Commit Graph

1940 Commits

Author SHA1 Message Date
Sebastiaan van Stijn f28a8cc28c ebpf: replace deprecated prog.Attach/prog.Detach
Caught by golangci-lint when enabling golint:

    libcontainer/cgroups/ebpf/ebpf.go:35:12: SA1019: prog.Attach is deprecated: use link.RawAttachProgram instead. (staticcheck)
        if err := prog.Attach(dirFD, ebpf.AttachCGroupDevice, unix.BPF_F_ALLOW_MULTI); err != nil {
                  ^
    libcontainer/cgroups/ebpf/ebpf.go:39:13: SA1019: prog.Detach is deprecated: use link.RawDetachProgram instead. (staticcheck)
            if err := prog.Detach(dirFD, ebpf.AttachCGroupDevice, unix.BPF_F_ALLOW_MULTI); err != nil {
                      ^

Worth noting that we currently call prog.Detach() with unix.BPF_F_ALLOW_MULTI;
https://github.com/golang/sys/blob/22da62e12c0cd9c1da93581e1113ca4d82a5be14/unix/zerrors_linux.go#L178

    BPF_F_ALLOW_MULTI = 0x2

Looking at the source code for prog.Detach(); https://github.com/cilium/ebpf/blob/v0.4.0/prog.go#L579-L581,
this would _always_ produce an error:

    if flags != 0 {
        return errors.New("flags must be zero")
    }

Note that the flags parameter is not used (except for that validation)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-13 12:27:39 +02:00
Qiang Huang 2d38476c96 Merge pull request #2840 from kolyshkin/ignore-kmem
Ignore kernel memory settings
2021-04-13 09:44:14 +08:00
Aleksa Sarai 14ce8be9b1 merge branch 'pr-2836'
Aleksa Sarai (1):
  nsenter: improve debug logging

Kir Kolyshkin (1):
  libct/nsenter: add json msg escaping

LGTMs: mrunalp cyphar
Closes #2836
2021-04-13 10:55:57 +10:00
Mrunal Patel 23f6ca80d5 Merge pull request #2900 from LiangZhou-CTY/patch-1
fix a typo
2021-04-12 17:42:51 -07:00
Kir Kolyshkin 928ef7afac libct/nsenter: add json msg escaping
Since the previous commit, some strings logged by write_log() contain a
literal newline, which leads to errors like this one:

> # time="2020-06-07T15:41:37Z" level=error msg="failed to decode \"{\\\"level\\\":\\\"debug\\\", \\\"msg\\\": \\\"nsexec-0[2265]: update /proc/2266/uid_map to '0 1000 1\\n\" to json: invalid character '\\n' in string literal"

The fix is to escape such characters.

Add a simple (as much as it can be) routine which implements JSON string
escaping as required by RFC4627, section 2.5, plus escaping of DEL (0x7f)
character (not required, but allowed by the standard, and usually done
by tools such as jq).

As much as I hate to code something like this, I was not able to find
a ready to consume and decent C implementation (not using glib).

Added a test case (and some additional asserts in C code, conditionally
enabled by the test case) to make sure the implementation is correct.
The test case have to live in a separate directory so we can use
different C flags to compile the test, and use C from go test.

[v2: try to simplify the code, add more tests]
[v3: don't do exit(1), try returning an error instead]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-12 16:47:26 -07:00
Kir Kolyshkin 52390d6804 Ignore kernel memory settings
This is somewhat radical approach to deal with kernel memory.

Per-cgroup kernel memory limiting was always problematic. A few
examples:

 - older kernels had bugs and were even oopsing sometimes (best example
   is RHEL7 kernel);
 - kernel is unable to reclaim the kernel memory so once the limit is
   hit a cgroup is toasted;
 - some kernel memory allocations don't allow failing.

