@@ -81,7 +81,7 @@ require (

 	github.com/morikuni/aec v1.0.0

 	github.com/opencontainers/go-digest v1.0.0

 	github.com/opencontainers/image-spec v1.1.0

-	github.com/opencontainers/runc v1.1.14

+	github.com/opencontainers/runc v1.2.0

 	github.com/opencontainers/runtime-spec v1.2.0

 	github.com/opencontainers/selinux v1.11.1

 	github.com/pelletier/go-toml v1.9.5

@@ -422,8 +422,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8

 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=

 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=

 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=

-github.com/opencontainers/runc v1.1.14 h1:rgSuzbmgz5DUJjeSnw337TxDbRuqjs6iqQck/2weR6w=

-github.com/opencontainers/runc v1.1.14/go.mod h1:E4C2z+7BxR7GHXp0hAY53mek+x49X1LjPNeMTfRGvOA=

+github.com/opencontainers/runc v1.2.0 h1:qke7ZVCmJcKrJVY2iHJVC+0kql9uYdkusOPsQOOeBw4=

+github.com/opencontainers/runc v1.2.0/go.mod h1:/PXzF0h531HTMsYQnmxXkBD7YaGShm/2zcRB79dksUc=

 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=

 github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=

 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=

@@ -8,9 +8,9 @@ The following is courtesy of our legal counsel:

 Use and transfer of Docker may be subject to certain restrictions by the

-United States and other governments.  

+United States and other governments.

 It is your responsibility to ensure that your use and/or transfer does not

-violate applicable laws. 

+violate applicable laws.

 For more information, please see http://www.bis.doc.gov

@@ -1,9 +1,30 @@

 package cgroups

 import (

+	"errors"

+

 	"github.com/opencontainers/runc/libcontainer/configs"

 )

+var (

+	// ErrDevicesUnsupported is an error returned when a cgroup manager

+	// is not configured to set device rules.

+	ErrDevicesUnsupported = errors.New("cgroup manager is not configured to set device rules")

+

+	// ErrRootless is returned by [Manager.Apply] when there is an error

+	// creating cgroup directory, and cgroup.Rootless is set. In general,

+	// this error is to be ignored.

+	ErrRootless = errors.New("cgroup manager can not access cgroup (rootless container)")

+

+	// DevicesSetV1 and DevicesSetV2 are functions to set devices for

+	// cgroup v1 and v2, respectively. Unless

+	// [github.com/opencontainers/runc/libcontainer/cgroups/devices]

+	// package is imported, it is set to nil, so cgroup managers can't

+	// manage devices.

+	DevicesSetV1 func(path string, r *configs.Resources) error

+	DevicesSetV2 func(path string, r *configs.Resources) error

+)

+

 type Manager interface {

 	// Apply creates a cgroup, if not yet created, and adds a process

 	// with the specified pid into that cgroup.  A special value of -1

@@ -50,22 +50,45 @@ func WriteFile(dir, file, data string) error {

 		return err

 	}

 	defer fd.Close()

-	if err := retryingWriteFile(fd, data); err != nil {

+	if _, err := fd.WriteString(data); err != nil {

 		// Having data in the error message helps in debugging.

 		return fmt.Errorf("failed to write %q: %w", data, err)

 	}

 	return nil

 }

-func retryingWriteFile(fd *os.File, data string) error {

+// WriteFileByLine is the same as WriteFile, except if data contains newlines,

+// it is written line by line.

+func WriteFileByLine(dir, file, data string) error {

+	i := strings.Index(data, "\n")

+	if i == -1 {

+		return WriteFile(dir, file, data)

+	}

+

+	fd, err := OpenFile(dir, file, unix.O_WRONLY)

+	if err != nil {

+		return err

+	}

+	defer fd.Close()

+	start := 0

 	for {

-		_, err := fd.Write([]byte(data))

-		if errors.Is(err, unix.EINTR) {

-			logrus.Infof("interrupted while writing %s to %s", data, fd.Name())

-			continue

+		var line string

+		if i == -1 {

+			line = data[start:]

+		} else {

+			line = data[start : start+i+1]

