
 		}
+		remainingPath = dest + string(filepath.Separator) + remainingPath
 		// Absolute symlinks reset any work we've already done.
 		if filepath.IsAbs(dest) {
-			path.Reset()
+			currentPath = ""
 		}
-		unsafePath = dest + string(filepath.Separator) + unsafePath
 	}
 
-	// We have to clean path.String() here because it may contain '..'
-	// components that are entirely lexical, but would be misleading otherwise.
-	// And finally do a final clean to ensure that root is also lexically
-	// clean.
-	fullP := filepath.Clean(string(filepath.Separator) + path.String())
-	return filepath.Clean(root + fullP), nil
+	// There should be no lexical components like ".." left in the path here,
+	// but for safety clean up the path before joining it to the root.
+	finalPath := filepath.Join(string(filepath.Separator), currentPath)
+	return filepath.Join(root, finalPath), nil
 }
 
 // SecureJoin is a wrapper around SecureJoinVFS that just uses the os.* library
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go
new file mode 100644
index 00000000000..290befa1547
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go
@@ -0,0 +1,389 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"slices"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+type symlinkStackEntry struct {
+	// (dir, remainingPath) is what we would've returned if the link didn't
+	// exist. This matches what openat2(RESOLVE_IN_ROOT) would return in
+	// this case.
+	dir           *os.File
+	remainingPath string
+	// linkUnwalked is the remaining path components from the original
+	// Readlink which we have yet to walk. When this slice is empty, we
+	// drop the link from the stack.
+	linkUnwalked []string
+}
+
+func (se symlinkStackEntry) String() string {
+	return fmt.Sprintf("<%s>/%s [->%s]", se.dir.Name(), se.remainingPath, strings.Join(se.linkUnwalked, "/"))
+}
+
+func (se symlinkStackEntry) Close() {
+	_ = se.dir.Close()
+}
+
+type symlinkStack []*symlinkStackEntry
+
+func (s *symlinkStack) IsEmpty() bool {
+	return s == nil || len(*s) == 0
+}
+
+func (s *symlinkStack) Close() {
+	if s != nil {
+		for _, link := range *s {
+			link.Close()
+		}
+		// TODO: Switch to clear once we switch to Go 1.21.
+		*s = nil
+	}
+}
+
+var (
+	errEmptyStack         = errors.New("[internal] stack is empty")
+	errBrokenSymlinkStack = errors.New("[internal error] broken symlink stack")
+)
+
+func (s *symlinkStack) popPart(part string) error {
+	if s == nil || s.IsEmpty() {
+		// If there is nothing in the symlink stack, then the part was from the
+		// real path provided by the user, and this is a no-op.
+		return errEmptyStack
+	}
+	if part == "." {
+		// "." components are no-ops -- we drop them when doing SwapLink.
+		return nil
+	}
+
+	tailEntry := (*s)[len(*s)-1]
+
+	// Double-check that we are popping the component we expect.
+	if len(tailEntry.linkUnwalked) == 0 {
+		return fmt.Errorf("%w: trying to pop component %q of empty stack entry %s", errBrokenSymlinkStack, part, tailEntry)
+	}
+	headPart := tailEntry.linkUnwalked[0]
+	if headPart != part {
+		return fmt.Errorf("%w: trying to pop component %q but the last stack entry is %s (%q)", errBrokenSymlinkStack, part, tailEntry, headPart)
+	}
+
+	// Drop the component, but keep the entry around in case we are dealing
+	// with a "tail-chained" symlink.
+	tailEntry.linkUnwalked = tailEntry.linkUnwalked[1:]
+	return nil
+}
+
+func (s *symlinkStack) PopPart(part string) error {
+	if err := s.popPart(part); err != nil {
+		if errors.Is(err, errEmptyStack) {
+			// Skip empty stacks.
+			err = nil
+		}
+		return err
+	}
+
+	// Clean up any of the trailing stack entries that are empty.
+	for lastGood := len(*s) - 1; lastGood >= 0; lastGood-- {
+		entry := (*s)[lastGood]
+		if len(entry.linkUnwalked) > 0 {
+			break
+		}
+		entry.Close()
+		(*s) = (*s)[:lastGood]
+	}
+	return nil
+}
+
+func (s *symlinkStack) push(dir *os.File, remainingPath, linkTarget string) error {
+	if s == nil {
+		return nil
+	}
+	// Split the link target and clean up any "" parts.
+	linkTargetParts := slices.DeleteFunc(
+		strings.Split(linkTarget, "/"),
+		func(part string) bool { return part == "" || part == "." })
+
+	// Copy the directory so the caller doesn't close our copy.
+	dirCopy, err := dupFile(dir)
+	if err != nil {
+		return err
+	}
+
+	// Add to the stack.
+	*s = append(*s, &symlinkStackEntry{
+		dir:           dirCopy,
+		remainingPath: remainingPath,
+		linkUnwalked:  linkTargetParts,
+	})
+	return nil
+}
+
+func (s *symlinkStack) SwapLink(linkPart string, dir *os.File, remainingPath, linkTarget string) error {
+	// If we are currently inside a symlink resolution, remove the symlink
+	// component from the last symlink entry, but don't remove the entry even
+	// if it's empty. If we are a "tail-chained" symlink (a trailing symlink we
+	// hit during a symlink resolution) we need to keep the old symlink until
+	// we finish the resolution.
+	if err := s.popPart(linkPart); err != nil {
+		if !errors.Is(err, errEmptyStack) {
+			return err
+		}
+		// Push the component regardless of whether the stack was empty.
+	}
+	return s.push(dir, remainingPath, linkTarget)
+}
+
+func (s *symlinkStack) PopTopSymlink() (*os.File, string, bool) {
+	if s == nil || s.IsEmpty() {
+		return nil, "", false
+	}
+	tailEntry := (*s)[0]
+	*s = (*s)[1:]
+	return tailEntry.dir, tailEntry.remainingPath, true
+}
+
+// partialLookupInRoot tries to lookup as much of the request path as possible
+// within the provided root (a-la RESOLVE_IN_ROOT) and opens the final existing
+// component of the requested path, returning a file handle to the final
+// existing component and a string containing the remaining path components.
+func partialLookupInRoot(root *os.File, unsafePath string) (*os.File, string, error) {
+	return lookupInRoot(root, unsafePath, true)
+}
+
+func completeLookupInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	handle, remainingPath, err := lookupInRoot(root, unsafePath, false)
+	if remainingPath != "" && err == nil {
+		// should never happen
+		err = fmt.Errorf("[bug] non-empty remaining path when doing a non-partial lookup: %q", remainingPath)
+	}
+	// lookupInRoot(partial=false) will always close the handle if an error is
+	// returned, so no need to double-check here.
+	return handle, err
+}
+
+func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.File, _ string, _ error) {
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+
+	// This is very similar to SecureJoin, except that we operate on the
+	// components using file descriptors. We then return the last component we
+	// managed open, along with the remaining path components not opened.
+
+	// Try to use openat2 if possible.
+	if hasOpenat2() {
+		return lookupOpenat2(root, unsafePath, partial)
+	}
+
+	// Get the "actual" root path from /proc/self/fd. This is necessary if the
+	// root is some magic-link like /proc/$pid/root, in which case we want to
+	// make sure when we do checkProcSelfFdPath that we are using the correct
+	// root path.
+	logicalRootPath, err := procSelfFdReadlink(root)
+	if err != nil {
+		return nil, "", fmt.Errorf("get real root path: %w", err)
+	}
+
+	currentDir, err := dupFile(root)
+	if err != nil {
+		return nil, "", fmt.Errorf("clone root fd: %w", err)
+	}
+	defer func() {
+		// If a handle is not returned, close the internal handle.
+		if Handle == nil {
+			_ = currentDir.Close()
+		}
+	}()
+
+	// symlinkStack is used to emulate how openat2(RESOLVE_IN_ROOT) treats
+	// dangling symlinks. If we hit a non-existent path while resolving a
+	// symlink, we need to return the (dir, remainingPath) that we had when we
+	// hit the symlink (treating the symlink as though it were a regular file).
+	// The set of (dir, remainingPath) sets is stored within the symlinkStack
+	// and we add and remove parts when we hit symlink and non-symlink
+	// components respectively. We need a stack because of recursive symlinks
+	// (symlinks that contain symlink components in their target).
+	//
+	// Note that the stack is ONLY used for book-keeping. All of the actual
+	// path walking logic is still based on currentPath/remainingPath and
+	// currentDir (as in SecureJoin).
+	var symStack *symlinkStack
+	if partial {
+		symStack = new(symlinkStack)
+		defer symStack.Close()
+	}
+
+	var (
+		linksWalked   int
+		currentPath   string
+		remainingPath = unsafePath
+	)
+	for remainingPath != "" {
+		// Save the current remaining path so if the part is not real we can
+		// return the path including the component.
+		oldRemainingPath := remainingPath
+
+		// Get the next path component.
+		var part string
+		if i := strings.IndexByte(remainingPath, '/'); i == -1 {
+			part, remainingPath = remainingPath, ""
+		} else {
+			part, remainingPath = remainingPath[:i], remainingPath[i+1:]
+		}
+		// If we hit an empty component, we need to treat it as though it is
+		// "." so that trailing "/" and "//" components on a non-directory
+		// correctly return the right error code.
+		if part == "" {
+			part = "."
+		}
+
+		// Apply the component lexically to the path we are building.
+		// currentPath does not contain any symlinks, and we are lexically
+		// dealing with a single component, so it's okay to do a filepath.Clean
+		// here.
+		nextPath := path.Join("/", currentPath, part)
+		// If we logically hit the root, just clone the root rather than
+		// opening the part and doing all of the other checks.
+		if nextPath == "/" {
+			if err := symStack.PopPart(part); err != nil {
+				return nil, "", fmt.Errorf("walking into root with part %q failed: %w", part, err)
+			}
+			// Jump to root.
+			rootClone, err := dupFile(root)
+			if err != nil {
+				return nil, "", fmt.Errorf("clone root fd: %w", err)
+			}
+			_ = currentDir.Close()
+			currentDir = rootClone
+			currentPath = nextPath
+			continue
+		}
+
+		// Try to open the next component.
+		nextDir, err := openatFile(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		switch {
+		case err == nil:
+			st, err := nextDir.Stat()
+			if err != nil {
+				_ = nextDir.Close()
+				return nil, "", fmt.Errorf("stat component %q: %w", part, err)
+			}
+
+			switch st.Mode() & os.ModeType {
+			case os.ModeSymlink:
+				// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See
+				// Linux commit 65cfc6722361 ("readlinkat(), fchownat() and
+				// fstatat() with empty relative pathnames").
+				linkDest, err := readlinkatFile(nextDir, "")
+				// We don't need the handle anymore.
+				_ = nextDir.Close()
+				if err != nil {
+					return nil, "", err
+				}
+
+				linksWalked++
+				if linksWalked > maxSymlinkLimit {
+					return nil, "", &os.PathError{Op: "securejoin.lookupInRoot", Path: logicalRootPath + "/" + unsafePath, Err: unix.ELOOP}
+				}
+
+				// Swap out the symlink's component for the link entry itself.
+				if err := symStack.SwapLink(part, currentDir, oldRemainingPath, linkDest); err != nil {
+					return nil, "", fmt.Errorf("walking into symlink %q failed: push symlink: %w", part, err)
+				}
+
+				// Update our logical remaining path.
+				remainingPath = linkDest + "/" + remainingPath
+				// Absolute symlinks reset any work we've already done.
+				if path.IsAbs(linkDest) {
+					// Jump to root.
+					rootClone, err := dupFile(root)
+					if err != nil {
+						return nil, "", fmt.Errorf("clone root fd: %w", err)
+					}
+					_ = currentDir.Close()
+					currentDir = rootClone
+					currentPath = "/"
+				}
+
+			default:
+				// If we are dealing with a directory, simply walk into it.
+				_ = currentDir.Close()
+				currentDir = nextDir
+				currentPath = nextPath
+
+				// The part was real, so drop it from the symlink stack.
+				if err := symStack.PopPart(part); err != nil {
+					return nil, "", fmt.Errorf("walking into directory %q failed: %w", part, err)
+				}
+
+				// If we are operating on a .., make sure we haven't escaped.
+				// We only have to check for ".." here because walking down
+				// into a regular component component cannot cause you to
+				// escape. This mirrors the logic in RESOLVE_IN_ROOT, except we
+				// have to check every ".." rather than only checking after a
+				// rename or mount on the system.
+				if part == ".." {
+					// Make sure the root hasn't moved.
+					if err := checkProcSelfFdPath(logicalRootPath, root); err != nil {
+						return nil, "", fmt.Errorf("root path moved during lookup: %w", err)
+					}
+					// Make sure the path is what we expect.
+					fullPath := logicalRootPath + nextPath
+					if err := checkProcSelfFdPath(fullPath, currentDir); err != nil {
+						return nil, "", fmt.Errorf("walking into %q had unexpected result: %w", part, err)
+					}
+				}
+			}
+
+		default:
+			if !partial {
+				return nil, "", err
+			}
+			// If there are any remaining components in the symlink stack, we
+			// are still within a symlink resolution and thus we hit a dangling
+			// symlink. So pretend that the first symlink in the stack we hit
+			// was an ENOENT (to match openat2).
+			if oldDir, remainingPath, ok := symStack.PopTopSymlink(); ok {
+				_ = currentDir.Close()
+				return oldDir, remainingPath, err
+			}
+			// We have hit a final component that doesn't exist, so we have our
+			// partial open result. Note that we have to use the OLD remaining
+			// path, since the lookup failed.
+			return currentDir, oldRemainingPath, err
+		}
+	}
+
+	// If the unsafePath had a trailing slash, we need to make sure we try to
+	// do a relative "." open so that we will correctly return an error when
+	// the final component is a non-directory (to match openat2). In the
+	// context of openat2, a trailing slash and a trailing "/." are completely
+	// equivalent.
+	if strings.HasSuffix(unsafePath, "/") {
+		nextDir, err := openatFile(currentDir, ".", unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		if err != nil {
+			if !partial {
+				_ = currentDir.Close()
+				currentDir = nil
+			}
+			return currentDir, "", err
+		}
+		_ = currentDir.Close()
+		currentDir = nextDir
+	}
+
+	// All of the components existed!
+	return currentDir, "", nil
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go
new file mode 100644
index 00000000000..ad2bd7973ab
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go
@@ -0,0 +1,229 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+var (
+	errInvalidMode    = errors.New("invalid permission mode")
+	errPossibleAttack = errors.New("possible attack detected")
+)
+
+// MkdirAllHandle is equivalent to MkdirAll, except that it is safer to use in
+// two respects:
+//
+//   - The caller provides the root directory as an *os.File (preferably O_PATH)
+//     handle. This means that the caller can be sure which root directory is
+//     being used. Note that this can be emulated by using /proc/self/fd/... as
+//     the root path with MkdirAll.
+//
+//   - Once all of the directories have been created, an *os.File (O_PATH) handle
+//     to the directory at unsafePath is returned to the caller. This is done in
+//     an effectively-race-free way (an attacker would only be able to swap the
+//     final directory component), which is not possible to emulate with
+//     MkdirAll.
+//
+// In addition, the returned handle is obtained far more efficiently than doing
+// a brand new lookup of unsafePath (such as with SecureJoin or openat2) after
+// doing MkdirAll. If you intend to open the directory after creating it, you
+// should use MkdirAllHandle.
+func MkdirAllHandle(root *os.File, unsafePath string, mode int) (_ *os.File, Err error) {
+	// Make sure there are no os.FileMode bits set.
+	if mode&^0o7777 != 0 {
+		return nil, fmt.Errorf("%w for mkdir 0o%.3o", errInvalidMode, mode)
+	}
+
+	// Try to open as much of the path as possible.
+	currentDir, remainingPath, err := partialLookupInRoot(root, unsafePath)
+	defer func() {
+		if Err != nil {
+			_ = currentDir.Close()
+		}
+	}()
+	if err != nil && !errors.Is(err, unix.ENOENT) {
+		return nil, fmt.Errorf("find existing subpath of %q: %w", unsafePath, err)
+	}
+
+	// If there is an attacker deleting directories as we walk into them,
+	// detect this proactively. Note this is guaranteed to detect if the
+	// attacker deleted any part of the tree up to currentDir.
+	//
+	// Once we walk into a dead directory, partialLookupInRoot would not be
+	// able to walk further down the tree (directories must be empty before
+	// they are deleted), and if the attacker has removed the entire tree we
+	// can be sure that anything that was originally inside a dead directory
+	// must also be deleted and thus is a dead directory in its own right.
+	//
+	// This is mostly a quality-of-life check, because mkdir will simply fail
+	// later if the attacker deletes the tree after this check.
+	if err := isDeadInode(currentDir); err != nil {
+		return nil, fmt.Errorf("finding existing subpath of %q: %w", unsafePath, err)
+	}
+
+	// Re-open the path to match the O_DIRECTORY reopen loop later (so that we
+	// always return a non-O_PATH handle). We also check that we actually got a
+	// directory.
+	if reopenDir, err := Reopen(currentDir, unix.O_DIRECTORY|unix.O_CLOEXEC); errors.Is(err, unix.ENOTDIR) {
+		return nil, fmt.Errorf("cannot create subdirectories in %q: %w", currentDir.Name(), unix.ENOTDIR)
+	} else if err != nil {
+		return nil, fmt.Errorf("re-opening handle to %q: %w", currentDir.Name(), err)
+	} else {
+		_ = currentDir.Close()
+		currentDir = reopenDir
+	}
+
+	remainingParts := strings.Split(remainingPath, string(filepath.Separator))
+	if slices.Contains(remainingParts, "..") {
+		// The path contained ".." components after the end of the "real"
+		// components. We could try to safely resolve ".." here but that would