In addition to that,

 - users don't have a clue about how to set kernel memory limits
   (as the concept is much more complicated than e.g. [user] memory);
 - different kernels might have different kernel memory usage,
   which is sort of unexpected;
 - cgroup v2 do not have a [dedicated] kmem limit knob, and thus
   runc silently ignores kernel memory limits for v2;
 - kernel v5.4 made cgroup v1 kmem.limit obsoleted (see
   https://github.com/torvalds/linux/commit/0158115f702b).

In view of all this, and as the runtime-spec lists memory.kernel
and memory.kernelTCP as OPTIONAL, let's ignore kernel memory
limits (for cgroup v1, same as we're already doing for v2).

This should result in less bugs and better user experience.

The only bad side effect from it might be that stat can show kernel
memory usage as 0 (since the accounting is not enabled).

[v2: add a warning in specconv that limits are ignored]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-12 12:18:11 -07:00
Akihiro Suda 6023d635d7 Merge pull request #2844 from kolyshkin/sd-cg-docs 2021-04-13 04:12:34 +09:00
Liang Zhou b6cdb8ae09 fix a typo
Signed-off-by: Liang Zhou <zhoul110@chinatelecom.cn>
2021-04-11 09:40:21 +08:00
Kir Kolyshkin b23315bdd9 Merge pull request #2850 from thaJeztah/userns_check
libcontainer/system: move userns utilities, remove `GetParentNSeuid`, `UIDMapInUserNS`
2021-04-08 10:12:05 -07:00
Aleksa Sarai 64bb59f592 nsenter: improve debug logging
In order to make 'runc --debug' actually useful for debugging nsexec
bugs, provide information about all the internal operations when in
debug mode.

[@kolyshkin: rebasing; fix formatting via indent for make validate to pass]

Signed-off-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-08 09:54:43 -07:00
Peter Hunt 6ce2d63a5d libct/init_linux: retry chdir to fix EPERM
Alas, the EPERM on chdir saga continues...

Unfortunately, the there were two releases between when https://github.com/opencontainers/runc/commit/5e0e67d76cc99d76c8228d48f38f37034503f315  was released
and when the workaround https://github.com/opencontainers/runc/pull/2712 was added.

Between this, folks started relying on the ability to have a workdir that the container user doesn't have access to.

Since this case was previously valid, we should continue support for it.

Now, we retry the chdir:
Once at the top of the function (to catch cases where the runc user has access, but container user does not)
and once after we setup user (to catch cases where the container user has access, and the runc user does not)

Add a test case for this as well.

Signed-off-by: Peter Hunt <pehunt@redhat.com>
2021-04-06 14:51:43 -04:00
Akihiro Suda c453f1a523 Merge pull request #2881 from kolyshkin/test-rand-cg
tests/int: some refactoring, fix a flake
2021-04-06 13:27:19 +09:00
Akihiro Suda d8a5f6084a Merge pull request #2885 from thaJeztah/config_missing_type
libcontainer/configs: add missing type for hooknames
2021-04-06 13:24:28 +09:00
Akihiro Suda 913b9f14e8 Merge pull request #2886 from thaJeztah/check_cleanup 2021-04-06 03:28:45 +09:00
Sebastiaan van Stijn 4316df8b53 libcontainer/system: move userns utilities to separate package
Moving these utilities to a separate package, so that consumers of this
package don't have to pull in the whole "system" package.

Looking at uses of these utilities (outside of runc itself);

`RunningInUserNS()` is used by [various external consumers][1],
so adding a "Deprecated" alias for this.