 		}

-		return err

+		_, err := fd.WriteString(line)

+		if err != nil {

+			return fmt.Errorf("failed to write %q: %w", line, err)

+		}

+		if i == -1 {

+			break

+		}

+		start += i + 1

+		i = strings.Index(data[start:], "\n")

 	}

+	return nil

 }

 const (

@@ -90,7 +113,7 @@ func prepareOpenat2() error {

 		})

 		if err != nil {

 			prepErr = &os.PathError{Op: "openat2", Path: cgroupfsDir, Err: err}

-			if err != unix.ENOSYS { //nolint:errorlint // unix errors are bare

+			if err != unix.ENOSYS {

 				logrus.Warnf("falling back to securejoin: %s", prepErr)

 			} else {

 				logrus.Debug("openat2 not available, falling back to securejoin")

@@ -148,8 +171,9 @@ func openFile(dir, file string, flags int) (*os.File, error) {

 		//

 		// TODO: if such usage will ever be common, amend this

 		// to reopen cgroupRootHandle and retry openat2.

-		fdStr := strconv.Itoa(int(cgroupRootHandle.Fd()))

-		fdDest, _ := os.Readlink("/proc/self/fd/" + fdStr)

+		fdPath, closer := utils.ProcThreadSelf("fd/" + strconv.Itoa(int(cgroupRootHandle.Fd())))

+		defer closer()

+		fdDest, _ := os.Readlink(fdPath)

 		if fdDest != cgroupfsDir {

 			// Wrap the error so it is clear that cgroupRootHandle

 			// is opened to an unexpected/wrong directory.

@@ -32,9 +32,22 @@ type CpuUsage struct {

 	UsageInUsermode uint64 `json:"usage_in_usermode"`

 }

+type PSIData struct {

+	Avg10  float64 `json:"avg10"`

+	Avg60  float64 `json:"avg60"`

+	Avg300 float64 `json:"avg300"`

+	Total  uint64  `json:"total"`

+}

+

+type PSIStats struct {

+	Some PSIData `json:"some,omitempty"`

+	Full PSIData `json:"full,omitempty"`

+}

+

 type CpuStats struct {

 	CpuUsage       CpuUsage       `json:"cpu_usage,omitempty"`

 	ThrottlingData ThrottlingData `json:"throttling_data,omitempty"`

+	PSI            *PSIStats      `json:"psi,omitempty"`

 }

 type CPUSetStats struct {

@@ -91,6 +104,7 @@ type MemoryStats struct {

 	UseHierarchy bool `json:"use_hierarchy"`

 	Stats map[string]uint64 `json:"stats,omitempty"`

+	PSI   *PSIStats         `json:"psi,omitempty"`

 }

 type PageUsageByNUMA struct {

@@ -135,6 +149,7 @@ type BlkioStats struct {

 	IoMergedRecursive       []BlkioStatEntry `json:"io_merged_recursive,omitempty"`

 	IoTimeRecursive         []BlkioStatEntry `json:"io_time_recursive,omitempty"`

 	SectorsRecursive        []BlkioStatEntry `json:"sectors_recursive,omitempty"`

+	PSI                     *PSIStats        `json:"psi,omitempty"`

 }

 type HugetlbStats struct {

@@ -157,6 +172,13 @@ type RdmaStats struct {

 	RdmaCurrent []RdmaEntry `json:"rdma_current,omitempty"`

 }

+type MiscStats struct {

+	// current resource usage for a key in misc

+	Usage uint64 `json:"usage,omitempty"`

+	// number of times the resource usage was about to go over the max boundary

+	Events uint64 `json:"events,omitempty"`

+}

+

 type Stats struct {

 	CpuStats    CpuStats    `json:"cpu_stats,omitempty"`

 	CPUSetStats CPUSetStats `json:"cpuset_stats,omitempty"`

@@ -166,10 +188,13 @@ type Stats struct {

 	// the map is in the format "size of hugepage: stats of the hugepage"

 	HugetlbStats map[string]HugetlbStats `json:"hugetlb_stats,omitempty"`

 	RdmaStats    RdmaStats               `json:"rdma_stats,omitempty"`

+	// the map is in the format "misc resource name: stats of the key"

