Revert "Merge pull request 101888 from kolyshkin/update-runc-rc94"

This reverts commit b1b06fe0a4, reversing
changes made to 382a33986b.

vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go

@@ -3,7 +3,6 @@
 package patchbpf
 
 import (
-	"bytes"
 	"encoding/binary"
 	"io"
 	"os"
@@ -115,26 +114,14 @@ func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction, error)
 	defer wtr.Close()
 	defer rdr.Close()
 
-	readerBuffer := new(bytes.Buffer)
-	errChan := make(chan error, 1)
-	go func() {
-		_, err := io.Copy(readerBuffer, rdr)
-		errChan <- err
-		close(errChan)
-	}()
-
 	if err := filter.ExportBPF(wtr); err != nil {
 		return nil, errors.Wrap(err, "exporting BPF")
 	}
 	// Close so that the reader actually gets EOF.
 	_ = wtr.Close()
 
-	if copyErr := <-errChan; copyErr != nil {
-		return nil, errors.Wrap(copyErr, "reading from ExportBPF pipe")
-	}
-
 	// Parse the instructions.
-	rawProgram, err := parseProgram(readerBuffer)
+	rawProgram, err := parseProgram(rdr)
 	if err != nil {
 		return nil, errors.Wrap(err, "parsing generated BPF filter")
 	}
@@ -597,12 +584,9 @@ func sysSeccompSetFilter(flags uint, filter []unix.SockFilter) (err error) {
 			unix.SECCOMP_MODE_FILTER,
 			uintptr(unsafe.Pointer(&fprog)), 0, 0)
 	} else {
-		_, _, errno := unix.RawSyscall(unix.SYS_SECCOMP,
+		_, _, err = unix.RawSyscall(unix.SYS_SECCOMP,
 			uintptr(C.C_SET_MODE_FILTER),
 			uintptr(flags), uintptr(unsafe.Pointer(&fprog)))
-		if errno != 0 {
-			err = errno
-		}
 	}
 	runtime.KeepAlive(filter)
 	runtime.KeepAlive(fprog)

vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go

@@ -3,8 +3,11 @@
 package seccomp
 
 import (
+	"bufio"
 	"errors"
 	"fmt"
+	"os"
+	"strings"
 
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/seccomp/patchbpf"
@@ -77,6 +80,24 @@ func InitSeccomp(config *configs.Seccomp) error {
 	return nil
 }
 
+// IsEnabled returns if the kernel has been configured to support seccomp.
+func IsEnabled() bool {
+	// Try to read from /proc/self/status for kernels > 3.8
+	s, err := parseStatusFile("/proc/self/status")
+	if err != nil {
+		// Check if Seccomp is supported, via CONFIG_SECCOMP.
+		if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+			if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+				return true
+			}
+		}
+		return false
+	}
+	_, ok := s["Seccomp"]
+	return ok
+}
+
 // Convert Libcontainer Action to Libseccomp ScmpAction
 func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error) {
 	switch act {
@@ -216,6 +237,33 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
 	return nil
 }
 
+func parseStatusFile(path string) (map[string]string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	s := bufio.NewScanner(f)
+	status := make(map[string]string)
+
+	for s.Scan() {
+		text := s.Text()
+		parts := strings.Split(text, ":")
+
+		if len(parts) <= 1 {
+			continue
+		}
+
+		status[parts[0]] = parts[1]
+	}
+	if err := s.Err(); err != nil {
+		return nil, err
+	}
+
+	return status, nil
+}
+
 // Version returns major, minor, and micro.
 func Version() (uint, uint, uint) {
 	return libseccomp.GetLibraryVersion()

vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_unsupported.go

@@ -18,6 +18,11 @@ func InitSeccomp(config *configs.Seccomp) error {
 	return nil
 }
 
+// IsEnabled returns false, because it is not supported.
+func IsEnabled() bool {
+	return false
+}
+
 // Version returns major, minor, and micro.
 func Version() (uint, uint, uint) {
 	return 0, 0, 0