[1]: https://grep.app/search?current=2&q=.RunningInUserNS

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-04 22:42:03 +02:00
Sebastiaan van Stijn e7fd383bce libcontainer/system: un-export UIDMapInUserNS()
`UIDMapInUserNS()` is not used anywhere, only internally. so un-export it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-04 22:42:02 +02:00
Sebastiaan van Stijn 249356a1a4 libcontainer/system: remove unused GetParentNSeuid()
This function was added in f103de57ec, but no
longer used since 06f789cf26 (v1.0.0-rc6)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-04 22:41:59 +02:00
Kir Kolyshkin 365c6282c7 Merge pull request #2888 from thaJeztah/fixup_rm_win_carry
libcontainer: rm windows pieces (carry #2700)
2021-04-03 19:10:36 -07:00
Aleksa Sarai 0d49470392 merge branch 'pr-2855'
Kir Kolyshkin (2):
  start: don't kill runc init too early
  libct/configs/validator: add some cgroup support

LGTMs: @AkihiroSuda @cyphar
Closes #2855
2021-04-03 12:41:41 +11:00
Sebastiaan van Stijn dc52ed250a libcontainer/user: remove outdated MAINTAINERS file
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-02 11:56:41 +02:00
Sebastiaan van Stijn 72ecf59c88 libcontainer/user: fix windows compile error
Move the unix-specific code to a file that's not compiled on
Windows.

Some of the errors (ErrUnsupported, ErrNoPasswdEntries, ErrNoGroupEntries)
are used in other parts of the code, so are moved to a non-platform
specific file.

Most of "user" is probably not useful on Windows, although it's possible
that Windows code may have to parse a passwd file, so leaving that code
for now.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-02 11:56:39 +02:00
Kir Kolyshkin 2515b0c2f2 libct/user: rm windows code
Commit bf749516 added these two functions, but they are only used from
Windows code. The v1 of this patch moved these functions to _windows.go
file, but after some discussion we decided to drop windows code
altogether, so this is what this patch now does.

This fixes

> libcontainer/user/user.go:64:6: func `groupFromOS` is unused (unused)
> libcontainer/user/user.go:35:6: func `userFromOS` is unused (unused)

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-02 11:56:37 +02:00
Kir Kolyshkin 0596f6e1e7 libcontainer/devices/device_windows.go: rm
This was initially added by commit d78ee47154 but later
moved from libcontainer/configs to libcontainer/devices by
commit 677baf22.

Looks like since commit 677baf22 and also [1]
there is no use for this, thus removing.

[1] https://github.com/containers/buildah/pull/2652

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-02 11:56:21 +02:00
Kir Kolyshkin b1deba8c5a libcontainer/configs/config_windows_test.go: rm
Nothing is in there, so removing.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-02 11:55:33 +02:00
Sebastiaan van Stijn f1586dbd7a libcontainer/configs/validate: make Validate() less DRY
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-02 11:41:19 +02:00
Sebastiaan van Stijn 4126b807cc libcontainer/configs: add missing type for hooknames
Commit ccdd75760c introduced the HookName type
for hooks, but only set this type on the Prestart const, but not for the
other hooks.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-02 11:08:24 +02:00
Kir Kolyshkin 27bb1bd5ea libct/specconv/CreateCgroupConfig: don't set c.Parent default
c.Parent is only used by systemd cgroup drivers, and both v1 and v2
drivers do have code to set the default if it is empty, so setting
it here is redundant.

In addition, in case of cgroup v2 rootless container setting it here
is harmful as the default should be user.slice not system.slice.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:50:37 -07:00
Kir Kolyshkin f0dec0b4bf libct/specconv/CreateCgroupConfig: nit
Do not call libcontainerUtils.CleanPath in case its result will
not be used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 19:33:01 -07:00
Kir Kolyshkin 6538f9f20a Merge pull request #2854 from thaJeztah/runc_warn_unknown_caps
capabilities: WARN, not ERROR, for unknown / unavailable capabilities
2021-04-01 18:27:57 -07:00
Mrunal Patel 8c4dca8dcb Merge pull request #2871 from masters-of-cats/pr-seccomp-pipe-hang
Ensure the seccomp pipe is being read while exporting bpf
2021-04-01 15:09:08 -07:00
Kir Kolyshkin 2dd62b3d42 libct/checkCriuFeatures: rm excessive debug
1. Remove printing criu args as now they are *always swrk 3.
2. Remove duplicated "feature check says" debug.