+	MiscStats map[string]MiscStats `json:"misc_stats,omitempty"`

 }

 func NewStats() *Stats {

 	memoryStats := MemoryStats{Stats: make(map[string]uint64)}

 	hugetlbStats := make(map[string]HugetlbStats)

-	return &Stats{MemoryStats: memoryStats, HugetlbStats: hugetlbStats}

+	miscStats := make(map[string]MiscStats)

+	return &Stats{MemoryStats: memoryStats, HugetlbStats: hugetlbStats, MiscStats: miscStats}

 }

@@ -12,7 +12,7 @@ import (

 	"sync"

 	"time"

-	"github.com/opencontainers/runc/libcontainer/userns"

+	"github.com/moby/sys/userns"

 	"github.com/sirupsen/logrus"

 	"golang.org/x/sys/unix"

 )

@@ -36,13 +36,13 @@ func IsCgroup2UnifiedMode() bool {

 		var st unix.Statfs_t

 		err := unix.Statfs(unifiedMountpoint, &st)

 		if err != nil {

+			level := logrus.WarnLevel

 			if os.IsNotExist(err) && userns.RunningInUserNS() {

-				// ignore the "not found" error if running in userns

-				logrus.WithError(err).Debugf("%s missing, assuming cgroup v1", unifiedMountpoint)

-				isUnified = false

-				return

+				// For rootless containers, sweep it under the rug.

+				level = logrus.DebugLevel

 			}

-			panic(fmt.Sprintf("cannot statfs cgroup root: %s", err))

+			logrus.StandardLogger().Logf(level,

+				"statfs %s: %v; assuming cgroup v1", unifiedMountpoint, err)

 		}

 		isUnified = st.Type == unix.CGROUP2_SUPER_MAGIC

 	})

@@ -136,18 +136,18 @@ func GetAllSubsystems() ([]string, error) {

 	return subsystems, nil

 }

-func readProcsFile(dir string) ([]int, error) {

-	f, err := OpenFile(dir, CgroupProcesses, os.O_RDONLY)

+func readProcsFile(dir string) (out []int, _ error) {

+	file := CgroupProcesses

+	retry := true

+

+again:

+	f, err := OpenFile(dir, file, os.O_RDONLY)

 	if err != nil {

 		return nil, err

 	}

 	defer f.Close()

-	var (

-		s   = bufio.NewScanner(f)

-		out = []int{}

-	)

-

+	s := bufio.NewScanner(f)

 	for s.Scan() {

 		if t := s.Text(); t != "" {

 			pid, err := strconv.Atoi(t)

@@ -157,6 +157,13 @@ func readProcsFile(dir string) ([]int, error) {

 			out = append(out, pid)

 		}

 	}

+	if errors.Is(s.Err(), unix.ENOTSUP) && retry {

+		// For a threaded cgroup, read returns ENOTSUP, and we should

+		// read from cgroup.threads instead.

+		file = "cgroup.threads"

+		retry = false

+		goto again

+	}

 	return out, s.Err()

 }

@@ -217,21 +224,26 @@ func PathExists(path string) bool {

 	return true

 }

-func EnterPid(cgroupPaths map[string]string, pid int) error {

-	for _, path := range cgroupPaths {

-		if PathExists(path) {

-			if err := WriteCgroupProc(path, pid); err != nil {

-				return err

-			}

-		}

-	}

-	return nil

-}

+// rmdir tries to remove a directory, optionally retrying on EBUSY.

+func rmdir(path string, retry bool) error {

+	delay := time.Millisecond

+	tries := 10

-func rmdir(path string) error {

+again:

 	err := unix.Rmdir(path)

-	if err == nil || err == unix.ENOENT { //nolint:errorlint // unix errors are bare

+	switch err { // nolint:errorlint // unix errors are bare

+	case nil, unix.ENOENT:

 		return nil

+	case unix.EINTR:

+		goto again

+	case unix.EBUSY:

+		if retry && tries > 0 {

+			time.Sleep(delay)

+			delay *= 2

+			tries--

+			goto again

+

+		}

 	}

 	return &os.PathError{Op: "rmdir", Path: path, Err: err}

 }

@@ -239,68 +251,40 @@ func rmdir(path string) error {

 // RemovePath aims to remove cgroup path. It does so recursively,

 // by removing any subdirectories (sub-cgroups) first.

 func RemovePath(path string) error {

-	// try the fast path first

-	if err := rmdir(path); err == nil {

+	// Try the fast path first.

