app-emulation/runc: remove patches disabling NNP and seccomp

These were included as a workaround for SELinux issues on Flatcar.
However, they also disable NoNewPrivileges and seccomp support, which
reduces security.

Instead, we'll disable SELinux support in the Docker daemon in the next
commit.

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/docker-runc-1.0.0_rc95.ebuild

@@ -42,8 +42,6 @@ src_unpack() {
 
 PATCHES=(
 	"${FILESDIR}/0001-Delay-unshare-of-clone-newipc-for-selinux.patch"
-	"${FILESDIR}/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch"
-	"${FILESDIR}/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch"
 )
 
 src_compile() {

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0002-temporarily-disable-selinux.GetEnabled-error-checks.patch

@@ -1,58 +0,0 @@
-From 7264883458e7bdcd23152495ac141a24d17b8db9 Mon Sep 17 00:00:00 2001
-Message-Id: <7264883458e7bdcd23152495ac141a24d17b8db9.1564136934.git.dongsu@kinvolk.io>
-From: Dongsu Park <dongsu@kinvolk.io>
-Date: Fri, 26 Jul 2019 12:19:37 +0200
-Subject: [PATCH] temporarily disable selinux.GetEnabled() error checks
-
----
- libcontainer/configs/validate/validator.go | 4 ----
- utils_linux.go                             | 4 ----
- 2 files changed, 8 deletions(-)
-
-diff --git a/libcontainer/configs/validate/validator.go b/libcontainer/configs/validate/validator.go
-index 3b42f301..bace067d 100644
---- a/libcontainer/configs/validate/validator.go
-+++ b/libcontainer/configs/validate/validator.go
-@@ -8,7 +8,6 @@ import (
- 	"github.com/opencontainers/runc/libcontainer/cgroups"
- 	"github.com/opencontainers/runc/libcontainer/configs"
- 	"github.com/opencontainers/runc/libcontainer/intelrdt"
--	selinux "github.com/opencontainers/selinux/go-selinux"
- 	"golang.org/x/sys/unix"
- )
- 
-@@ -99,9 +98,6 @@ func (v *ConfigValidator) security(config *configs.Config) error {
- 		!config.Namespaces.Contains(configs.NEWNS) {
- 		return errors.New("unable to restrict sys entries without a private MNT namespace")
- 	}
--	if config.ProcessLabel != "" && !selinux.GetEnabled() {
--		return errors.New("selinux label is specified in config, but selinux is disabled or not supported")
--	}
- 
- 	return nil
- }
-diff --git a/utils_linux.go b/utils_linux.go
-index b05e7b60..ce50db14 100644
---- a/utils_linux.go
-+++ b/utils_linux.go
-@@ -17,7 +17,6 @@ import (
- 	"github.com/opencontainers/runc/libcontainer/specconv"
- 	"github.com/opencontainers/runc/libcontainer/utils"
- 	"github.com/opencontainers/runtime-spec/specs-go"
--	selinux "github.com/opencontainers/selinux/go-selinux"
- 
- 	"github.com/coreos/go-systemd/v22/activation"
- 	"github.com/pkg/errors"
-@@ -388,9 +387,6 @@ func validateProcessSpec(spec *specs.Process) error {
- 	if len(spec.Args) == 0 {
- 		return errors.New("args must not be empty")
- 	}
--	if spec.SelinuxLabel != "" && !selinux.GetEnabled() {
--		return errors.New("selinux label is specified in config, but selinux is disabled or not supported")
--	}
- 	return nil
- }
- 
--- 
-2.21.0
-

sdk_container/src/third_party/coreos-overlay/app-emulation/docker-runc/files/0003-libcontainer-disable-prctl-with-NoNewPrivileges.patch

@@ -1,55 +0,0 @@
-From 657e01b0d909cce33bc5176e5ef618e039ba187f Mon Sep 17 00:00:00 2001
-Message-Id: <657e01b0d909cce33bc5176e5ef618e039ba187f.1614603215.git.dongsu@kinvolk.io>
-From: Dongsu Park <dongsu@kinvolk.io>
-Date: Fri, 26 Feb 2021 15:51:04 +0100
-Subject: [PATCH] libcontainer: disable prctl with NoNewPrivileges
-
-Temporarily disable Prctl and InitSeccomp for NoNewPrivileges, to be able
-to make docker/runc work with "--security-opt=no-new-privileges".
-
-So far it has worked without disabling NoNewPrivileges until runc 1.0.0-rc92,
-which allowed the "selinux" build tag. Since runc 1.0.0-rc93, however,
-the selinux build tag is now gone, so selinux is always enabled.
-That's why `docker run --security-opt=no-new-privileges` failed.
-
-Until we could figure out its real reason, let's temporarily disable
-NoNewPrivileges to make the CI pass.
-
----
- libcontainer/standard_init_linux.go | 13 -------------
- 1 file changed, 13 deletions(-)
-
-diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
-index 7ec506c4..fc4121a9 100644
---- a/libcontainer/standard_init_linux.go
-+++ b/libcontainer/standard_init_linux.go
-@@ -135,11 +135,6 @@ func (l *linuxStandardInit) Init() error {
- 	if err != nil {
- 		return errors.Wrap(err, "get pdeath signal")
- 	}
--	if l.config.NoNewPrivileges {
--		if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
--			return errors.Wrap(err, "set nonewprivileges")
--		}
--	}
- 	// Tell our parent that we're ready to Execv. This must be done before the
- 	// Seccomp rules have been applied, because we need to be able to read and
- 	// write to a socket.
-@@ -199,14 +194,6 @@ func (l *linuxStandardInit) Init() error {
- 	// since been resolved.
- 	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
- 	unix.Close(l.fifoFd)
--	// Set seccomp as close to execve as possible, so as few syscalls take
--	// place afterward (reducing the amount of syscalls that users need to
--	// enable in their seccomp profiles).
--	if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
--		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
--			return newSystemErrorWithCause(err, "init seccomp")
--		}
--	}
- 
- 	s := l.config.SpecState
- 	s.Pid = unix.Getpid()
--- 
-2.29.2
-