+		// add a bunch of extra logic for something that it's not clear even
+		// needs to be supported. So just return an error.
+		//
+		// If we do filepath.Clean(remainingPath) then we end up with the
+		// problem that ".." can erase a trailing dangling symlink and produce
+		// a path that doesn't quite match what the user asked for.
+		return nil, fmt.Errorf("%w: yet-to-be-created path %q contains '..' components", unix.ENOENT, remainingPath)
+	}
+
+	// Make sure the mode doesn't have any type bits.
+	mode &^= unix.S_IFMT
+	// What properties do we expect any newly created directories to have?
+	var (
+		// While umask(2) is a per-thread property, and thus this value could
+		// vary between threads, a functioning Go program would LockOSThread
+		// threads with different umasks and so we don't need to LockOSThread
+		// for this entire mkdirat loop (if we are in the locked thread with a
+		// different umask, we are already locked and there's nothing for us to
+		// do -- and if not then it doesn't matter which thread we run on and
+		// there's nothing for us to do).
+		expectedMode = uint32(unix.S_IFDIR | (mode &^ getUmask()))
+
+		// We would want to get the fs[ug]id here, but we can't access those
+		// from userspace. In practice, nobody uses setfs[ug]id() anymore, so
+		// just use the effective [ug]id (which is equivalent to the fs[ug]id
+		// for programs that don't use setfs[ug]id).
+		expectedUid = uint32(unix.Geteuid())
+		expectedGid = uint32(unix.Getegid())
+	)
+
+	// Create the remaining components.
+	for _, part := range remainingParts {
+		switch part {
+		case "", ".":
+			// Skip over no-op paths.
+			continue
+		}
+
+		// NOTE: mkdir(2) will not follow trailing symlinks, so we can safely
+		// create the finaly component without worrying about symlink-exchange
+		// attacks.
+		if err := unix.Mkdirat(int(currentDir.Fd()), part, uint32(mode)); err != nil {
+			err = &os.PathError{Op: "mkdirat", Path: currentDir.Name() + "/" + part, Err: err}
+			// Make the error a bit nicer if the directory is dead.
+			if err2 := isDeadInode(currentDir); err2 != nil {
+				err = fmt.Errorf("%w (%w)", err, err2)
+			}
+			return nil, err
+		}
+
+		// Get a handle to the next component. O_DIRECTORY means we don't need
+		// to use O_PATH.
+		var nextDir *os.File
+		if hasOpenat2() {
+			nextDir, err = openat2File(currentDir, part, &unix.OpenHow{
+				Flags:   unix.O_NOFOLLOW | unix.O_DIRECTORY | unix.O_CLOEXEC,
+				Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_NO_XDEV,
+			})
+		} else {
+			nextDir, err = openatFile(currentDir, part, unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+		}
+		if err != nil {
+			return nil, err
+		}
+		_ = currentDir.Close()
+		currentDir = nextDir
+
+		// Make sure that the directory matches what we expect. An attacker
+		// could have swapped the directory between us making it and opening
+		// it. There's no way for us to be sure that the directory is
+		// _precisely_ the same as the directory we created, but if we are in
+		// an empty directory with the same owner and mode as the one we
+		// created then there is nothing the attacker could do with this new
+		// directory that they couldn't do with the old one.
+		if stat, err := fstat(currentDir); err != nil {
+			return nil, fmt.Errorf("check newly created directory: %w", err)
+		} else {
+			if stat.Mode != expectedMode {
+				return nil, fmt.Errorf("%w: newly created directory %q has incorrect mode 0o%.3o (expected 0o%.3o)", errPossibleAttack, currentDir.Name(), stat.Mode, expectedMode)
+			}
+			if stat.Uid != expectedUid || stat.Gid != expectedGid {
+				return nil, fmt.Errorf("%w: newly created directory %q has incorrect owner %d:%d (expected %d:%d)", errPossibleAttack, currentDir.Name(), stat.Uid, stat.Gid, expectedUid, expectedGid)
+			}
+			// Check that the directory is empty. We only need to check for
+			// a single entry, and we should get EOF if the directory is
+			// empty.
+			_, err := currentDir.Readdirnames(1)
+			if !errors.Is(err, io.EOF) {
+				if err == nil {
+					err = fmt.Errorf("%w: newly created directory %q is non-empty", errPossibleAttack, currentDir.Name())
+				}
+				return nil, fmt.Errorf("check if newly created directory %q is empty: %w", currentDir.Name(), err)
+			}
+			// Reset the offset.
+			_, _ = currentDir.Seek(0, unix.SEEK_SET)
+		}
+	}
+	return currentDir, nil
+}
+
+// MkdirAll is a race-safe alternative to the Go stdlib's os.MkdirAll function,
+// where the new directory is guaranteed to be within the root directory (if an
+// attacker can move directories from inside the root to outside the root, the
+// created directory tree might be outside of the root but the key constraint
+// is that at no point will we walk outside of the directory tree we are
+// creating).
+//
+// Effectively, MkdirAll(root, unsafePath, mode) is equivalent to
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	err := os.MkdirAll(path, mode)
+//
+// But is much safer. The above implementation is unsafe because if an attacker
+// can modify the filesystem tree between SecureJoin and MkdirAll, it is
+// possible for MkdirAll to resolve unsafe symlink components and create
+// directories outside of the root.
+//
+// If you plan to open the directory after you have created it or want to use
+// an open directory handle as the root, you should use MkdirAllHandle instead.
+// This function is a wrapper around MkdirAllHandle.
+//
+// NOTE: The mode argument must be set the unix mode bits (unix.S_I...), not
+// the Go generic mode bits (os.Mode...).
+func MkdirAll(root, unsafePath string, mode int) error {
+	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return err
+	}
+	defer rootDir.Close()
+
+	f, err := MkdirAllHandle(rootDir, unsafePath, mode)
+	if err != nil {
+		return err
+	}
+	_ = f.Close()
+	return nil
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/open_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/open_linux.go
new file mode 100644
index 00000000000..52dce76f3f4
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/open_linux.go
@@ -0,0 +1,101 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+
+	"golang.org/x/sys/unix"
+)
+
+// OpenatInRoot is equivalent to OpenInRoot, except that the root is provided
+// using an *os.File handle, to ensure that the correct root directory is used.
+func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
+	handle, err := completeLookupInRoot(root, unsafePath)
+	if err != nil {
+		return nil, &os.PathError{Op: "securejoin.OpenInRoot", Path: unsafePath, Err: err}
+	}
+	return handle, nil
+}
+
+// OpenInRoot safely opens the provided unsafePath within the root.
+// Effectively, OpenInRoot(root, unsafePath) is equivalent to
+//
+//	path, _ := securejoin.SecureJoin(root, unsafePath)
+//	handle, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)
+//
+// But is much safer. The above implementation is unsafe because if an attacker
+// can modify the filesystem tree between SecureJoin and OpenFile, it is
+// possible for the returned file to be outside of the root.
+//
+// Note that the returned handle is an O_PATH handle, meaning that only a very
+// limited set of operations will work on the handle. This is done to avoid
+// accidentally opening an untrusted file that could cause issues (such as a
+// disconnected TTY that could cause a DoS, or some other issue). In order to
+// use the returned handle, you can "upgrade" it to a proper handle using
+// Reopen.
+func OpenInRoot(root, unsafePath string) (*os.File, error) {
+	rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer rootDir.Close()
+	return OpenatInRoot(rootDir, unsafePath)
+}
+
+// Reopen takes an *os.File handle and re-opens it through /proc/self/fd.
+// Reopen(file, flags) is effectively equivalent to
+//
+//	fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
+//	os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
+//
+// But with some extra hardenings to ensure that we are not tricked by a
+// maliciously-configured /proc mount. While this attack scenario is not
+// common, in container runtimes it is possible for higher-level runtimes to be
+// tricked into configuring an unsafe /proc that can be used to attack file
+// operations. See CVE-2019-19921 for more details.
+func Reopen(handle *os.File, flags int) (*os.File, error) {
+	procRoot, err := getProcRoot()
+	if err != nil {
+		return nil, err
+	}
+
+	// We can't operate on /proc/thread-self/fd/$n directly when doing a
+	// re-open, so we need to open /proc/thread-self/fd and then open a single
+	// final component.
+	procFdDir, closer, err := procThreadSelf(procRoot, "fd/")
+	if err != nil {
+		return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err)
+	}
+	defer procFdDir.Close()
+	defer closer()
+
+	// Try to detect if there is a mount on top of the magic-link we are about
+	// to open. If we are using unsafeHostProcRoot(), this could change after
+	// we check it (and there's nothing we can do about that) but for
+	// privateProcRoot() this should be guaranteed to be safe (at least since
+	// Linux 5.12[1], when anonymous mount namespaces were completely isolated
+	// from external mounts including mount propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	fdStr := strconv.Itoa(int(handle.Fd()))
+	if err := checkSymlinkOvermount(procRoot, procFdDir, fdStr); err != nil {
+		return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
+	}
+
+	flags |= unix.O_CLOEXEC
+	// Rather than just wrapping openatFile, open-code it so we can copy
+	// handle.Name().
+	reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0)
+	if err != nil {
+		return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err)
+	}
+	return os.NewFile(uintptr(reopenFd), handle.Name()), nil
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
new file mode 100644
index 00000000000..921b3e1d449
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
@@ -0,0 +1,141 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"testing"
+
+	"golang.org/x/sys/unix"
+)
+
+var (
+	hasOpenat2Bool bool
+	hasOpenat2Once sync.Once
+
+	testingForceHasOpenat2 *bool
+)
+
+func hasOpenat2() bool {
+	if testing.Testing() && testingForceHasOpenat2 != nil {
+		return *testingForceHasOpenat2
+	}
+	hasOpenat2Once.Do(func() {
+		fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT,
+		})
+		if err == nil {
+			hasOpenat2Bool = true
+			_ = unix.Close(fd)
+		}
+	})
+	return hasOpenat2Bool
+}
+
+func scopedLookupShouldRetry(how *unix.OpenHow, err error) bool {
+	// RESOLVE_IN_ROOT (and RESOLVE_BENEATH) can return -EAGAIN if we resolve
+	// ".." while a mount or rename occurs anywhere on the system. This could
+	// happen spuriously, or as the result of an attacker trying to mess with
+	// us during lookup.
+	//
+	// In addition, scoped lookups have a "safety check" at the end of
+	// complete_walk which will return -EXDEV if the final path is not in the
+	// root.
+	return how.Resolve&(unix.RESOLVE_IN_ROOT|unix.RESOLVE_BENEATH) != 0 &&
+		(errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EXDEV))
+}
+
+const scopedLookupMaxRetries = 10
+
+func openat2File(dir *os.File, path string, how *unix.OpenHow) (*os.File, error) {
+	fullPath := dir.Name() + "/" + path
+	// Make sure we always set O_CLOEXEC.
+	how.Flags |= unix.O_CLOEXEC
+	var tries int
+	for tries < scopedLookupMaxRetries {
+		fd, err := unix.Openat2(int(dir.Fd()), path, how)
+		if err != nil {
+			if scopedLookupShouldRetry(how, err) {
+				// We retry a couple of times to avoid the spurious errors, and
+				// if we are being attacked then returning -EAGAIN is the best
+				// we can do.
+				tries++
+				continue
+			}
+			return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: err}
+		}
+		// If we are using RESOLVE_IN_ROOT, the name we generated may be wrong.
+		// NOTE: The procRoot code MUST NOT use RESOLVE_IN_ROOT, otherwise
+		//       you'll get infinite recursion here.
+		if how.Resolve&unix.RESOLVE_IN_ROOT == unix.RESOLVE_IN_ROOT {
+			if actualPath, err := rawProcSelfFdReadlink(fd); err == nil {
+				fullPath = actualPath
+			}
+		}
+		return os.NewFile(uintptr(fd), fullPath), nil
+	}
+	return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: errPossibleAttack}
+}
+
+func lookupOpenat2(root *os.File, unsafePath string, partial bool) (*os.File, string, error) {
+	if !partial {
+		file, err := openat2File(root, unsafePath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		return file, "", err
+	}
+	return partialLookupOpenat2(root, unsafePath)
+}
+
+// partialLookupOpenat2 is an alternative implementation of
+// partialLookupInRoot, using openat2(RESOLVE_IN_ROOT) to more safely get a
+// handle to the deepest existing child of the requested path within the root.
+func partialLookupOpenat2(root *os.File, unsafePath string) (*os.File, string, error) {
+	// TODO: Implement this as a git-bisect-like binary search.
+
+	unsafePath = filepath.ToSlash(unsafePath) // noop
+	endIdx := len(unsafePath)
+	var lastError error
+	for endIdx > 0 {
+		subpath := unsafePath[:endIdx]
+
+		handle, err := openat2File(root, subpath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		if err == nil {
+			// Jump over the slash if we have a non-"" remainingPath.
+			if endIdx < len(unsafePath) {
+				endIdx += 1
+			}
+			// We found a subpath!
+			return handle, unsafePath[endIdx:], lastError
+		}
+		if errors.Is(err, unix.ENOENT) || errors.Is(err, unix.ENOTDIR) {
+			// That path doesn't exist, let's try the next directory up.
+			endIdx = strings.LastIndexByte(subpath, '/')
+			lastError = err
+			continue
+		}
+		return nil, "", fmt.Errorf("open subpath: %w", err)
+	}
+	// If we couldn't open anything, the whole subpath is missing. Return a
+	// copy of the root fd so that the caller doesn't close this one by
+	// accident.
+	rootClone, err := dupFile(root)
+	if err != nil {
+		return nil, "", err
+	}
+	return rootClone, unsafePath, lastError
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go
new file mode 100644
index 00000000000..949fb5f2d82
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go
@@ -0,0 +1,59 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"os"
+	"path/filepath"
+
+	"golang.org/x/sys/unix"
+)
+
+func dupFile(f *os.File) (*os.File, error) {
+	fd, err := unix.FcntlInt(f.Fd(), unix.F_DUPFD_CLOEXEC, 0)
+	if err != nil {
+		return nil, os.NewSyscallError("fcntl(F_DUPFD_CLOEXEC)", err)
+	}
+	return os.NewFile(uintptr(fd), f.Name()), nil
+}
+
+func openatFile(dir *os.File, path string, flags int, mode int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.O_CLOEXEC
+	fd, err := unix.Openat(int(dir.Fd()), path, flags, uint32(mode))
+	if err != nil {
+		return nil, &os.PathError{Op: "openat", Path: dir.Name() + "/" + path, Err: err}
+	}
+	// All of the paths we use with openatFile(2) are guaranteed to be
+	// lexically safe, so we can use path.Join here.
+	fullPath := filepath.Join(dir.Name(), path)
+	return os.NewFile(uintptr(fd), fullPath), nil
+}
+
+func fstatatFile(dir *os.File, path string, flags int) (unix.Stat_t, error) {
+	var stat unix.Stat_t
+	if err := unix.Fstatat(int(dir.Fd()), path, &stat, flags); err != nil {
+		return stat, &os.PathError{Op: "fstatat", Path: dir.Name() + "/" + path, Err: err}
+	}
+	return stat, nil
+}
+
+func readlinkatFile(dir *os.File, path string) (string, error) {
+	size := 4096
+	for {
+		linkBuf := make([]byte, size)
+		n, err := unix.Readlinkat(int(dir.Fd()), path, linkBuf)
+		if err != nil {
+			return "", &os.PathError{Op: "readlinkat", Path: dir.Name() + "/" + path, Err: err}
+		}
+		if n != size {
+			return string(linkBuf[:n]), nil
+		}
+		// Possible truncation, resize the buffer.
+		size *= 2
+	}
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go
new file mode 100644
index 00000000000..adf0bd08f3b
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go
@@ -0,0 +1,474 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"runtime"
+	"strconv"
+	"sync"
+
+	"golang.org/x/sys/unix"
+)
+
+func fstat(f *os.File) (unix.Stat_t, error) {
+	var stat unix.Stat_t
+	if err := unix.Fstat(int(f.Fd()), &stat); err != nil {
+		return stat, &os.PathError{Op: "fstat", Path: f.Name(), Err: err}
+	}
+	return stat, nil
+}
+
+func fstatfs(f *os.File) (unix.Statfs_t, error) {
+	var statfs unix.Statfs_t
+	if err := unix.Fstatfs(int(f.Fd()), &statfs); err != nil {
+		return statfs, &os.PathError{Op: "fstatfs", Path: f.Name(), Err: err}
+	}
+	return statfs, nil
+}
+
+// The kernel guarantees that the root inode of a procfs mount has an
+// f_type of PROC_SUPER_MAGIC and st_ino of PROC_ROOT_INO.
+const (
+	procSuperMagic = 0x9fa0 // PROC_SUPER_MAGIC
+	procRootIno    = 1      // PROC_ROOT_INO
+)
+
+func verifyProcRoot(procRoot *os.File) error {
+	if statfs, err := fstatfs(procRoot); err != nil {
+		return err
+	} else if statfs.Type != procSuperMagic {
+		return fmt.Errorf("%w: incorrect procfs root filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
+	}
+	if stat, err := fstat(procRoot); err != nil {
+		return err
+	} else if stat.Ino != procRootIno {
+		return fmt.Errorf("%w: incorrect procfs root inode number %d", errUnsafeProcfs, stat.Ino)
+	}
+	return nil
+}
+
+var (
+	hasNewMountApiBool bool
+	hasNewMountApiOnce sync.Once
+)
+
+func hasNewMountApi() bool {
+	hasNewMountApiOnce.Do(func() {
+		// All of the pieces of the new mount API we use (fsopen, fsconfig,
+		// fsmount, open_tree) were added together in Linux 5.1[1,2], so we can
+		// just check for one of the syscalls and the others should also be
+		// available.
+		//
+		// Just try to use open_tree(2) to open a file without OPEN_TREE_CLONE.
+		// This is equivalent to openat(2), but tells us if open_tree is