+	if err := rmdir(path, false); err == nil {

 		return nil

 	}

 	infos, err := os.ReadDir(path)

-	if err != nil {

-		if os.IsNotExist(err) {

-			err = nil

-		}

+	if err != nil && !os.IsNotExist(err) {

 		return err

 	}

 	for _, info := range infos {

 		if info.IsDir() {

-			// We should remove subcgroups dir first

+			// We should remove subcgroup first.

 			if err = RemovePath(filepath.Join(path, info.Name())); err != nil {

 				break

 			}

 		}

 	}

 	if err == nil {

-		err = rmdir(path)

+		err = rmdir(path, true)

 	}

 	return err

 }

 // RemovePaths iterates over the provided paths removing them.

-// We trying to remove all paths five times with increasing delay between tries.

-// If after all there are not removed cgroups - appropriate error will be

-// returned.

 func RemovePaths(paths map[string]string) (err error) {

-	const retries = 5

-	delay := 10 * time.Millisecond

-	for i := 0; i < retries; i++ {

-		if i != 0 {

-			time.Sleep(delay)

-			delay *= 2

-		}

-		for s, p := range paths {

-			if err := RemovePath(p); err != nil {

-				// do not log intermediate iterations

-				switch i {

-				case 0:

-					logrus.WithError(err).Warnf("Failed to remove cgroup (will retry)")

-				case retries - 1:

-					logrus.WithError(err).Error("Failed to remove cgroup")

-				}

-			}

-			_, err := os.Stat(p)

-			// We need this strange way of checking cgroups existence because

-			// RemoveAll almost always returns error, even on already removed

-			// cgroups

-			if os.IsNotExist(err) {

-				delete(paths, s)

-			}

-		}

-		if len(paths) == 0 {

-			//nolint:ineffassign,staticcheck // done to help garbage collecting: opencontainers/runc#2506

-			paths = make(map[string]string)

-			return nil

+	for s, p := range paths {

+		if err := RemovePath(p); err == nil {

+			delete(paths, s)

 		}

 	}

+	if len(paths) == 0 {

+		clear(paths)

+		return nil

+	}

 	return fmt.Errorf("Failed to remove paths: %v", paths)

 }

@@ -99,11 +99,12 @@ func tryDefaultPath(cgroupPath, subsystem string) string {

 // expensive), so it is assumed that cgroup mounts are not being changed.

 func readCgroupMountinfo() ([]*mountinfo.Info, error) {

 	readMountinfoOnce.Do(func() {

+		// mountinfo.GetMounts uses /proc/thread-self, so we can use it without

+		// issues.

 		cgroupMountinfo, readMountinfoErr = mountinfo.GetMounts(

 			mountinfo.FSTypeFilter("cgroup"),

 		)

 	})

-

 	return cgroupMountinfo, readMountinfoErr

 }

@@ -196,6 +197,9 @@ func getCgroupMountsV1(all bool) ([]Mount, error) {

 		return nil, err

 	}

+	// We don't need to use /proc/thread-self here because runc always runs

+	// with every thread in the same cgroup. This lets us avoid having to do

+	// runtime.LockOSThread.

 	allSubsystems, err := ParseCgroupFile("/proc/self/cgroup")

 	if err != nil {

 		return nil, err

@@ -214,6 +218,10 @@ func GetOwnCgroup(subsystem string) (string, error) {

 	if IsCgroup2UnifiedMode() {

 		return "", errUnified

 	}

+

+	// We don't need to use /proc/thread-self here because runc always runs

+	// with every thread in the same cgroup. This lets us avoid having to do

+	// runtime.LockOSThread.

