app-emulation/docker-runc: disable NoNewPrivileges options

Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able
to make docker/runc work with "--security-opt=no-new-privileges".

So far it has worked without disabling NoNewPrivileges until runc
1.0.0-rc92,
which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however,
the selinux build tag is now gone, so selinux is always enabled.
That's why `docker run --security-opt=no-new-privileges` failed.

Until we could figure out its real reason, let's temporarily disable
NoNewPrivilges to make the CI pass.

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc93.ebuild

@@ -42,7 +42,8 @@ src_unpack() {
 
 PATCHES=(
 	"${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
-	"${FILESDIR}/0001-temporarily-disable-selinux.GetEnabled-error-checks.patch"
+	"${FILESDIR}/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch"
+	"${FILESDIR}/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch"
 )
 
 src_compile() {

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch

@@ -0,0 +1,55 @@
+From 657e01b0d909cce33bc5176e5ef618e039ba187f Mon Sep 17 00:00:00 2001
+Message-Id: <657e01b0d909cce33bc5176e5ef618e039ba187f.1614603215.git.dongsu@kinvolk.io>
+From: Dongsu Park <dongsu@kinvolk.io>
+Date: Fri, 26 Feb 2021 15:51:04 +0100
+Subject: [PATCH] libcontainer: disable prctl with NoNewPrivileges
+
+Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able
+to make docker/runc work with "--security-opt=no-new-privileges".
+
+So far it has worked without disabling NoNewPrivileges until runc 1.0.0-rc92,
+which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however,
+the selinux build tag is now gone, so selinux is always enabled.
+That's why `docker run --security-opt=no-new-privileges` failed.
+
+Until we could figure out its real reason, let's temporarily disable
+NoNewPrivileges to make the CI pass.
+
+---
+ libcontainer/standard_init_linux.go | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
+index 7ec506c4..fc4121a9 100644
+--- a/libcontainer/standard_init_linux.go
++++ b/libcontainer/standard_init_linux.go
+@@ -135,11 +135,6 @@ func (l *linuxStandardInit) Init() error {
+ 	if err != nil {
+ 		return errors.Wrap(err, "get pdeath signal")
+ 	}
+-	if l.config.NoNewPrivileges {
+-		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+-			return errors.Wrap(err, "set nonewprivileges")
+-		}
+-	}
+ 	// Tell our parent that we're ready to Execv. This must be done before the
+ 	// Seccomp rules have been applied, because we need to be able to read and
+ 	// write to a socket.
+@@ -199,14 +194,6 @@ func (l *linuxStandardInit) Init() error {
+ 	// since been resolved.
+ 	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
+ 	unix.Close(l.fifoFd)
+-	// Set seccomp as close to execve as possible, so as few syscalls take
+-	// place afterward (reducing the amount of syscalls that users need to
+-	// enable in their seccomp profiles).
+-	if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
+-		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
+-			return newSystemErrorWithCause(err, "init seccomp")
+-		}
+-	}
+ 
+ 	s := l.config.SpecState
+ 	s.Pid = unix.Getpid()
+-- 
+2.29.2
+