+		// available (and thus all of the other basic new mount API syscalls).
+		// open_tree(2) is most light-weight syscall to test here.
+		//
+		// [1]: merge commit 400913252d09
+		// [2]: <https://lore.kernel.org/lkml/153754740781.17872.7869536526927736855.stgit@warthog.procyon.org.uk/>
+		fd, err := unix.OpenTree(-int(unix.EBADF), "/", unix.OPEN_TREE_CLOEXEC)
+		if err == nil {
+			hasNewMountApiBool = true
+			_ = unix.Close(fd)
+		}
+	})
+	return hasNewMountApiBool
+}
+
+func fsopen(fsName string, flags int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.FSOPEN_CLOEXEC
+	fd, err := unix.Fsopen(fsName, flags)
+	if err != nil {
+		return nil, os.NewSyscallError("fsopen "+fsName, err)
+	}
+	return os.NewFile(uintptr(fd), "fscontext:"+fsName), nil
+}
+
+func fsmount(ctx *os.File, flags, mountAttrs int) (*os.File, error) {
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.FSMOUNT_CLOEXEC
+	fd, err := unix.Fsmount(int(ctx.Fd()), flags, mountAttrs)
+	if err != nil {
+		return nil, os.NewSyscallError("fsmount "+ctx.Name(), err)
+	}
+	return os.NewFile(uintptr(fd), "fsmount:"+ctx.Name()), nil
+}
+
+func newPrivateProcMount() (*os.File, error) {
+	procfsCtx, err := fsopen("proc", unix.FSOPEN_CLOEXEC)
+	if err != nil {
+		return nil, err
+	}
+	defer procfsCtx.Close()
+
+	// Try to configure hidepid=ptraceable,subset=pid if possible, but ignore errors.
+	_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "hidepid", "ptraceable")
+	_ = unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid")
+
+	// Get an actual handle.
+	if err := unix.FsconfigCreate(int(procfsCtx.Fd())); err != nil {
+		return nil, os.NewSyscallError("fsconfig create procfs", err)
+	}
+	return fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID)
+}
+
+func openTree(dir *os.File, path string, flags uint) (*os.File, error) {
+	dirFd := -int(unix.EBADF)
+	dirName := "."
+	if dir != nil {
+		dirFd = int(dir.Fd())
+		dirName = dir.Name()
+	}
+	// Make sure we always set O_CLOEXEC.
+	flags |= unix.OPEN_TREE_CLOEXEC
+	fd, err := unix.OpenTree(dirFd, path, flags)
+	if err != nil {
+		return nil, &os.PathError{Op: "open_tree", Path: path, Err: err}
+	}
+	return os.NewFile(uintptr(fd), dirName+"/"+path), nil
+}
+
+func clonePrivateProcMount() (_ *os.File, Err error) {
+	// Try to make a clone without using AT_RECURSIVE if we can. If this works,
+	// we can be sure there are no over-mounts and so if the root is valid then
+	// we're golden. Otherwise, we have to deal with over-mounts.
+	procfsHandle, err := openTree(nil, "/proc", unix.OPEN_TREE_CLONE)
+	if err != nil || testingForcePrivateProcRootOpenTreeAtRecursive(procfsHandle) {
+		procfsHandle, err = openTree(nil, "/proc", unix.OPEN_TREE_CLONE|unix.AT_RECURSIVE)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("creating a detached procfs clone: %w", err)
+	}
+	defer func() {
+		if Err != nil {
+			_ = procfsHandle.Close()
+		}
+	}()
+	if err := verifyProcRoot(procfsHandle); err != nil {
+		return nil, err
+	}
+	return procfsHandle, nil
+}
+
+func privateProcRoot() (*os.File, error) {
+	if !hasNewMountApi() || testingForceGetProcRootUnsafe() {
+		return nil, fmt.Errorf("new mount api: %w", unix.ENOTSUP)
+	}
+	// Try to create a new procfs mount from scratch if we can. This ensures we
+	// can get a procfs mount even if /proc is fake (for whatever reason).
+	procRoot, err := newPrivateProcMount()
+	if err != nil || testingForcePrivateProcRootOpenTree(procRoot) {
+		// Try to clone /proc then...
+		procRoot, err = clonePrivateProcMount()
+	}
+	return procRoot, err
+}
+
+var (
+	procRootHandle *os.File
+	procRootError  error
+	procRootOnce   sync.Once
+
+	errUnsafeProcfs = errors.New("unsafe procfs detected")
+)
+
+func unsafeHostProcRoot() (_ *os.File, Err error) {
+	procRoot, err := os.OpenFile("/proc", unix.O_PATH|unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		if Err != nil {
+			_ = procRoot.Close()
+		}
+	}()
+	if err := verifyProcRoot(procRoot); err != nil {
+		return nil, err
+	}
+	return procRoot, nil
+}
+
+func doGetProcRoot() (*os.File, error) {
+	procRoot, err := privateProcRoot()
+	if err != nil {
+		// Fall back to using a /proc handle if making a private mount failed.
+		// If we have openat2, at least we can avoid some kinds of over-mount
+		// attacks, but without openat2 there's not much we can do.
+		procRoot, err = unsafeHostProcRoot()
+	}
+	return procRoot, err
+}
+
+func getProcRoot() (*os.File, error) {
+	procRootOnce.Do(func() {
+		procRootHandle, procRootError = doGetProcRoot()
+	})
+	return procRootHandle, procRootError
+}
+
+var (
+	haveProcThreadSelf     bool
+	haveProcThreadSelfOnce sync.Once
+)
+
+type procThreadSelfCloser func()
+
+// procThreadSelf returns a handle to /proc/thread-self/<subpath> (or an
+// equivalent handle on older kernels where /proc/thread-self doesn't exist).
+// Once finished with the handle, you must call the returned closer function
+// (runtime.UnlockOSThread). You must not pass the returned *os.File to other
+// Go threads or use the handle after calling the closer.
+//
+// This is similar to ProcThreadSelf from runc, but with extra hardening
+// applied and using *os.File.
+func procThreadSelf(procRoot *os.File, subpath string) (_ *os.File, _ procThreadSelfCloser, Err error) {
+	haveProcThreadSelfOnce.Do(func() {
+		// If the kernel doesn't support thread-self, it doesn't matter which
+		// /proc handle we use.
+		_, err := fstatatFile(procRoot, "thread-self", unix.AT_SYMLINK_NOFOLLOW)
+		haveProcThreadSelf = (err == nil)
+	})
+
+	// We need to lock our thread until the caller is done with the handle
+	// because between getting the handle and using it we could get interrupted
+	// by the Go runtime and hit the case where the underlying thread is
+	// swapped out and the original thread is killed, resulting in
+	// pull-your-hair-out-hard-to-debug issues in the caller.
+	runtime.LockOSThread()
+	defer func() {
+		if Err != nil {
+			runtime.UnlockOSThread()
+		}
+	}()
+
+	// Figure out what prefix we want to use.
+	threadSelf := "thread-self/"
+	if !haveProcThreadSelf || testingForceProcSelfTask() {
+		/// Pre-3.17 kernels don't have /proc/thread-self, so do it manually.
+		threadSelf = "self/task/" + strconv.Itoa(unix.Gettid()) + "/"
+		if _, err := fstatatFile(procRoot, threadSelf, unix.AT_SYMLINK_NOFOLLOW); err != nil || testingForceProcSelf() {
+			// In this case, we running in a pid namespace that doesn't match
+			// the /proc mount we have. This can happen inside runc.
+			//
+			// Unfortunately, there is no nice way to get the correct TID to
+			// use here because of the age of the kernel, so we have to just
+			// use /proc/self and hope that it works.
+			threadSelf = "self/"
+		}
+	}
+
+	// Grab the handle.
+	var (
+		handle *os.File
+		err    error
+	)
+	if hasOpenat2() {
+		// We prefer being able to use RESOLVE_NO_XDEV if we can, to be
+		// absolutely sure we are operating on a clean /proc handle that
+		// doesn't have any cheeky overmounts that could trick us (including
+		// symlink mounts on top of /proc/thread-self). RESOLVE_BENEATH isn't
+		// stricly needed, but just use it since we have it.
+		//
+		// NOTE: /proc/self is technically a magic-link (the contents of the
+		//       symlink are generated dynamically), but it doesn't use
+		//       nd_jump_link() so RESOLVE_NO_MAGICLINKS allows it.
+		//
+		// NOTE: We MUST NOT use RESOLVE_IN_ROOT here, as openat2File uses
+		//       procSelfFdReadlink to clean up the returned f.Name() if we use
+		//       RESOLVE_IN_ROOT (which would lead to an infinite recursion).
+		handle, err = openat2File(procRoot, threadSelf+subpath, &unix.OpenHow{
+			Flags:   unix.O_PATH | unix.O_NOFOLLOW | unix.O_CLOEXEC,
+			Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_XDEV | unix.RESOLVE_NO_MAGICLINKS,
+		})
+		if err != nil {
+			return nil, nil, fmt.Errorf("%w: %w", errUnsafeProcfs, err)
+		}
+	} else {
+		handle, err = openatFile(procRoot, threadSelf+subpath, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0)
+		if err != nil {
+			return nil, nil, fmt.Errorf("%w: %w", errUnsafeProcfs, err)
+		}
+		defer func() {
+			if Err != nil {
+				_ = handle.Close()
+			}
+		}()
+		// We can't detect bind-mounts of different parts of procfs on top of
+		// /proc (a-la RESOLVE_NO_XDEV), but we can at least be sure that we
+		// aren't on the wrong filesystem here.
+		if statfs, err := fstatfs(handle); err != nil {
+			return nil, nil, err
+		} else if statfs.Type != procSuperMagic {
+			return nil, nil, fmt.Errorf("%w: incorrect /proc/self/fd filesystem type 0x%x", errUnsafeProcfs, statfs.Type)
+		}
+	}
+	return handle, runtime.UnlockOSThread, nil
+}
+
+var (
+	hasStatxMountIdBool bool
+	hasStatxMountIdOnce sync.Once
+)
+
+func hasStatxMountId() bool {
+	hasStatxMountIdOnce.Do(func() {
+		var (
+			stx unix.Statx_t
+			// We don't care which mount ID we get. The kernel will give us the
+			// unique one if it is supported.
+			wantStxMask uint32 = unix.STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
+		)
+		err := unix.Statx(-int(unix.EBADF), "/", 0, int(wantStxMask), &stx)
+		hasStatxMountIdBool = (err == nil && (stx.Mask&wantStxMask != 0))
+	})
+	return hasStatxMountIdBool
+}
+
+func getMountId(dir *os.File, path string) (uint64, error) {
+	// If we don't have statx(STATX_MNT_ID*) support, we can't do anything.
+	if !hasStatxMountId() {
+		return 0, nil
+	}
+
+	var (
+		stx unix.Statx_t
+		// We don't care which mount ID we get. The kernel will give us the
+		// unique one if it is supported.
+		wantStxMask uint32 = unix.STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID
+	)
+
+	err := unix.Statx(int(dir.Fd()), path, unix.AT_EMPTY_PATH|unix.AT_SYMLINK_NOFOLLOW, int(wantStxMask), &stx)
+	if stx.Mask&wantStxMask == 0 {
+		// It's not a kernel limitation, for some reason we couldn't get a
+		// mount ID. Assume it's some kind of attack.
+		err = fmt.Errorf("%w: could not get mount id", errUnsafeProcfs)
+	}
+	if err != nil {
+		return 0, &os.PathError{Op: "statx(STATX_MNT_ID_...)", Path: dir.Name() + "/" + path, Err: err}
+	}
+	return stx.Mnt_id, nil
+}
+
+func checkSymlinkOvermount(procRoot *os.File, dir *os.File, path string) error {
+	// Get the mntId of our procfs handle.
+	expectedMountId, err := getMountId(procRoot, "")
+	if err != nil {
+		return err
+	}
+	// Get the mntId of the target magic-link.
+	gotMountId, err := getMountId(dir, path)
+	if err != nil {
+		return err
+	}
+	// As long as the directory mount is alive, even with wrapping mount IDs,
+	// we would expect to see a different mount ID here. (Of course, if we're
+	// using unsafeHostProcRoot() then an attaker could change this after we
+	// did this check.)
+	if expectedMountId != gotMountId {
+		return fmt.Errorf("%w: symlink %s/%s has an overmount obscuring the real link (mount ids do not match %d != %d)", errUnsafeProcfs, dir.Name(), path, expectedMountId, gotMountId)
+	}
+	return nil
+}
+
+func doRawProcSelfFdReadlink(procRoot *os.File, fd int) (string, error) {
+	fdPath := fmt.Sprintf("fd/%d", fd)
+	procFdLink, closer, err := procThreadSelf(procRoot, fdPath)
+	if err != nil {
+		return "", fmt.Errorf("get safe /proc/thread-self/%s handle: %w", fdPath, err)
+	}
+	defer procFdLink.Close()
+	defer closer()
+
+	// Try to detect if there is a mount on top of the magic-link. Since we use the handle directly
+	// provide to the closure. If the closure uses the handle directly, this
+	// should be safe in general (a mount on top of the path afterwards would
+	// not affect the handle itself) and will definitely be safe if we are
+	// using privateProcRoot() (at least since Linux 5.12[1], when anonymous
+	// mount namespaces were completely isolated from external mounts including
+	// mount propagation events).
+	//
+	// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
+	// onto targets that reside on shared mounts").
+	if err := checkSymlinkOvermount(procRoot, procFdLink, ""); err != nil {
+		return "", fmt.Errorf("check safety of /proc/thread-self/fd/%d magiclink: %w", fd, err)
+	}
+
+	// readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See Linux commit
+	// 65cfc6722361 ("readlinkat(), fchownat() and fstatat() with empty
+	// relative pathnames").
+	return readlinkatFile(procFdLink, "")
+}
+
+func rawProcSelfFdReadlink(fd int) (string, error) {
+	procRoot, err := getProcRoot()
+	if err != nil {
+		return "", err
+	}
+	return doRawProcSelfFdReadlink(procRoot, fd)
+}
+
+func procSelfFdReadlink(f *os.File) (string, error) {
+	return rawProcSelfFdReadlink(int(f.Fd()))
+}
+
+var (
+	errPossibleBreakout = errors.New("possible breakout detected")
+	errInvalidDirectory = errors.New("wandered into deleted directory")
+	errDeletedInode     = errors.New("cannot verify path of deleted inode")
+)
+
+func isDeadInode(file *os.File) error {
+	// If the nlink of a file drops to 0, there is an attacker deleting
+	// directories during our walk, which could result in weird /proc values.
+	// It's better to error out in this case.
+	stat, err := fstat(file)
+	if err != nil {
+		return fmt.Errorf("check for dead inode: %w", err)
+	}
+	if stat.Nlink == 0 {
+		err := errDeletedInode
+		if stat.Mode&unix.S_IFMT == unix.S_IFDIR {
+			err = errInvalidDirectory
+		}
+		return fmt.Errorf("%w %q", err, file.Name())
+	}
+	return nil
+}
+
+func getUmask() int {
+	// umask is a per-thread property, but it is inherited by children, so we
+	// need to lock our OS thread to make sure that no other goroutine runs in
+	// this thread and no goroutines are spawned from this thread until we
+	// revert to the old umask.
+	//
+	// We could parse /proc/self/status to avoid this get-set problem, but
+	// /proc/thread-self requires LockOSThread anyway, so there's no real
+	// benefit over just using umask(2).
+	runtime.LockOSThread()
+	umask := unix.Umask(0)
+	unix.Umask(umask)
+	runtime.UnlockOSThread()
+	return umask
+}
+
+func checkProcSelfFdPath(path string, file *os.File) error {
+	if err := isDeadInode(file); err != nil {
+		return err
+	}
+	actualPath, err := procSelfFdReadlink(file)
+	if err != nil {
+		return fmt.Errorf("get path of handle: %w", err)
+	}
+	if actualPath != path {
+		return fmt.Errorf("%w: handle path %q doesn't match expected path %q", errPossibleBreakout, actualPath, path)
+	}
+	return nil
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/testing_mocks_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/testing_mocks_linux.go
new file mode 100644
index 00000000000..a3aedf03d1b
--- /dev/null
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/testing_mocks_linux.go
@@ -0,0 +1,68 @@
+//go:build linux
+
+// Copyright (C) 2024 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"os"
+	"testing"
+)
+
+type forceGetProcRootLevel int
+
+const (
+	forceGetProcRootDefault             forceGetProcRootLevel = iota
+	forceGetProcRootOpenTree                                  // force open_tree()
+	forceGetProcRootOpenTreeAtRecursive                       // force open_tree(AT_RECURSIVE)
+	forceGetProcRootUnsafe                                    // force open()
+)
+
+var testingForceGetProcRoot *forceGetProcRootLevel
+
+func testingCheckClose(check bool, f *os.File) bool {
+	if check {
+		if f != nil {
+			_ = f.Close()
+		}
+		return true
+	}
+	return false
+}
+
+func testingForcePrivateProcRootOpenTree(f *os.File) bool {
+	return testing.Testing() && testingForceGetProcRoot != nil &&
+		testingCheckClose(*testingForceGetProcRoot >= forceGetProcRootOpenTree, f)
+}
+
+func testingForcePrivateProcRootOpenTreeAtRecursive(f *os.File) bool {
+	return testing.Testing() && testingForceGetProcRoot != nil &&
+		testingCheckClose(*testingForceGetProcRoot >= forceGetProcRootOpenTreeAtRecursive, f)
+}
+
+func testingForceGetProcRootUnsafe() bool {
+	return testing.Testing() && testingForceGetProcRoot != nil &&
+		*testingForceGetProcRoot >= forceGetProcRootUnsafe
+}
+
+type forceProcThreadSelfLevel int
+
+const (
+	forceProcThreadSelfDefault forceProcThreadSelfLevel = iota
+	forceProcSelfTask
+	forceProcSelf
+)
+
+var testingForceProcThreadSelf *forceProcThreadSelfLevel
+
+func testingForceProcSelfTask() bool {
+	return testing.Testing() && testingForceProcThreadSelf != nil &&
+		*testingForceProcThreadSelf >= forceProcSelfTask
+}
+
+func testingForceProcSelf() bool {
+	return testing.Testing() && testingForceProcThreadSelf != nil &&
+		*testingForceProcThreadSelf >= forceProcSelf
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/vfs.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/vfs.go
index a82a5eae11e..6e27c7dd8e1 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/vfs.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/vfs.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2017 SUSE LLC. All rights reserved.
+// Copyright (C) 2017-2024 SUSE LLC. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/moby/sys/mountinfo/mounted_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/moby/sys/mountinfo/mounted_linux.go
index e78e726196e..58f13c269d3 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/moby/sys/mountinfo/mounted_linux.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/moby/sys/mountinfo/mounted_linux.go
@@ -51,7 +51,7 @@ func mountedByOpenat2(path string) (bool, error) {
 		Resolve: unix.RESOLVE_NO_XDEV,
 	})
 	_ = unix.Close(dirfd)
-	switch err { //nolint:errorlint // unix errors are bare
+	switch err {
 	case nil: // definitely not a mount
 		_ = unix.Close(fd)
 		return false, nil
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go
index 6c79f899b48..72c9cd70b50 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go
@@ -35,15 +35,31 @@ func (s *CpuGroup) Apply(path string, r *configs.Resources, pid int) error {
 }
 
