hack to make runc work with --no-new-privilges

gistfile1.txt

From 657e01b0d909cce33bc5176e5ef618e039ba187f Mon Sep 17 00:00:00 2001
Message-Id: <657e01b0d909cce33bc5176e5ef618e039ba187f.1614356653.git.dongsu@kinvolk.io>
From: Dongsu Park <dongsu@kinvolk.io>
Date: Fri, 26 Feb 2021 15:51:04 +0100
Subject: [PATCH] libcontainer: disable prctl with NoNewPrivilges

To make runc work with --security-opt=no-new-privilges
---
 libcontainer/standard_init_linux.go | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index 7ec506c4..fc4121a9 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
@@ -135,11 +135,6 @@ func (l *linuxStandardInit) Init() error {
 	if err != nil {
 		return errors.Wrap(err, "get pdeath signal")
 	}
-	if l.config.NoNewPrivileges {
-		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
-			return errors.Wrap(err, "set nonewprivileges")
-		}
-	}
 	// Tell our parent that we're ready to Execv. This must be done before the
 	// Seccomp rules have been applied, because we need to be able to read and
 	// write to a socket.
@@ -199,14 +194,6 @@ func (l *linuxStandardInit) Init() error {
 	// since been resolved.
 	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
 	unix.Close(l.fifoFd)
-	// Set seccomp as close to execve as possible, so as few syscalls take
-	// place afterward (reducing the amount of syscalls that users need to
-	// enable in their seccomp profiles).
-	if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
-		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
-			return newSystemErrorWithCause(err, "init seccomp")
-		}
-	}
 
 	s := l.config.SpecState
 	s.Pid = unix.Getpid()
-- 
2.29.2