 	cgroups, err := ParseCgroupFile("/proc/self/cgroup")

 	if err != nil {

 		return "", err

@@ -236,27 +244,6 @@ func GetOwnCgroupPath(subsystem string) (string, error) {

 	return getCgroupPathHelper(subsystem, cgroup)

 }

-func GetInitCgroup(subsystem string) (string, error) {

-	if IsCgroup2UnifiedMode() {

-		return "", errUnified

-	}

-	cgroups, err := ParseCgroupFile("/proc/1/cgroup")

-	if err != nil {

-		return "", err

-	}

-

-	return getControllerPath(subsystem, cgroups)

-}

-

-func GetInitCgroupPath(subsystem string) (string, error) {

-	cgroup, err := GetInitCgroup(subsystem)

-	if err != nil {

-		return "", err

-	}

-

-	return getCgroupPathHelper(subsystem, cgroup)

-}

-

 func getCgroupPathHelper(subsystem, cgroup string) (string, error) {

 	mnt, root, err := FindCgroupMountpointAndRoot("", subsystem)

 	if err != nil {

@@ -2,8 +2,8 @@ package configs

 import "fmt"

-// blockIODevice holds major:minor format supported in blkio cgroup

-type blockIODevice struct {

+// BlockIODevice holds major:minor format supported in blkio cgroup.

+type BlockIODevice struct {

 	// Major is the device's major number

 	Major int64 `json:"major"`

 	// Minor is the device's minor number

@@ -12,7 +12,7 @@ type blockIODevice struct {

 // WeightDevice struct holds a `major:minor weight`|`major:minor leaf_weight` pair

 type WeightDevice struct {

-	blockIODevice

+	BlockIODevice

 	// Weight is the bandwidth rate for the device, range is from 10 to 1000

 	Weight uint16 `json:"weight"`

 	// LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, cfq scheduler only

@@ -41,7 +41,7 @@ func (wd *WeightDevice) LeafWeightString() string {

 // ThrottleDevice struct holds a `major:minor rate_per_second` pair

 type ThrottleDevice struct {

-	blockIODevice

+	BlockIODevice

 	// Rate is the IO rate limit per cgroup per device

 	Rate uint64 `json:"rate"`

 }

@@ -69,6 +69,9 @@ type Resources struct {

 	// CPU hardcap limit (in usecs). Allowed cpu time in a given period.

 	CpuQuota int64 `json:"cpu_quota"`

+	// CPU hardcap burst limit (in usecs). Allowed accumulated cpu time additionally for burst in a given period.

+	CpuBurst *uint64 `json:"cpu_burst"` //nolint:revive

+

 	// CPU period to be used for hardcapping (in usecs). 0 to use system default.

 	CpuPeriod uint64 `json:"cpu_period"`

@@ -84,6 +87,9 @@ type Resources struct {

 	// MEM to use

 	CpusetMems string `json:"cpuset_mems"`

+	// cgroup SCHED_IDLE

+	CPUIdle *int64 `json:"cpu_idle,omitempty"`

+

 	// Process limit; set <= `0' to disable limit.

 	PidsLimit int64 `json:"pids_limit"`

@@ -155,4 +161,9 @@ type Resources struct {

 	// during Set() to figure out whether the freeze is required. Those

 	// methods may be relatively slow, thus this flag.

 	SkipFreezeOnSet bool `json:"-"`

+

+	// MemoryCheckBeforeUpdate is a flag for cgroup v2 managers to check

+	// if the new memory limits (Memory and MemorySwap) being set are lower

+	// than the current memory usage, and reject if so.