 func (s *CpuGroup) SetRtSched(path string, r *configs.Resources) error {
+	var period string
 	if r.CpuRtPeriod != 0 {
-		if err := cgroups.WriteFile(path, "cpu.rt_period_us", strconv.FormatUint(r.CpuRtPeriod, 10)); err != nil {
-			return err
+		period = strconv.FormatUint(r.CpuRtPeriod, 10)
+		if err := cgroups.WriteFile(path, "cpu.rt_period_us", period); err != nil {
+			// The values of cpu.rt_period_us and cpu.rt_runtime_us
+			// are inter-dependent and need to be set in a proper order.
+			// If the kernel rejects the new period value with EINVAL
+			// and the new runtime value is also being set, let's
+			// ignore the error for now and retry later.
+			if !errors.Is(err, unix.EINVAL) || r.CpuRtRuntime == 0 {
+				return err
+			}
+		} else {
+			period = ""
 		}
 	}
 	if r.CpuRtRuntime != 0 {
 		if err := cgroups.WriteFile(path, "cpu.rt_runtime_us", strconv.FormatInt(r.CpuRtRuntime, 10)); err != nil {
 			return err
 		}
+		if period != "" {
+			if err := cgroups.WriteFile(path, "cpu.rt_period_us", period); err != nil {
+				return err
+			}
+		}
 	}
 	return nil
 }
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/opencontainers/runc/libcontainer/user/user.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
index 984466d1ab5..198c4936795 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
@@ -197,7 +197,6 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
 		for {
 			var line []byte
 			line, isPrefix, err = rd.ReadLine()
-
 			if err != nil {
 				// We should return no error if EOF is reached
 				// without a match.
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/exp/LICENSE b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/exp/LICENSE
index 6a66aea5eaf..2a7cf70da6e 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/exp/LICENSE
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/exp/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/exp/slices/sort.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/exp/slices/sort.go
index b67897f76b5..f58bbc7ba4d 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/exp/slices/sort.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/exp/slices/sort.go
@@ -22,10 +22,12 @@ func Sort[S ~[]E, E constraints.Ordered](x S) {
 // SortFunc sorts the slice x in ascending order as determined by the cmp
 // function. This sort is not guaranteed to be stable.
 // cmp(a, b) should return a negative number when a < b, a positive number when
-// a > b and zero when a == b.
+// a > b and zero when a == b or when a is not comparable to b in the sense
+// of the formal definition of Strict Weak Ordering.
 //
 // SortFunc requires that cmp is a strict weak ordering.
 // See https://en.wikipedia.org/wiki/Weak_ordering#Strict_weak_orderings.
+// To indicate 'uncomparable', return 0 from the function.
 func SortFunc[S ~[]E, E any](x S, cmp func(a, b E) int) {
 	n := len(x)
 	pdqsortCmpFunc(x, 0, n, bits.Len(uint(n)), cmp)
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/net/LICENSE b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/net/LICENSE
index 6a66aea5eaf..2a7cf70da6e 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/net/LICENSE
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/net/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/net/http2/transport.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/net/http2/transport.go
index 98a49c6b6ee..61f511f97aa 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/net/http2/transport.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/net/http2/transport.go
@@ -827,10 +827,6 @@ func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, erro
 	cc.henc.SetMaxDynamicTableSizeLimit(t.maxEncoderHeaderTableSize())
 	cc.peerMaxHeaderTableSize = initialHeaderTableSize
 
