bump runc go dep to v1.3.0

Signed-off-by: Tariq Ibrahim <tibrahim@nvidia.com>

vendor/github.com/opencontainers/runc/libcontainer/exeseal/cloned_binary_linux.go

@@ -1,4 +1,4 @@
-package dmz
+package exeseal
 
 import (
 	"errors"
@@ -228,7 +228,7 @@ func CloneSelfExe(tmpDir string) (*os.File, error) {
 	// around ~60% overhead during container startup.
 	overlayFile, err := sealedOverlayfs("/proc/self/exe", tmpDir)
 	if err == nil {
-		logrus.Debug("runc-dmz: using overlayfs for sealed /proc/self/exe") // used for tests
+		logrus.Debug("runc exeseal: using overlayfs for sealed /proc/self/exe") // used for tests
 		return overlayFile, nil
 	}
 	logrus.WithError(err).Debugf("could not use overlayfs for /proc/self/exe sealing -- falling back to making a temporary copy")

vendor/github.com/opencontainers/runc/libcontainer/exeseal/overlayfs_linux.go

@@ -1,4 +1,4 @@
-package dmz
+package exeseal
 
 import (
 	"fmt"

vendor/github.com/opencontainers/runc/libcontainer/system/rlimit_linux_go122.go

@@ -1,27 +0,0 @@
-//go:build !go1.23
-
-// TODO: remove this file once go 1.22 is no longer supported.
-
-package system
-
-import (
-	"sync/atomic"
-	"syscall"
-	_ "unsafe" // Needed for go:linkname to work.
-)
-
-//go:linkname syscallOrigRlimitNofile syscall.origRlimitNofile
-var syscallOrigRlimitNofile atomic.Pointer[syscall.Rlimit]
-
-// ClearRlimitNofileCache clears go runtime's nofile rlimit cache.
-// The argument is process RLIMIT_NOFILE values.
-func ClearRlimitNofileCache(_ *syscall.Rlimit) {
-	// As reported in issue #4195, the new version of go runtime(since 1.19)
-	// will cache rlimit-nofile. Before executing execve, the rlimit-nofile
-	// of the process will be restored with the cache. In runc, this will
-	// cause the rlimit-nofile setting by the parent process for the container
-	// to become invalid. It can be solved by clearing this cache. But
-	// unfortunately, go stdlib doesn't provide such function, so we need to
-	// link to the private var `origRlimitNofile` in package syscall to hack.
-	syscallOrigRlimitNofile.Store(nil)
-}

vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go

@@ -50,19 +50,19 @@ func CleanPath(path string) string {
 
 	// Ensure that all paths are cleaned (especially problematic ones like
 	// "/../../../../../" which can cause lots of issues).
-	path = filepath.Clean(path)
+
+	if filepath.IsAbs(path) {
+		return filepath.Clean(path)
+	}
 
 	// If the path isn't absolute, we need to do more processing to fix paths
 	// such as "../../../../<etc>/some/path". We also shouldn't convert absolute
 	// paths to relative ones.
-	if !filepath.IsAbs(path) {
-		path = filepath.Clean(string(os.PathSeparator) + path)
-		// This can't fail, as (by definition) all paths are relative to root.
-		path, _ = filepath.Rel(string(os.PathSeparator), path)
-	}
+	path = filepath.Clean(string(os.PathSeparator) + path)
+	// This can't fail, as (by definition) all paths are relative to root.
+	path, _ = filepath.Rel(string(os.PathSeparator), path)
 
-	// Clean the path again for good measure.
-	return filepath.Clean(path)
+	return path
 }
 
 // stripRoot returns the passed path, stripping the root path if it was
@@ -77,7 +77,7 @@ func stripRoot(root, path string) string {
 		path = "/"
 	case root == "/":
 		// do nothing
-	case strings.HasPrefix(path, root+"/"):
+	default:
 		path = strings.TrimPrefix(path, root+"/")
 	}
 	return CleanPath("/" + path)
@@ -88,8 +88,8 @@ func stripRoot(root, path string) string {
 func SearchLabels(labels []string, key string) (string, bool) {
 	key += "="
 	for _, s := range labels {
-		if strings.HasPrefix(s, key) {
-			return s[len(key):], true
+		if val, ok := strings.CutPrefix(s, key); ok {
+			return val, true
 		}
 	}
 	return "", false

vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go

@@ -102,8 +102,14 @@ func fdRangeFrom(minFd int, fn fdFunc) error {
 func CloseExecFrom(minFd int) error {
 	// Use close_range(CLOSE_RANGE_CLOEXEC) if possible.
 	if haveCloseRangeCloexec() {
-		err := unix.CloseRange(uint(minFd), math.MaxUint, unix.CLOSE_RANGE_CLOEXEC)
-		return os.NewSyscallError("close_range", err)
+		err := unix.CloseRange(uint(minFd), math.MaxInt32, unix.CLOSE_RANGE_CLOEXEC)
+		if err == nil {
+			return nil
+		}
+
+		logrus.Debugf("close_range failed, closing range one at a time (error: %v)", err)
+
+		// If close_range fails, we fall back to the standard loop.
 	}
 	// Otherwise, fall back to the standard loop.
 	return fdRangeFrom(minFd, unix.CloseOnExec)