Before:

> DEBU[0000] Using CRIU with following args: [swrk 3]
> DEBU[0000] Using CRIU in FEATURE_CHECK mode
> DEBU[0000] Feature check says: type:FEATURE_CHECK success:true features:<mem_track:false lazy_pages:true >
> DEBU[0000] Feature check says: mem_track:false lazy_pages:true

After:

> DEBU[0000] Using CRIU in FEATURE_CHECK mode
> DEBU[0000] Feature check says: mem_track:false lazy_pages:true

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-04-01 12:57:41 -07:00
Kir Kolyshkin bed4d89f57 Merge pull request #2807 from kolyshkin/google-golang-protobuf
go.mod, libct: switch to google.golang.org/protobuf
2021-03-31 20:34:16 -07:00
Kir Kolyshkin 4ecff8d9d8 start: don't kill runc init too early
The stars can be aligned in a way that results in runc to leave a stale
bind mount in container's state directory, which manifests itself later,
while trying to remove the container, in an error like this:

> remove /run/runc/test2: unlinkat /run/runc/test2/runc.W24K2t: device or resource busy

The stale mount happens because runc start/run/exec kills runc init
while it is inside ensure_cloned_binary(). One such scenario is when
a unified cgroup resource is specified for cgroup v1, a cgroup manager's
Apply returns an error (as of commit b006f4a180), and when
(*initProcess).start() kills runc init just after it was started.

One solution is NOT to kill runc init too early. To achieve that,
amend the libcontainer/nsenter code to send a \0 byte to signal
that it is past the initial setup, and make start() (for both
run/start and exec) wait for this byte before proceeding with
kill on an error path.

While at it, improve some error messages.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 14:36:52 -07:00
Kir Kolyshkin b118430231 libct/configs/validator: add some cgroup support
Add some minimal validation for cgroups. The following checks
are implemented:

 - cgroup name and/or prefix (or path) is set;
 - for cgroup v1, unified resources are not set;
 - for cgroup v2, if memorySwap is set, memory is also set,
   and memorySwap > memory.

This makes some invalid configurations fail earlier (before runc init
is started), which is better.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-31 14:36:52 -07:00
Kir Kolyshkin 79a8647b81 libct/int: add TestFdLeaks
This is a very simple test that checks that container.Run do not leak
opened file descriptors.

In fact it does, so we have to add two exclusions:

1. /sys/fs/cgroup is opened once per lifetime in prepareOpenat2(),
    provided that cgroupv2 is used and openat2 is available. This
    works as intended ("it's not a bug, it's a feature").

2. ebpf program fd is leaked every time we call setDevices() for
   cgroupv2 (iow, every container.Run or container.Set leaks 1 fd).
   This needs to be fixed, thus FIXME.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-30 19:58:09 -07:00
Kir Kolyshkin b3be2b0b4f libct: close execFifo after start
Apparently, the parent never closes execFifo fd. Not a problem for runc
per se, but can be an issue for a user of libcontainer.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-30 19:58:09 -07:00
Kieron Browne 08b5279797 Make test specific to disassembleFilter function
TestPatchHugeSeccompFilterDoesNotBlock is only testing the
disassembleFilter function. There is no need to invoke PatchAndLoad
which has the side effect of loading a seccomp profile.

Co-authored-by: Danail Branekov <danailster@gmail.com>
Co-authored-by: Kieron Browne <kbrowne@vmware.com>
Signed-off-by: Kieron Browne <kbrowne@vmware.com>
Signed-off-by: Danail Branekov <danailster@gmail.com>
2021-03-30 12:31:14 +03:00
Danail Branekov 7b3e0bcf29 Ensure the scratch pipe is read during ExportBPF
There is a potential deadlock where the ExportBPF method call writes to
a pipe but the pipe is not read until after the method call returns.
ExportBPF might fill the pipe buffer, in which case it will block
waiting for a read on the other side which can't happen until the method
returns.