-	if t.AllowHTTP {
-		cc.nextStreamID = 3
-	}
-
 	if cs, ok := c.(connectionStater); ok {
 		state := cs.ConnectionState()
 		cc.tlsState = &state
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/LICENSE b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/LICENSE
index 6a66aea5eaf..2a7cf70da6e 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/LICENSE
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/mkerrors.sh b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/mkerrors.sh
index 4ed2e488b61..d07dd09eb50 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/mkerrors.sh
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/mkerrors.sh
@@ -58,6 +58,7 @@ includes_Darwin='
 #define _DARWIN_USE_64_BIT_INODE
 #define __APPLE_USE_RFC_3542
 #include <stdint.h>
+#include <sys/stdio.h>
 #include <sys/attr.h>
 #include <sys/clonefile.h>
 #include <sys/kern_control.h>
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_darwin.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_darwin.go
index 4cc7b005967..2d15200adb4 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_darwin.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_darwin.go
@@ -402,6 +402,18 @@ func IoctlSetIfreqMTU(fd int, ifreq *IfreqMTU) error {
 	return ioctlPtr(fd, SIOCSIFMTU, unsafe.Pointer(ifreq))
 }
 
+//sys	renamexNp(from string, to string, flag uint32) (err error)
+
+func RenamexNp(from string, to string, flag uint32) (err error) {
+	return renamexNp(from, to, flag)
+}
+
+//sys	renameatxNp(fromfd int, from string, tofd int, to string, flag uint32) (err error)
+
+func RenameatxNp(fromfd int, from string, tofd int, to string, flag uint32) (err error) {
+	return renameatxNp(fromfd, from, tofd, to, flag)
+}
+
 //sys	sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS_SYSCTL
 
 func Uname(uname *Utsname) error {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_linux.go
index 5682e2628ad..3f1d3d4cb25 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_linux.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_linux.go
@@ -2592,3 +2592,4 @@ func SchedGetAttr(pid int, flags uint) (*SchedAttr, error) {
 }
 
