Support SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV

[utam0k]

Fix #3860

I didn't find a good way to test SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV 😭

[utam0k]

crun: containers/crun#1008

[AkihiroSuda]

Could you remove:

runc/docs/spec-conformance.md

Line 16 in 6beb3c6

v1.1.0-rc.1 | `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV` | TODO ([#3860](https://github.com/opencontainers/runc/issues/3860))

[kolyshkin]

I guess this needs to be

• added to a released libseccomp version
• added to libseccomp-golang

Once in, we can implement it in runc.

[utam0k]

I guess this needs to be

• added to a released libseccomp version
• added to libseccomp-golang

Once in, we can implement it in runc.

I see. I will make this PR the draft PR once.

[kolyshkin]

A quick status update.

For libseccomp, it looks like support for SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV / SCMP_FLTATR_CTL_WAITKILL is added in seccomp/libseccomp#387 which has 2.6.0 milestone. Indeeed, the functionality is not in a released version as of time of writing this (Jan 2025).

So this PR have to wait for:

• libseccomp 2.6.0 release
• libseccomp-golang release which syncs features from libseccomp 2.6.0

[kolyshkin]

• libseccomp 2.6.0 release

This is now DONE!

• libseccomp-golang release which syncs features from libseccomp 2.6.0

This is being done in seccomp/libseccomp-golang#114 (there will be more PRs, and eventually a ne release).

[rata]

Moving to 1.4 because this doesn't seem ready and it seems like a feature, that we shouldn't merge at this point for 1.3.

Don't hesitate to speak-up if you want this in 1.3 anyways.

[kolyshkin]

We still need libseccomp-golang release, which is more-or-less in review ATM

[AkihiroSuda]

What is the current status?