Revert "Update runc to 1.0.0"

vendor/github.com/opencontainers/selinux/go-selinux/doc.go

@@ -1,6 +1,10 @@
 /*
 Package selinux provides a high-level interface for interacting with selinux.
 
+This package uses a selinux build tag to enable the selinux functionality. This
+allows non-linux and linux users who do not have selinux support to still use
+tools that rely on this library.
+
 Usage:
 
 	import "github.com/opencontainers/selinux/go-selinux"

vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go

@@ -25,8 +25,6 @@ var ErrIncompatibleLabel = errors.New("Bad SELinux option z and Z can not be use
 // the container.  A list of options can be passed into this function to alter
 // the labels.  The labels returned will include a random MCS String, that is
 // guaranteed to be unique.
-// If the disabled flag is passed in, the process label will not be set, but the mount label will be set
-// to the container_file label with the maximum category. This label is not usable by any confined label.
 func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 	if !selinux.GetEnabled() {
 		return "", "", nil
@@ -49,8 +47,7 @@ func InitLabels(options []string) (plabel string, mlabel string, retErr error) {
 		}
 		for _, opt := range options {
 			if opt == "disable" {
-				selinux.ReleaseLabel(mountLabel)
-				return "", selinux.PrivContainerMountLabel(), nil
+				return "", mountLabel, nil
 			}
 			if i := strings.Index(opt, ":"); i == -1 {
 				return "", "", errors.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type, filetype' followed by ':' and a value", opt)

vendor/github.com/opencontainers/selinux/go-selinux/selinux.go

@@ -11,10 +11,9 @@ const (
 	Permissive = 0
 	// Disabled constant to indicate SELinux is disabled
 	Disabled = -1
-	// maxCategory is the maximum number of categories used within containers
-	maxCategory = 1024
+
 	// DefaultCategoryRange is the upper bound on the category range
-	DefaultCategoryRange = uint32(maxCategory)
+	DefaultCategoryRange = uint32(1024)
 )
 
 var (
@@ -277,8 +276,3 @@ func DisableSecOpt() []string {
 func GetDefaultContextWithLevel(user, level, scon string) (string, error) {
 	return getDefaultContextWithLevel(user, level, scon)
 }
-
-// PrivContainerMountLabel returns mount label for privileged containers
-func PrivContainerMountLabel() string {
-	return privContainerMountLabel
-}

vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go

@@ -16,9 +16,9 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/bits-and-blooms/bitset"
 	"github.com/opencontainers/selinux/pkg/pwalk"
 	"github.com/pkg/errors"
+	"github.com/willf/bitset"
 	"golang.org/x/sys/unix"
 )
 
@@ -892,13 +892,13 @@ func openContextFile() (*os.File, error) {
 	return os.Open(lxcPath)
 }
 
-var labels, privContainerMountLabel = loadLabels()
+var labels = loadLabels()
 
-func loadLabels() (map[string]string, string) {
+func loadLabels() map[string]string {
 	labels := make(map[string]string)
 	in, err := openContextFile()
 	if err != nil {
-		return labels, ""
+		return labels
 	}
 	defer in.Close()
 
@@ -920,10 +920,7 @@ func loadLabels() (map[string]string, string) {
 		}
 	}
 
-	con, _ := NewContext(labels["file"])
-	con["level"] = fmt.Sprintf("s0:c%d,c%d", maxCategory-2, maxCategory-1)
-	reserveLabel(con.get())
-	return labels, con.get()
+	return labels
 }
 
 // kvmContainerLabels returns the default processLabel and mountLabel to be used

vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go

@@ -2,8 +2,6 @@
 
 package selinux
 
-const privContainerMountLabel = ""
-
 func setDisabled() {
 }