 //sys	Cachestat(fd uint, crange *CachestatRange, cstat *Cachestat_t, flags uint) (err error)
+//sys	Mseal(b []byte, flags uint) (err error)
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_openbsd.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_openbsd.go
index b25343c71a4..b86ded549c6 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_openbsd.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/syscall_openbsd.go
@@ -293,6 +293,7 @@ func Uname(uname *Utsname) error {
 //sys	Mkfifoat(dirfd int, path string, mode uint32) (err error)
 //sys	Mknod(path string, mode uint32, dev int) (err error)
 //sys	Mknodat(dirfd int, path string, mode uint32, dev int) (err error)
+//sys	Mount(fsType string, dir string, flags int, data unsafe.Pointer) (err error)
 //sys	Nanosleep(time *Timespec, leftover *Timespec) (err error)
 //sys	Open(path string, mode int, perm uint32) (fd int, err error)
 //sys	Openat(dirfd int, path string, mode int, perm uint32) (fd int, err error)
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_darwin_amd64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_darwin_amd64.go
index e40fa85245f..4308ac1772b 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_darwin_amd64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_darwin_amd64.go
@@ -1169,6 +1169,11 @@ const (
 	PT_WRITE_D                              = 0x5
 	PT_WRITE_I                              = 0x4
 	PT_WRITE_U                              = 0x6
+	RENAME_EXCL                             = 0x4
+	RENAME_NOFOLLOW_ANY                     = 0x10
+	RENAME_RESERVED1                        = 0x8
+	RENAME_SECLUDE                          = 0x1
+	RENAME_SWAP                             = 0x2
 	RLIMIT_AS                               = 0x5
 	RLIMIT_CORE                             = 0x4
 	RLIMIT_CPU                              = 0x0
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_darwin_arm64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_darwin_arm64.go
index bb02aa6c056..c8068a7a169 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_darwin_arm64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_darwin_arm64.go
@@ -1169,6 +1169,11 @@ const (
 	PT_WRITE_D                              = 0x5
 	PT_WRITE_I                              = 0x4
 	PT_WRITE_U                              = 0x6
+	RENAME_EXCL                             = 0x4
+	RENAME_NOFOLLOW_ANY                     = 0x10
+	RENAME_RESERVED1                        = 0x8
+	RENAME_SECLUDE                          = 0x1
+	RENAME_SWAP                             = 0x2
 	RLIMIT_AS                               = 0x5
 	RLIMIT_CORE                             = 0x4
 	RLIMIT_CPU                              = 0x0
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux.go
index 877a62b479a..01a70b24638 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux.go
@@ -457,6 +457,7 @@ const (
 	B600                                        = 0x8
 	B75                                         = 0x2
 	B9600                                       = 0xd
+	BCACHEFS_SUPER_MAGIC                        = 0xca451a4e
 	BDEVFS_MAGIC                                = 0x62646576
 	BINDERFS_SUPER_MAGIC                        = 0x6c6f6f70
 	BINFMTFS_MAGIC                              = 0x42494e4d
@@ -928,6 +929,7 @@ const (
 	EPOLL_CTL_ADD                               = 0x1
 	EPOLL_CTL_DEL                               = 0x2
 	EPOLL_CTL_MOD                               = 0x3
+	EPOLL_IOC_TYPE                              = 0x8a
 	EROFS_SUPER_MAGIC_V1                        = 0xe0f5e1e2
 	ESP_V4_FLOW                                 = 0xa
 	ESP_V6_FLOW                                 = 0xc
@@ -941,9 +943,6 @@ const (
 	ETHTOOL_FEC_OFF                             = 0x4
 	ETHTOOL_FEC_RS                              = 0x8
 	ETHTOOL_FLAG_ALL                            = 0x7
-	ETHTOOL_FLAG_COMPACT_BITSETS                = 0x1
-	ETHTOOL_FLAG_OMIT_REPLY                     = 0x2
-	ETHTOOL_FLAG_STATS                          = 0x4
 	ETHTOOL_FLASHDEV                            = 0x33
 	ETHTOOL_FLASH_MAX_FILENAME                  = 0x80
 	ETHTOOL_FWVERS_LEN                          = 0x20
@@ -1705,6 +1704,7 @@ const (
 	KEXEC_ARCH_S390                             = 0x160000
 	KEXEC_ARCH_SH                               = 0x2a0000
 	KEXEC_ARCH_X86_64                           = 0x3e0000
+	KEXEC_CRASH_HOTPLUG_SUPPORT                 = 0x8
 	KEXEC_FILE_DEBUG                            = 0x8
 	KEXEC_FILE_NO_INITRAMFS                     = 0x4
 	KEXEC_FILE_ON_CRASH                         = 0x2
@@ -1780,6 +1780,7 @@ const (
 	KEY_SPEC_USER_KEYRING                       = -0x4
 	KEY_SPEC_USER_SESSION_KEYRING               = -0x5
 	LANDLOCK_ACCESS_FS_EXECUTE                  = 0x1
+	LANDLOCK_ACCESS_FS_IOCTL_DEV                = 0x8000
 	LANDLOCK_ACCESS_FS_MAKE_BLOCK               = 0x800
 	LANDLOCK_ACCESS_FS_MAKE_CHAR                = 0x40
 	LANDLOCK_ACCESS_FS_MAKE_DIR                 = 0x80
@@ -1861,6 +1862,19 @@ const (
 	MAP_FILE                                    = 0x0
 	MAP_FIXED                                   = 0x10
 	MAP_FIXED_NOREPLACE                         = 0x100000
+	MAP_HUGE_16GB                               = 0x88000000
+	MAP_HUGE_16KB                               = 0x38000000
+	MAP_HUGE_16MB                               = 0x60000000
+	MAP_HUGE_1GB                                = 0x78000000
+	MAP_HUGE_1MB                                = 0x50000000
+	MAP_HUGE_256MB                              = 0x70000000
+	MAP_HUGE_2GB                                = 0x7c000000
+	MAP_HUGE_2MB                                = 0x54000000
+	MAP_HUGE_32MB                               = 0x64000000
+	MAP_HUGE_512KB                              = 0x4c000000
+	MAP_HUGE_512MB                              = 0x74000000
+	MAP_HUGE_64KB                               = 0x40000000
+	MAP_HUGE_8MB                                = 0x5c000000
 	MAP_HUGE_MASK                               = 0x3f
 	MAP_HUGE_SHIFT                              = 0x1a
 	MAP_PRIVATE                                 = 0x2
@@ -2498,6 +2512,23 @@ const (
 	PR_PAC_GET_ENABLED_KEYS                     = 0x3d
 	PR_PAC_RESET_KEYS                           = 0x36
 	PR_PAC_SET_ENABLED_KEYS                     = 0x3c
+	PR_PPC_DEXCR_CTRL_CLEAR                     = 0x4
+	PR_PPC_DEXCR_CTRL_CLEAR_ONEXEC              = 0x10
+	PR_PPC_DEXCR_CTRL_EDITABLE                  = 0x1
+	PR_PPC_DEXCR_CTRL_MASK                      = 0x1f
+	PR_PPC_DEXCR_CTRL_SET                       = 0x2
+	PR_PPC_DEXCR_CTRL_SET_ONEXEC                = 0x8
+	PR_PPC_DEXCR_IBRTPD                         = 0x1
+	PR_PPC_DEXCR_NPHIE                          = 0x3
+	PR_PPC_DEXCR_SBHE                           = 0x0
+	PR_PPC_DEXCR_SRAPD                          = 0x2
+	PR_PPC_GET_DEXCR                            = 0x48
+	PR_PPC_SET_DEXCR                            = 0x49
+	PR_RISCV_CTX_SW_FENCEI_OFF                  = 0x1
+	PR_RISCV_CTX_SW_FENCEI_ON                   = 0x0
+	PR_RISCV_SCOPE_PER_PROCESS                  = 0x0
+	PR_RISCV_SCOPE_PER_THREAD                   = 0x1
+	PR_RISCV_SET_ICACHE_FLUSH_CTX               = 0x47
 	PR_RISCV_V_GET_CONTROL                      = 0x46
 	PR_RISCV_V_SET_CONTROL                      = 0x45
 	PR_RISCV_V_VSTATE_CTRL_CUR_MASK             = 0x3
@@ -3192,6 +3223,7 @@ const (
 	STATX_MTIME                                 = 0x40
 	STATX_NLINK                                 = 0x4
 	STATX_SIZE                                  = 0x200
+	STATX_SUBVOL                                = 0x8000
 	STATX_TYPE                                  = 0x1
 	STATX_UID                                   = 0x8
 	STATX__RESERVED                             = 0x80000000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_386.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
index e4bc0bd57c7..684a5168dac 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
index 689317afdbf..61d74b592d6 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
index 5cca668ac30..a28c9e3e893 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
index 14270508b04..ab5d1fe8ead 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	ESR_MAGIC                        = 0x45535201
 	EXTPROC                          = 0x10000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
index 28e39afdcb4..c523090e7c1 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_loong64.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
index cd66e92cb42..01e6ea7804b 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x80
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
index c1595eba78e..7aa610b1e71 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x80
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
index ee9456b0da7..92af771b44a 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x80
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
index 8cfca81e1b5..b27ef5e6f11 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x80
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
index 60b0deb3af7..237a2cefb3e 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x20
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000000
 	FF1                              = 0x4000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
index f90aa7281bf..4a5c555a36e 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x20
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000000
 	FF1                              = 0x4000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
index ba9e0150338..a02fb49a5f8 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x20
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000000
 	FF1                              = 0x4000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
index 07cdfd6e9fd..e26a7c61b2b 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_riscv64.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
index 2f1dd214a74..c48f7c2103b 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
@@ -78,6 +78,8 @@ const (
 	ECHOPRT                          = 0x400
 	EFD_CLOEXEC                      = 0x80000
 	EFD_NONBLOCK                     = 0x800
+	EPIOCGPARAMS                     = 0x80088a02
+	EPIOCSPARAMS                     = 0x40088a01
 	EPOLL_CLOEXEC                    = 0x80000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
index f40519d9018..ad4b9aace7b 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
@@ -82,6 +82,8 @@ const (
 	EFD_CLOEXEC                      = 0x400000
 	EFD_NONBLOCK                     = 0x4000
 	EMT_TAGOVF                       = 0x1
+	EPIOCGPARAMS                     = 0x40088a02
+	EPIOCSPARAMS                     = 0x80088a01
 	EPOLL_CLOEXEC                    = 0x400000
 	EXTPROC                          = 0x10000
 	FF1                              = 0x8000
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go
index 07642c308d3..b622533ef2c 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go
@@ -740,6 +740,54 @@ func ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func renamexNp(from string, to string, flag uint32) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(from)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(to)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall(libc_renamex_np_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(flag))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_renamex_np_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_renamex_np renamex_np "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func renameatxNp(fromfd int, from string, tofd int, to string, flag uint32) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(from)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(to)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall6(libc_renameatx_np_trampoline_addr, uintptr(fromfd), uintptr(unsafe.Pointer(_p0)), uintptr(tofd), uintptr(unsafe.Pointer(_p1)), uintptr(flag), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_renameatx_np_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_renameatx_np renameatx_np "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) {
 	var _p0 unsafe.Pointer
 	if len(mib) > 0 {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s
index 923e08cb792..cfe6646baf2 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s
@@ -223,6 +223,16 @@ TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ioctl_trampoline_addr(SB)/8, $libc_ioctl_trampoline<>(SB)
 
+TEXT libc_renamex_np_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_renamex_np(SB)
+GLOBL	·libc_renamex_np_trampoline_addr(SB), RODATA, $8
+DATA	·libc_renamex_np_trampoline_addr(SB)/8, $libc_renamex_np_trampoline<>(SB)
+
+TEXT libc_renameatx_np_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_renameatx_np(SB)
+GLOBL	·libc_renameatx_np_trampoline_addr(SB), RODATA, $8
+DATA	·libc_renameatx_np_trampoline_addr(SB)/8, $libc_renameatx_np_trampoline<>(SB)
+
 TEXT libc_sysctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sysctl(SB)
 GLOBL	·libc_sysctl_trampoline_addr(SB), RODATA, $8
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go
index 7d73dda6473..13f624f69f1 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go
@@ -740,6 +740,54 @@ func ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func renamexNp(from string, to string, flag uint32) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(from)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(to)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall(libc_renamex_np_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(flag))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_renamex_np_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_renamex_np renamex_np "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func renameatxNp(fromfd int, from string, tofd int, to string, flag uint32) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(from)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(to)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall6(libc_renameatx_np_trampoline_addr, uintptr(fromfd), uintptr(unsafe.Pointer(_p0)), uintptr(tofd), uintptr(unsafe.Pointer(_p1)), uintptr(flag), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_renameatx_np_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_renameatx_np renameatx_np "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) {
 	var _p0 unsafe.Pointer
 	if len(mib) > 0 {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s
index 057700111e7..fe222b75df0 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s
@@ -223,6 +223,16 @@ TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $8
 DATA	·libc_ioctl_trampoline_addr(SB)/8, $libc_ioctl_trampoline<>(SB)
 
+TEXT libc_renamex_np_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_renamex_np(SB)
+GLOBL	·libc_renamex_np_trampoline_addr(SB), RODATA, $8
+DATA	·libc_renamex_np_trampoline_addr(SB)/8, $libc_renamex_np_trampoline<>(SB)
+
+TEXT libc_renameatx_np_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_renameatx_np(SB)
+GLOBL	·libc_renameatx_np_trampoline_addr(SB), RODATA, $8
+DATA	·libc_renameatx_np_trampoline_addr(SB)/8, $libc_renameatx_np_trampoline<>(SB)
+
 TEXT libc_sysctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sysctl(SB)
 GLOBL	·libc_sysctl_trampoline_addr(SB), RODATA, $8
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_linux.go
index 87d8612a1dc..1bc1a5adb25 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_linux.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_linux.go
@@ -2229,3 +2229,19 @@ func Cachestat(fd uint, crange *CachestatRange, cstat *Cachestat_t, flags uint)
 	}
 	return
 }
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func Mseal(b []byte, flags uint) (err error) {
+	var _p0 unsafe.Pointer
+	if len(b) > 0 {
+		_p0 = unsafe.Pointer(&b[0])
+	} else {
+		_p0 = unsafe.Pointer(&_zero)
+	}
+	_, _, e1 := Syscall(SYS_MSEAL, uintptr(_p0), uintptr(len(b)), uintptr(flags))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
index 9dc42410b78..1851df14e87 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
@@ -1493,6 +1493,30 @@ var libc_mknodat_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func Mount(fsType string, dir string, flags int, data unsafe.Pointer) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(fsType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(dir)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall6(libc_mount_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(flags), uintptr(data), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_mount_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mount mount "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Nanosleep(time *Timespec, leftover *Timespec) (err error) {
 	_, _, e1 := syscall_syscall(libc_nanosleep_trampoline_addr, uintptr(unsafe.Pointer(time)), uintptr(unsafe.Pointer(leftover)), 0)
 	if e1 != 0 {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s
index 41b5617316c..0b43c693656 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s
@@ -463,6 +463,11 @@ TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mknodat_trampoline_addr(SB)/4, $libc_mknodat_trampoline<>(SB)
 
+TEXT libc_mount_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mount(SB)
+GLOBL	·libc_mount_trampoline_addr(SB), RODATA, $4
+DATA	·libc_mount_trampoline_addr(SB)/4, $libc_mount_trampoline<>(SB)
+
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $4
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
index 0d3a0751cd4..e1ec0dbe4ec 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
@@ -1493,6 +1493,30 @@ var libc_mknodat_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func Mount(fsType string, dir string, flags int, data unsafe.Pointer) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(fsType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(dir)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall6(libc_mount_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(flags), uintptr(data), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_mount_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mount mount "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Nanosleep(time *Timespec, leftover *Timespec) (err error) {
 	_, _, e1 := syscall_syscall(libc_nanosleep_trampoline_addr, uintptr(unsafe.Pointer(time)), uintptr(unsafe.Pointer(leftover)), 0)
 	if e1 != 0 {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s
index 4019a656f6d..880c6d6e316 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s
@@ -463,6 +463,11 @@ TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknodat_trampoline_addr(SB)/8, $libc_mknodat_trampoline<>(SB)
 
+TEXT libc_mount_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mount(SB)
+GLOBL	·libc_mount_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mount_trampoline_addr(SB)/8, $libc_mount_trampoline<>(SB)
+
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $8
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
index c39f7776db3..7c8452a63e9 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
@@ -1493,6 +1493,30 @@ var libc_mknodat_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func Mount(fsType string, dir string, flags int, data unsafe.Pointer) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(fsType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(dir)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall6(libc_mount_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(flags), uintptr(data), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_mount_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mount mount "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Nanosleep(time *Timespec, leftover *Timespec) (err error) {
 	_, _, e1 := syscall_syscall(libc_nanosleep_trampoline_addr, uintptr(unsafe.Pointer(time)), uintptr(unsafe.Pointer(leftover)), 0)
 	if e1 != 0 {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s
index ac4af24f908..b8ef95b0fa1 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s
@@ -463,6 +463,11 @@ TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $4
 DATA	·libc_mknodat_trampoline_addr(SB)/4, $libc_mknodat_trampoline<>(SB)
 
+TEXT libc_mount_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mount(SB)
+GLOBL	·libc_mount_trampoline_addr(SB), RODATA, $4
+DATA	·libc_mount_trampoline_addr(SB)/4, $libc_mount_trampoline<>(SB)
+
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $4
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
index 57571d072fe..2ffdf861f75 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
@@ -1493,6 +1493,30 @@ var libc_mknodat_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func Mount(fsType string, dir string, flags int, data unsafe.Pointer) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(fsType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(dir)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall6(libc_mount_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(flags), uintptr(data), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_mount_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mount mount "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Nanosleep(time *Timespec, leftover *Timespec) (err error) {
 	_, _, e1 := syscall_syscall(libc_nanosleep_trampoline_addr, uintptr(unsafe.Pointer(time)), uintptr(unsafe.Pointer(leftover)), 0)
 	if e1 != 0 {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s
index f77d532121b..2af3b5c762f 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s
@@ -463,6 +463,11 @@ TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknodat_trampoline_addr(SB)/8, $libc_mknodat_trampoline<>(SB)
 
