This fixes the following linter warnings:

> go-selinux/label/label_linux.go:21:28: ST1005: error strings should not be capitalized (staticcheck)
> var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be used together")
>                            ^
> go-selinux/label/label_linux.go:55:20: ST1005: error strings should not be capitalized (staticcheck)
> 				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)
> 				               ^
> go-selinux/label/label_linux.go:59:20: ST1005: error strings should not be capitalized (staticcheck)
> 				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type, filetype'", con[0])
> 				               ^

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

The configuration was migrated using golangci-lint migrate and when
tweaked manually trying to minimize it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Switch to golangci-lint v2

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

…/actions/checkout-5

build(deps): bump actions/checkout from 4 to 5

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

…/actions/setup-go-6

build(deps): bump actions/setup-go from 5 to 6

Commit 965323e ("SetKeyLabel: add thread group leader requirement")
added verification that the caller of SetKeyLabel is the thread-group
leader, however the check had a typo in it, which would almost always
cause all errors to be treated as ErrNotTGLeader.

It's a bit of a shame that os.Getuid() and os.Getpid() are untyped, as a
one-character typo like this can really easily cause bugs without type
checking...

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

keyring: fix typo in EACCES check

A new rule was introduced in gofumpt v0.9.0 to "clothe" naked returns.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Also, bump golangci-lint-action to v8.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Switch from go 1.24 to go 1.25 where we use a single go version.

Drop go 1.23, add go 1.25 to the test matrix.

(Note most testing is done in a VM job which uses whatever Go version is
shipped with a distro).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Add Go 1.25, drop go 1.23, bump golangci-lint

The previous isProcHandle approach introduced in 03b517d ("selinux:
verify that writes to /proc/... are on procfs") was a fairly naive
solution to CVE-2019-16884 style bugs, as it only checked that the
target was a procfs file without any verification what exact procfs file
it is.

A far more insidious attack (as discussed at the time) would be to
instead bind-mount something like /proc/self/sched on top of
/proc/self/attr/... which would not be detectable using a simple
filesystem type check.

The new pathrs-lite API (provided by filepath-securejoin) can correctly
detect this and includes many other hardenings to avoid attacks of this
kind.

Fixes: CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

selinux: migrate to pathrs-lite procfs API