Here we concurrently read from the pipe into a buffer to ensure
ExportBPF will always return.

Co-authored-by: Kieron Browne <kbrowne@vmware.com>
Co-authored-by: Danail Branekov <danailster@gmail.com>
Signed-off-by: Kieron Browne <kbrowne@vmware.com>
Signed-off-by: Danail Branekov <danailster@gmail.com>
2021-03-30 12:29:35 +03:00
Kir Kolyshkin 2400e5e36e Merge pull request #2860 from kolyshkin/validate-c
fix/simplify scripts/validate-c, fix *.c formatting
2021-03-28 10:17:34 -07:00
Sebastiaan van Stijn 5fb831a0fa capabilities: WARN, not ERROR, for unknown / unavailable capabilities
This updates handling of capabilities to match the updated runtime specification,
in https://github.com/opencontainers/runtime-spec/pull/1094.

Prior to that change, the specification required runtimes to produce a (fatal)
error if a container configuration requested capabilities that could not be
granted (either the capability is "unknown" to the runtime, not supported by the
kernel version in use, or not available in the environment that the runtime
operates in).

This caused problems in situations where the runtime was running in a restricted
environment (for example, docker-in-docker), or if there is a mismatch between
the list of capabilities known by higher-level runtimes and the OCI runtime.

Some examples:

- Kernel 5.8 introduced CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
  capabilities. Docker 20.10.0 ("higher level runtime") shipped with
  an updated list of capabilities, and when creating a "privileged" container,
  would determine what capabilities are known by the kernel in use, and request
  all those capabilities (by including them in the container config).
  However, runc did not yet have an updated list of capabilities, and therefore
  reject the container specification, producing an error because the new
  capabilities were "unknown".
- When running nested containers, for example, when running docker-in-docker,
  the "inner" container may be using a more recent version of docker than the
  "outer" container. In this situation, the "outer" container may be missing
  capabilities that the inner container expects to be supported (based on
  kernel version). However, starting the container would fail, because the OCI
  runtime could not grant those capabilities (them not being available in the
  environment it's running in).

WARN (but otherwise ignore) capabilities that cannot be granted
--------------------------------------------------------------------------------

This patch changes the handling to WARN (but otherwise ignore) capabilities that
are requested in the container config, but cannot be granted, alleviating higher
level runtimes to detect what capabilities are supported (by the kernel, and
in the current environment), as well as avoiding failures in situations where
the higher-level runtime is aware of capabilities that are not (yet) supported
by runc.

Impact on security
--------------------------------------------------------------------------------

Given that `capabilities` is an "allow-list", ignoring unknown capabilities does
not impose a security risk; worst case, a container does not get all requested
capabilities granted and, as a result, some actions may fail.

Backward-compatibility
--------------------------------------------------------------------------------

This change should be fully backward compatible. Higher-level runtimes that
already dynamically adjust the list of requested capabilities can continue to do
so. Runtimes that do not adjust will see an improvement (containers can start
even if some of the requested capabilities are not granted). Container processes
MAY fail (as described in "impact on security"), but users can debug this
situation either by looking at the warnings produces by the OCI runtime, or using
tools such as `capsh` / `libcap` to get the list of actual capabilities in the
container.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-26 21:23:00 +01:00
Mrunal Patel 1827254afe Merge pull request #2870 from kolyshkin/seccomp-version
libct/seccomp: remove IsEnabled
2021-03-26 11:20:55 -07:00
Mrunal Patel 547951061e Merge pull request #2835 from kolyshkin/fix-init-log-race
Fix init log forwarding race
2021-03-26 11:17:03 -07:00
Akihiro Suda 5df79d5c3d Merge pull request #2820 from dqminh/io-cgroup2-fallback
fs2: fallback to setting io.weight if io.bfq.weight
2021-03-26 18:58:51 +09:00
Kir Kolyshkin 2726146b04 runc --debug: more tests
First, add runc --debug exec test cases, very similar to those in
debug.bats but for runc exec (rather than runc run). Do not include json
tests as it is already tested in debug.bats.

