vendor: bump runc to rc95

runc rc95 contains a fix for CVE-2021-30465.

runc rc94 provides fixes and improvements.

One notable change is cgroup manager's Set now accept Resources rather
than Cgroup (see https://github.com/opencontainers/runc/pull/2906).
Modify the code accordingly.

Also update runc dependencies (as hinted by hack/lint-depdendencies.sh):

        github.com/cilium/ebpf v0.5.0
        github.com/containerd/console v1.0.2
        github.com/coreos/go-systemd/v22 v22.3.1
        github.com/godbus/dbus/v5 v5.0.4
        github.com/moby/sys/mountinfo v0.4.1
        golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
        github.com/google/go-cmp v0.5.4
        github.com/kr/pretty v0.2.1
        github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

vendor/github.com/opencontainers/runc/libcontainer/seccomp/patchbpf/enosys_linux.go

@@ -3,6 +3,7 @@
 package patchbpf
 
 import (
+	"bytes"
 	"encoding/binary"
 	"io"
 	"os"
@@ -114,14 +115,26 @@ func disassembleFilter(filter *libseccomp.ScmpFilter) ([]bpf.Instruction, error)
 	defer wtr.Close()
 	defer rdr.Close()
 
+	readerBuffer := new(bytes.Buffer)
+	errChan := make(chan error, 1)
+	go func() {
+		_, err := io.Copy(readerBuffer, rdr)
+		errChan <- err
+		close(errChan)
+	}()
+
 	if err := filter.ExportBPF(wtr); err != nil {
 		return nil, errors.Wrap(err, "exporting BPF")
 	}
 	// Close so that the reader actually gets EOF.
 	_ = wtr.Close()
 
+	if copyErr := <-errChan; copyErr != nil {
+		return nil, errors.Wrap(copyErr, "reading from ExportBPF pipe")
+	}
+
 	// Parse the instructions.
-	rawProgram, err := parseProgram(rdr)
+	rawProgram, err := parseProgram(readerBuffer)
 	if err != nil {
 		return nil, errors.Wrap(err, "parsing generated BPF filter")
 	}
@@ -510,6 +523,11 @@ func assemble(program []bpf.Instruction) ([]unix.SockFilter, error) {
 }
 
 func generatePatch(config *configs.Seccomp) ([]bpf.Instruction, error) {
+	// Patch the generated cBPF only when there is not a defaultErrnoRet set
+	// and it is different from ENOSYS
+	if config.DefaultErrnoRet != nil && *config.DefaultErrnoRet == uint(retErrnoEnosys) {
+		return nil, nil
+	}
 	// We only add the stub if the default action is not permissive.
 	if isAllowAction(config.DefaultAction) {
 		logrus.Debugf("seccomp: skipping -ENOSYS stub filter generation")
@@ -584,9 +602,12 @@ func sysSeccompSetFilter(flags uint, filter []unix.SockFilter) (err error) {
 			unix.SECCOMP_MODE_FILTER,
 			uintptr(unsafe.Pointer(&fprog)), 0, 0)
 	} else {
-		_, _, err = unix.RawSyscall(unix.SYS_SECCOMP,
+		_, _, errno := unix.RawSyscall(unix.SYS_SECCOMP,
 			uintptr(C.C_SET_MODE_FILTER),
 			uintptr(flags), uintptr(unsafe.Pointer(&fprog)))
+		if errno != 0 {
+			err = errno
+		}
 	}
 	runtime.KeepAlive(filter)
 	runtime.KeepAlive(fprog)

vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go

@@ -3,11 +3,8 @@
 package seccomp
 
 import (
-	"bufio"
 	"errors"
 	"fmt"
-	"os"
-	"strings"
 
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/seccomp/patchbpf"
@@ -39,7 +36,7 @@ func InitSeccomp(config *configs.Seccomp) error {
 		return errors.New("cannot initialize Seccomp - nil config passed")
 	}
 
-	defaultAction, err := getAction(config.DefaultAction, nil)
+	defaultAction, err := getAction(config.DefaultAction, config.DefaultErrnoRet)
 	if err != nil {
 		return errors.New("error initializing seccomp - invalid default action")
 	}
@@ -80,24 +77,6 @@ func InitSeccomp(config *configs.Seccomp) error {
 	return nil
 }
 
-// IsEnabled returns if the kernel has been configured to support seccomp.
-func IsEnabled() bool {
-	// Try to read from /proc/self/status for kernels > 3.8
-	s, err := parseStatusFile("/proc/self/status")
-	if err != nil {
-		// Check if Seccomp is supported, via CONFIG_SECCOMP.
-		if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
-			// Make sure the kernel has CONFIG_SECCOMP_FILTER.
-			if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
-				return true
-			}
-		}
-		return false
-	}
-	_, ok := s["Seccomp"]
-	return ok
-}
-
 // Convert Libcontainer Action to Libseccomp ScmpAction
 func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error) {
 	switch act {
@@ -237,33 +216,6 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
 	return nil
 }
 
-func parseStatusFile(path string) (map[string]string, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	s := bufio.NewScanner(f)
-	status := make(map[string]string)
-
-	for s.Scan() {
-		text := s.Text()
-		parts := strings.Split(text, ":")
-
-		if len(parts) <= 1 {
-			continue
-		}
-
-		status[parts[0]] = parts[1]
-	}
-	if err := s.Err(); err != nil {
-		return nil, err
-	}
-
-	return status, nil
-}
-
 // Version returns major, minor, and micro.
 func Version() (uint, uint, uint) {
 	return libseccomp.GetLibraryVersion()

vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_unsupported.go

@@ -18,11 +18,6 @@ func InitSeccomp(config *configs.Seccomp) error {
 	return nil
 }
 
-// IsEnabled returns false, because it is not supported.
-func IsEnabled() bool {
-	return false
-}
-
 // Version returns major, minor, and micro.
 func Version() (uint, uint, uint) {
 	return 0, 0, 0