+TEXT libc_mount_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mount(SB)
+GLOBL	·libc_mount_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mount_trampoline_addr(SB)/8, $libc_mount_trampoline<>(SB)
+
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $8
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
index e62963e67e2..1da08d52675 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
@@ -1493,6 +1493,30 @@ var libc_mknodat_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func Mount(fsType string, dir string, flags int, data unsafe.Pointer) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(fsType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(dir)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall6(libc_mount_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(flags), uintptr(data), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_mount_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mount mount "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Nanosleep(time *Timespec, leftover *Timespec) (err error) {
 	_, _, e1 := syscall_syscall(libc_nanosleep_trampoline_addr, uintptr(unsafe.Pointer(time)), uintptr(unsafe.Pointer(leftover)), 0)
 	if e1 != 0 {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s
index fae140b62c9..b7a251353b0 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s
@@ -463,6 +463,11 @@ TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknodat_trampoline_addr(SB)/8, $libc_mknodat_trampoline<>(SB)
 
+TEXT libc_mount_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mount(SB)
+GLOBL	·libc_mount_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mount_trampoline_addr(SB)/8, $libc_mount_trampoline<>(SB)
+
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $8
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
index 00831354c82..6e85b0aac95 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
@@ -1493,6 +1493,30 @@ var libc_mknodat_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func Mount(fsType string, dir string, flags int, data unsafe.Pointer) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(fsType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(dir)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall6(libc_mount_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(flags), uintptr(data), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_mount_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mount mount "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Nanosleep(time *Timespec, leftover *Timespec) (err error) {
 	_, _, e1 := syscall_syscall(libc_nanosleep_trampoline_addr, uintptr(unsafe.Pointer(time)), uintptr(unsafe.Pointer(leftover)), 0)
 	if e1 != 0 {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s
index 9d1e0ff06d0..f15dadf0552 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s
@@ -555,6 +555,12 @@ TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknodat_trampoline_addr(SB)/8, $libc_mknodat_trampoline<>(SB)
 
+TEXT libc_mount_trampoline<>(SB),NOSPLIT,$0-0
+	CALL	libc_mount(SB)
+	RET
+GLOBL	·libc_mount_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mount_trampoline_addr(SB)/8, $libc_mount_trampoline<>(SB)
+
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	CALL	libc_nanosleep(SB)
 	RET
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
index 79029ed5848..28b487df251 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
@@ -1493,6 +1493,30 @@ var libc_mknodat_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func Mount(fsType string, dir string, flags int, data unsafe.Pointer) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(fsType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(dir)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall6(libc_mount_trampoline_addr, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), uintptr(flags), uintptr(data), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_mount_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_mount mount "libc.so"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Nanosleep(time *Timespec, leftover *Timespec) (err error) {
 	_, _, e1 := syscall_syscall(libc_nanosleep_trampoline_addr, uintptr(unsafe.Pointer(time)), uintptr(unsafe.Pointer(leftover)), 0)
 	if e1 != 0 {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s
index da115f9a4b6..1e7f321e436 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s
@@ -463,6 +463,11 @@ TEXT libc_mknodat_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_mknodat_trampoline_addr(SB), RODATA, $8
 DATA	·libc_mknodat_trampoline_addr(SB)/8, $libc_mknodat_trampoline<>(SB)
 
+TEXT libc_mount_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_mount(SB)
+GLOBL	·libc_mount_trampoline_addr(SB), RODATA, $8
+DATA	·libc_mount_trampoline_addr(SB)/8, $libc_mount_trampoline<>(SB)
+
 TEXT libc_nanosleep_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_nanosleep(SB)
 GLOBL	·libc_nanosleep_trampoline_addr(SB), RODATA, $8
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
index 53aef5dc58d..524b0820cbc 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_386.go
@@ -457,4 +457,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR            = 459
 	SYS_LSM_SET_SELF_ATTR            = 460
 	SYS_LSM_LIST_MODULES             = 461
+	SYS_MSEAL                        = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
index 71d524763d3..d3e38f681ab 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_amd64.go
@@ -379,4 +379,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR       = 459
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
index c747706131c..70b35bf3b09 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_arm.go
@@ -421,4 +421,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR            = 459
 	SYS_LSM_SET_SELF_ATTR            = 460
 	SYS_LSM_LIST_MODULES             = 461
+	SYS_MSEAL                        = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
index f96e214f6d4..6c778c23278 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_arm64.go
@@ -324,4 +324,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR       = 459
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
index 28425346cf1..37281cf51a8 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_loong64.go
@@ -318,4 +318,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR       = 459
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
index d0953018dae..7e567f1efff 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips.go
@@ -441,4 +441,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR            = 4459
 	SYS_LSM_SET_SELF_ATTR            = 4460
 	SYS_LSM_LIST_MODULES             = 4461
+	SYS_MSEAL                        = 4462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
index 295c7f4b818..38ae55e5ef8 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64.go
@@ -371,4 +371,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR       = 5459
 	SYS_LSM_SET_SELF_ATTR       = 5460
 	SYS_LSM_LIST_MODULES        = 5461
+	SYS_MSEAL                   = 5462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
index d1a9eaca7a4..55e92e60a82 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mips64le.go
@@ -371,4 +371,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR       = 5459
 	SYS_LSM_SET_SELF_ATTR       = 5460
 	SYS_LSM_LIST_MODULES        = 5461
+	SYS_MSEAL                   = 5462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
index bec157c39fd..60658d6a021 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_mipsle.go
@@ -441,4 +441,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR            = 4459
 	SYS_LSM_SET_SELF_ATTR            = 4460
 	SYS_LSM_LIST_MODULES             = 4461
+	SYS_MSEAL                        = 4462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
index 7ee7bdc435c..e203e8a7ed4 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc.go
@@ -448,4 +448,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR            = 459
 	SYS_LSM_SET_SELF_ATTR            = 460
 	SYS_LSM_LIST_MODULES             = 461
+	SYS_MSEAL                        = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
index fad1f25b449..5944b97d546 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64.go
@@ -420,4 +420,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR       = 459
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
index 7d3e16357d6..c66d416dad1 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_ppc64le.go
@@ -420,4 +420,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR       = 459
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
index 0ed53ad9f7e..9889f6a5591 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_riscv64.go
@@ -325,4 +325,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR       = 459
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
index 2fba04ad500..01d86825bb9 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
@@ -386,4 +386,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR       = 459
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
index 621d00d741b..7b703e77cda 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/zsysnum_linux_sparc64.go
@@ -399,4 +399,5 @@ const (
 	SYS_LSM_GET_SELF_ATTR       = 459
 	SYS_LSM_SET_SELF_ATTR       = 460
 	SYS_LSM_LIST_MODULES        = 461
+	SYS_MSEAL                   = 462
 )
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/ztypes_linux.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/ztypes_linux.go
index 4740b834854..7f1961b907a 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/ztypes_linux.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/unix/ztypes_linux.go
@@ -110,7 +110,8 @@ type Statx_t struct {
 	Mnt_id           uint64
 	Dio_mem_align    uint32
 	Dio_offset_align uint32
-	_                [12]uint64
+	Subvol           uint64
+	_                [11]uint64
 }
 
 type Fsid struct {
@@ -3473,7 +3474,7 @@ const (
 	DEVLINK_PORT_FN_ATTR_STATE                         = 0x2
 	DEVLINK_PORT_FN_ATTR_OPSTATE                       = 0x3
 	DEVLINK_PORT_FN_ATTR_CAPS                          = 0x4
-	DEVLINK_PORT_FUNCTION_ATTR_MAX                     = 0x5
+	DEVLINK_PORT_FUNCTION_ATTR_MAX                     = 0x6
 )
 
 type FsverityDigest struct {
@@ -3806,6 +3807,9 @@ const (
 	ETHTOOL_MSG_PSE_GET_REPLY                 = 0x25
 	ETHTOOL_MSG_RSS_GET_REPLY                 = 0x26
 	ETHTOOL_MSG_KERNEL_MAX                    = 0x2b
+	ETHTOOL_FLAG_COMPACT_BITSETS              = 0x1
+	ETHTOOL_FLAG_OMIT_REPLY                   = 0x2
+	ETHTOOL_FLAG_STATS                        = 0x4
 	ETHTOOL_A_HEADER_UNSPEC                   = 0x0
 	ETHTOOL_A_HEADER_DEV_INDEX                = 0x1
 	ETHTOOL_A_HEADER_DEV_NAME                 = 0x2
@@ -3975,7 +3979,7 @@ const (
 	ETHTOOL_A_TSINFO_TX_TYPES                 = 0x3
 	ETHTOOL_A_TSINFO_RX_FILTERS               = 0x4
 	ETHTOOL_A_TSINFO_PHC_INDEX                = 0x5
-	ETHTOOL_A_TSINFO_MAX                      = 0x5
+	ETHTOOL_A_TSINFO_MAX                      = 0x6
 	ETHTOOL_A_CABLE_TEST_UNSPEC               = 0x0
 	ETHTOOL_A_CABLE_TEST_HEADER               = 0x1
 	ETHTOOL_A_CABLE_TEST_MAX                  = 0x1
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/security_windows.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/security_windows.go
index 97651b5bd04..b6e1ab76f82 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/security_windows.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/security_windows.go
@@ -1179,7 +1179,7 @@ type OBJECTS_AND_NAME struct {
 //sys	makeSelfRelativeSD(absoluteSD *SECURITY_DESCRIPTOR, selfRelativeSD *SECURITY_DESCRIPTOR, selfRelativeSDSize *uint32) (err error) = advapi32.MakeSelfRelativeSD
 
 //sys	setEntriesInAcl(countExplicitEntries uint32, explicitEntries *EXPLICIT_ACCESS, oldACL *ACL, newACL **ACL) (ret error) = advapi32.SetEntriesInAclW
-//sys	GetAce(acl *ACL, aceIndex uint32, pAce **ACCESS_ALLOWED_ACE) (ret error) = advapi32.GetAce
+//sys	GetAce(acl *ACL, aceIndex uint32, pAce **ACCESS_ALLOWED_ACE) (err error) = advapi32.GetAce
 
 // Control returns the security descriptor control bits.
 func (sd *SECURITY_DESCRIPTOR) Control() (control SECURITY_DESCRIPTOR_CONTROL, revision uint32, err error) {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/syscall_windows.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/syscall_windows.go
index 6525c62f3c2..1fa34fd17c5 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/syscall_windows.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/syscall_windows.go
@@ -17,8 +17,10 @@ import (
 	"unsafe"
 )
 
-type Handle uintptr
-type HWND uintptr
+type (
+	Handle uintptr
+	HWND   uintptr
+)
 
 const (
 	InvalidHandle = ^Handle(0)
@@ -211,6 +213,10 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	OpenProcess(desiredAccess uint32, inheritHandle bool, processId uint32) (handle Handle, err error)
 //sys	ShellExecute(hwnd Handle, verb *uint16, file *uint16, args *uint16, cwd *uint16, showCmd int32) (err error) [failretval<=32] = shell32.ShellExecuteW
 //sys	GetWindowThreadProcessId(hwnd HWND, pid *uint32) (tid uint32, err error) = user32.GetWindowThreadProcessId
+//sys	LoadKeyboardLayout(name *uint16, flags uint32) (hkl Handle, err error) [failretval==0] = user32.LoadKeyboardLayoutW
+//sys	UnloadKeyboardLayout(hkl Handle) (err error) = user32.UnloadKeyboardLayout
+//sys	GetKeyboardLayout(tid uint32) (hkl Handle) = user32.GetKeyboardLayout
+//sys	ToUnicodeEx(vkey uint32, scancode uint32, keystate *byte, pwszBuff *uint16, cchBuff int32, flags uint32, hkl Handle) (ret int32) = user32.ToUnicodeEx
 //sys	GetShellWindow() (shellWindow HWND) = user32.GetShellWindow
 //sys	MessageBox(hwnd HWND, text *uint16, caption *uint16, boxtype uint32) (ret int32, err error) [failretval==0] = user32.MessageBoxW
 //sys	ExitWindowsEx(flags uint32, reason uint32) (err error) = user32.ExitWindowsEx
@@ -1368,9 +1374,11 @@ func SetsockoptLinger(fd Handle, level, opt int, l *Linger) (err error) {
 func SetsockoptInet4Addr(fd Handle, level, opt int, value [4]byte) (err error) {
 	return Setsockopt(fd, int32(level), int32(opt), (*byte)(unsafe.Pointer(&value[0])), 4)
 }
+
 func SetsockoptIPMreq(fd Handle, level, opt int, mreq *IPMreq) (err error) {
 	return Setsockopt(fd, int32(level), int32(opt), (*byte)(unsafe.Pointer(mreq)), int32(unsafe.Sizeof(*mreq)))
 }
+
 func SetsockoptIPv6Mreq(fd Handle, level, opt int, mreq *IPv6Mreq) (err error) {
 	return syscall.EWINDOWS
 }
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/types_windows.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/types_windows.go
index d8cb71db0a6..3f03b3d57cc 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/types_windows.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/types_windows.go
@@ -2003,7 +2003,21 @@ const (
 	MOVEFILE_FAIL_IF_NOT_TRACKABLE = 0x20
 )
 