Second, add logrus debug to late stages of runc init, and amend the
integration tests to check for those messages. This serves two purposes:

 - demonstrate that runc init can be amended with debug logrus which is
   properly forwarded to and logged by the parent runc create/run/exec;

 - improve the chances to catch the race fixed by the previous commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 19:19:20 -07:00
Kir Kolyshkin 201d60c51d runc run/start/exec: fix init log forwarding race
Sometimes debug.bats test cases are failing like this:

> not ok 27 global --debug to --log --log-format 'json'
> # (in test file tests/integration/debug.bats, line 77)
> #   `[[ "${output}" == *"child process in init()"* ]]' failed

It happens more when writing to disk.

This issue is caused by the fact that runc spawns log forwarding goroutine
(ForwardLogs) but does not wait for it to finish, resulting in missing
debug lines from nsexec.

ForwardLogs itself, though, never finishes, because it reads from a
reading side of a pipe which writing side is not closed. This is
especially true in case of runc create, which spawns runc init and
exits; meanwhile runc init waits on exec fifo for arbitrarily long
time before doing execve.

So, to fix the failure described above, we need to:

 1. Make runc create/run/exec wait for ForwardLogs to finish;

 2. Make runc init close its log pipe file descriptor (i.e.
    the one which value is passed in _LIBCONTAINER_LOGPIPE
    environment variable).

This is exactly what this commit does:

 1. Amend ForwardLogs to return a channel, and wait for it in start().

 2. In runc init, save the log fd and close it as late as possible.

PS I have to admit I still do not understand why an explicit close of
log pipe fd is required in e.g. (*linuxSetnsInit).Init, right before
the execve which (thanks to CLOEXEC) closes the fd anyway.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 19:18:55 -07:00
Kir Kolyshkin c06f999b76 libct/logs/test: refactor
- add check, checkWait, and finish helpers;
 - move test cleanup to runLogForwarding;
 - introduce and use log struct.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 18:58:30 -07:00
Kir Kolyshkin 688ea99e1b runc init: fix double call to ConfigureLogs
I have noticed that ConfigureLogs do not return an error in case logging
was already configured -- instead it just warns about it. So I went
ahead and changed the warning to the actual error...

... only to discover I broke things badly, because in case of runc init
logging is configured twice. The fix is to not configure logging in case
we are init.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 18:56:15 -07:00
Kir Kolyshkin 69ec21a12f libct/logs.ForwardLogs: use bufio.Scanner
Error handling is slightly cleaner this way.

While at it, do minor refactoring and fix error logging
in processEntry.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 18:56:15 -07:00
Kir Kolyshkin d38d1f9f79 libcontainer/logs: use int for Config.LogPipeFd
It does not make sense to have a string for a numeric type.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-25 18:56:15 -07:00
Kir Kolyshkin ac93746c4d libct/seccomp: rm IsEnabled
seccomp.IsEnabled is not well defined (the presence of Seccomp: field
in /proc/self/status does not tell us whether CONFIG_SECCOMP_FILTER
is enabled in the kernel; parsing all keys in /proc/self/status is a
moderate waste of resources, etc).

I traced its addition back to [1] and even in there it is not clear
what for it was added. There were never an internal user (except
for the recently added one, removed by the previous commit), and
can't find any external users (but found two copy-pastes of this
code, suffering from the same problems, see [2] and [3]).

Since it is broken and has no users, remove it.

[1] https://github.com/opencontainers/runc/pull/471
[2] https://github.com/containerd/containerd/blob/master/pkg/seccomp/seccomp_linux.go
[3] https://github.com/containers/common/blob/master/pkg/seccomp/supported.go

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-03-23 16:59:46 -07:00