-const GAA_FLAG_INCLUDE_PREFIX = 0x00000010
+// Flags for GetAdaptersAddresses, see
+// https://learn.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getadaptersaddresses.
+const (
+	GAA_FLAG_SKIP_UNICAST                = 0x1
+	GAA_FLAG_SKIP_ANYCAST                = 0x2
+	GAA_FLAG_SKIP_MULTICAST              = 0x4
+	GAA_FLAG_SKIP_DNS_SERVER             = 0x8
+	GAA_FLAG_INCLUDE_PREFIX              = 0x10
+	GAA_FLAG_SKIP_FRIENDLY_NAME          = 0x20
+	GAA_FLAG_INCLUDE_WINS_INFO           = 0x40
+	GAA_FLAG_INCLUDE_GATEWAYS            = 0x80
+	GAA_FLAG_INCLUDE_ALL_INTERFACES      = 0x100
+	GAA_FLAG_INCLUDE_ALL_COMPARTMENTS    = 0x200
+	GAA_FLAG_INCLUDE_TUNNEL_BINDINGORDER = 0x400
+)
 
 const (
 	IF_TYPE_OTHER              = 1
@@ -2017,6 +2031,50 @@ const (
 	IF_TYPE_IEEE1394           = 144
 )
 
+// Enum NL_PREFIX_ORIGIN for [IpAdapterUnicastAddress], see
+// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_prefix_origin
+const (
+	IpPrefixOriginOther               = 0
+	IpPrefixOriginManual              = 1
+	IpPrefixOriginWellKnown           = 2
+	IpPrefixOriginDhcp                = 3
+	IpPrefixOriginRouterAdvertisement = 4
+	IpPrefixOriginUnchanged           = 1 << 4
+)
+
+// Enum NL_SUFFIX_ORIGIN for [IpAdapterUnicastAddress], see
+// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_suffix_origin
+const (
+	NlsoOther                      = 0
+	NlsoManual                     = 1
+	NlsoWellKnown                  = 2
+	NlsoDhcp                       = 3
+	NlsoLinkLayerAddress           = 4
+	NlsoRandom                     = 5
+	IpSuffixOriginOther            = 0
+	IpSuffixOriginManual           = 1
+	IpSuffixOriginWellKnown        = 2
+	IpSuffixOriginDhcp             = 3
+	IpSuffixOriginLinkLayerAddress = 4
+	IpSuffixOriginRandom           = 5
+	IpSuffixOriginUnchanged        = 1 << 4
+)
+
+// Enum NL_DAD_STATE for [IpAdapterUnicastAddress], see
+// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_dad_state
+const (
+	NldsInvalid          = 0
+	NldsTentative        = 1
+	NldsDuplicate        = 2
+	NldsDeprecated       = 3
+	NldsPreferred        = 4
+	IpDadStateInvalid    = 0
+	IpDadStateTentative  = 1
+	IpDadStateDuplicate  = 2
+	IpDadStateDeprecated = 3
+	IpDadStatePreferred  = 4
+)
+
 type SocketAddress struct {
 	Sockaddr       *syscall.RawSockaddrAny
 	SockaddrLength int32
@@ -3404,3 +3462,14 @@ type DCB struct {
 	EvtChar    byte
 	wReserved1 uint16
 }
+
+// Keyboard Layout Flags.
+// See https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-loadkeyboardlayoutw
+const (
+	KLF_ACTIVATE      = 0x00000001
+	KLF_SUBSTITUTE_OK = 0x00000002
+	KLF_REORDER       = 0x00000008
+	KLF_REPLACELANG   = 0x00000010
+	KLF_NOTELLSHELL   = 0x00000080
+	KLF_SETFORPROCESS = 0x00000100
+)
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/zsyscall_windows.go b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/zsyscall_windows.go
index eba761018aa..9bb979a3e47 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/zsyscall_windows.go
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/sys/windows/zsyscall_windows.go
@@ -478,12 +478,16 @@ var (
 	procGetDesktopWindow                                     = moduser32.NewProc("GetDesktopWindow")
 	procGetForegroundWindow                                  = moduser32.NewProc("GetForegroundWindow")
 	procGetGUIThreadInfo                                     = moduser32.NewProc("GetGUIThreadInfo")
+	procGetKeyboardLayout                                    = moduser32.NewProc("GetKeyboardLayout")
 	procGetShellWindow                                       = moduser32.NewProc("GetShellWindow")
 	procGetWindowThreadProcessId                             = moduser32.NewProc("GetWindowThreadProcessId")
 	procIsWindow                                             = moduser32.NewProc("IsWindow")
 	procIsWindowUnicode                                      = moduser32.NewProc("IsWindowUnicode")
 	procIsWindowVisible                                      = moduser32.NewProc("IsWindowVisible")
+	procLoadKeyboardLayoutW                                  = moduser32.NewProc("LoadKeyboardLayoutW")
 	procMessageBoxW                                          = moduser32.NewProc("MessageBoxW")
+	procToUnicodeEx                                          = moduser32.NewProc("ToUnicodeEx")
+	procUnloadKeyboardLayout                                 = moduser32.NewProc("UnloadKeyboardLayout")
 	procCreateEnvironmentBlock                               = moduserenv.NewProc("CreateEnvironmentBlock")
 	procDestroyEnvironmentBlock                              = moduserenv.NewProc("DestroyEnvironmentBlock")
 	procGetUserProfileDirectoryW                             = moduserenv.NewProc("GetUserProfileDirectoryW")
@@ -789,6 +793,14 @@ func FreeSid(sid *SID) (err error) {
 	return
 }
 
+func GetAce(acl *ACL, aceIndex uint32, pAce **ACCESS_ALLOWED_ACE) (err error) {
+	r1, _, e1 := syscall.Syscall(procGetAce.Addr(), 3, uintptr(unsafe.Pointer(acl)), uintptr(aceIndex), uintptr(unsafe.Pointer(pAce)))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func GetLengthSid(sid *SID) (len uint32) {
 	r0, _, _ := syscall.Syscall(procGetLengthSid.Addr(), 1, uintptr(unsafe.Pointer(sid)), 0, 0)
 	len = uint32(r0)
@@ -1225,14 +1237,6 @@ func setEntriesInAcl(countExplicitEntries uint32, explicitEntries *EXPLICIT_ACCE
 	return
 }
 
-func GetAce(acl *ACL, aceIndex uint32, pAce **ACCESS_ALLOWED_ACE) (ret error) {
-	r0, _, _ := syscall.Syscall(procGetAce.Addr(), 3, uintptr(unsafe.Pointer(acl)), uintptr(aceIndex), uintptr(unsafe.Pointer(pAce)))
-	if r0 == 0 {
-		ret = GetLastError()
-	}
-	return
-}
-
 func SetKernelObjectSecurity(handle Handle, securityInformation SECURITY_INFORMATION, securityDescriptor *SECURITY_DESCRIPTOR) (err error) {
 	r1, _, e1 := syscall.Syscall(procSetKernelObjectSecurity.Addr(), 3, uintptr(handle), uintptr(securityInformation), uintptr(unsafe.Pointer(securityDescriptor)))
 	if r1 == 0 {
@@ -4082,6 +4086,12 @@ func GetGUIThreadInfo(thread uint32, info *GUIThreadInfo) (err error) {
 	return
 }
 
+func GetKeyboardLayout(tid uint32) (hkl Handle) {
+	r0, _, _ := syscall.Syscall(procGetKeyboardLayout.Addr(), 1, uintptr(tid), 0, 0)
+	hkl = Handle(r0)
+	return
+}
+
 func GetShellWindow() (shellWindow HWND) {
 	r0, _, _ := syscall.Syscall(procGetShellWindow.Addr(), 0, 0, 0, 0)
 	shellWindow = HWND(r0)
@@ -4115,6 +4125,15 @@ func IsWindowVisible(hwnd HWND) (isVisible bool) {
 	return
 }
 
+func LoadKeyboardLayout(name *uint16, flags uint32) (hkl Handle, err error) {
+	r0, _, e1 := syscall.Syscall(procLoadKeyboardLayoutW.Addr(), 2, uintptr(unsafe.Pointer(name)), uintptr(flags), 0)
+	hkl = Handle(r0)
+	if hkl == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func MessageBox(hwnd HWND, text *uint16, caption *uint16, boxtype uint32) (ret int32, err error) {
 	r0, _, e1 := syscall.Syscall6(procMessageBoxW.Addr(), 4, uintptr(hwnd), uintptr(unsafe.Pointer(text)), uintptr(unsafe.Pointer(caption)), uintptr(boxtype), 0, 0)
 	ret = int32(r0)
@@ -4124,6 +4143,20 @@ func MessageBox(hwnd HWND, text *uint16, caption *uint16, boxtype uint32) (ret i
 	return
 }
 
+func ToUnicodeEx(vkey uint32, scancode uint32, keystate *byte, pwszBuff *uint16, cchBuff int32, flags uint32, hkl Handle) (ret int32) {
+	r0, _, _ := syscall.Syscall9(procToUnicodeEx.Addr(), 7, uintptr(vkey), uintptr(scancode), uintptr(unsafe.Pointer(keystate)), uintptr(unsafe.Pointer(pwszBuff)), uintptr(cchBuff), uintptr(flags), uintptr(hkl), 0, 0)
+	ret = int32(r0)
+	return
+}
+
+func UnloadKeyboardLayout(hkl Handle) (err error) {
+	r1, _, e1 := syscall.Syscall(procUnloadKeyboardLayout.Addr(), 1, uintptr(hkl), 0, 0)
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func CreateEnvironmentBlock(block **uint16, token Token, inheritExisting bool) (err error) {
 	var _p0 uint32
 	if inheritExisting {
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/text/LICENSE b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/text/LICENSE
index 6a66aea5eaf..2a7cf70da6e 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/text/LICENSE
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/golang.org/x/text/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt b/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt
index 218f833ca92..e66f636fa12 100644
--- a/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt
@@ -22,14 +22,17 @@ github.com/cilium/lumberjack/v2
 # github.com/cilium/tetragon/api v0.0.0-00010101000000-000000000000 => ../../../api
 ## explicit; go 1.22.2
 github.com/cilium/tetragon/api/v1/tetragon
-# github.com/containers/common v0.58.2
-## explicit; go 1.20
+# github.com/containers/common v0.60.4
+## explicit; go 1.21.0
 github.com/containers/common/pkg/hooks/1.0.0
+# github.com/containers/storage v1.55.0
+## explicit; go 1.21
+github.com/containers/storage/pkg/fileutils
 # github.com/coreos/go-systemd/v22 v22.5.0
 ## explicit; go 1.12
 github.com/coreos/go-systemd/v22/dbus
-# github.com/cyphar/filepath-securejoin v0.2.4
-## explicit; go 1.13
+# github.com/cyphar/filepath-securejoin v0.3.1
+## explicit; go 1.20
 github.com/cyphar/filepath-securejoin
 # github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 ## explicit
@@ -59,11 +62,11 @@ github.com/google/cel-go/common/types/traits
 github.com/google/cel-go/interpreter
 github.com/google/cel-go/parser
 github.com/google/cel-go/parser/gen
-# github.com/moby/sys/mountinfo v0.7.1
-## explicit; go 1.16
-github.com/moby/sys/mountinfo
-# github.com/opencontainers/runc v1.1.12
+# github.com/moby/sys/mountinfo v0.7.2
 ## explicit; go 1.17
+github.com/moby/sys/mountinfo
+# github.com/opencontainers/runc v1.1.13
+## explicit; go 1.18
 github.com/opencontainers/runc/libcontainer/cgroups
 github.com/opencontainers/runc/libcontainer/cgroups/devices
 github.com/opencontainers/runc/libcontainer/cgroups/ebpf
@@ -93,12 +96,12 @@ github.com/stoewer/go-strcase
 ## explicit; go 1.17
 github.com/stretchr/testify/assert
 github.com/stretchr/testify/require
-# golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
+# golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 ## explicit; go 1.20
 golang.org/x/exp/constraints
 golang.org/x/exp/maps
 golang.org/x/exp/slices
-# golang.org/x/net v0.26.0
+# golang.org/x/net v0.28.0
 ## explicit; go 1.18
 golang.org/x/net/http/httpguts
 golang.org/x/net/http2
@@ -106,11 +109,11 @@ golang.org/x/net/http2/hpack
 golang.org/x/net/idna
 golang.org/x/net/internal/timeseries
 golang.org/x/net/trace
-# golang.org/x/sys v0.22.0
+# golang.org/x/sys v0.24.0
 ## explicit; go 1.18
 golang.org/x/sys/unix
 golang.org/x/sys/windows
-# golang.org/x/text v0.16.0
+# golang.org/x/text v0.17.0
 ## explicit; go 1.18
 golang.org/x/text/secure/bidirule
 golang.org/x/text/transform