+	MemoryCheckBeforeUpdate bool `json:"memory_check_before_update"`

 }

@@ -1,5 +1,4 @@

 //go:build !linux

-// +build !linux

 package configs

@@ -8,6 +8,7 @@ import (

 	"time"

 	"github.com/sirupsen/logrus"

+	"golang.org/x/sys/unix"

 	"github.com/opencontainers/runc/libcontainer/devices"

 	"github.com/opencontainers/runtime-spec/specs-go"

@@ -31,12 +32,13 @@ type IDMap struct {

 // for syscalls. Additional architectures can be added by specifying them in

 // Architectures.

 type Seccomp struct {

-	DefaultAction    Action     `json:"default_action"`

-	Architectures    []string   `json:"architectures"`

-	Syscalls         []*Syscall `json:"syscalls"`

-	DefaultErrnoRet  *uint      `json:"default_errno_ret"`

-	ListenerPath     string     `json:"listener_path,omitempty"`

-	ListenerMetadata string     `json:"listener_metadata,omitempty"`

+	DefaultAction    Action                   `json:"default_action"`

+	Architectures    []string                 `json:"architectures"`

+	Flags            []specs.LinuxSeccompFlag `json:"flags"`

+	Syscalls         []*Syscall               `json:"syscalls"`

+	DefaultErrnoRet  *uint                    `json:"default_errno_ret"`

+	ListenerPath     string                   `json:"listener_path,omitempty"`

+	ListenerMetadata string                   `json:"listener_metadata,omitempty"`

 }

 // Action is taken upon rule match in Seccomp

@@ -83,9 +85,6 @@ type Syscall struct {

 	Args     []*Arg `json:"args"`

 }

-// TODO Windows. Many of these fields should be factored out into those parts

-// which are common across platforms, and those which are platform specific.

-

 // Config defines configuration options for executing a process inside a contained environment.

 type Config struct {

 	// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs

@@ -121,6 +120,9 @@ type Config struct {

 	// Hostname optionally sets the container's hostname if provided

 	Hostname string `json:"hostname"`

+	// Domainname optionally sets the container's domainname if provided

+	Domainname string `json:"domainname"`

+

 	// Namespaces specifies the container's namespaces that it should setup when cloning the init process

 	// If a namespace is not provided that namespace is shared from the container's parent process

 	Namespaces Namespaces `json:"namespaces"`

@@ -158,11 +160,11 @@ type Config struct {

 	// More information about kernel oom score calculation here: https://lwn.net/Articles/317814/

 	OomScoreAdj *int `json:"oom_score_adj,omitempty"`

-	// UidMappings is an array of User ID mappings for User Namespaces

-	UidMappings []IDMap `json:"uid_mappings"`

+	// UIDMappings is an array of User ID mappings for User Namespaces

+	UIDMappings []IDMap `json:"uid_mappings"`

-	// GidMappings is an array of Group ID mappings for User Namespaces

-	GidMappings []IDMap `json:"gid_mappings"`

+	// GIDMappings is an array of Group ID mappings for User Namespaces

+	GIDMappings []IDMap `json:"gid_mappings"`

 	// MaskPaths specifies paths within the container's rootfs to mask over with a bind

 	// mount pointing to /dev/null as to prevent reads of the file.

@@ -211,8 +213,87 @@ type Config struct {

 	// RootlessCgroups is set when unlikely to have the full access to cgroups.

 	// When RootlessCgroups is set, cgroups errors are ignored.

 	RootlessCgroups bool `json:"rootless_cgroups,omitempty"`

+

+	// TimeOffsets specifies the offset for supporting time namespaces.

+	TimeOffsets map[string]specs.LinuxTimeOffset `json:"time_offsets,omitempty"`

+

+	// Scheduler represents the scheduling attributes for a process.

+	Scheduler *Scheduler `json:"scheduler,omitempty"`

+

+	// Personality contains configuration for the Linux personality syscall.

+	Personality *LinuxPersonality `json:"personality,omitempty"`

+

+	// IOPriority is the container's I/O priority.

+	IOPriority *IOPriority `json:"io_priority,omitempty"`

 }

+// Scheduler is based on the Linux sched_setattr(2) syscall.

+type Scheduler = specs.Scheduler

+

+// ToSchedAttr is to convert *configs.Scheduler to *unix.SchedAttr.

+func ToSchedAttr(scheduler *Scheduler) (*unix.SchedAttr, error) {

+	var policy uint32

+	switch scheduler.Policy {

+	case specs.SchedOther:

+		policy = 0

+	case specs.SchedFIFO:

+		policy = 1

+	case specs.SchedRR:

+		policy = 2

+	case specs.SchedBatch:

+		policy = 3

+	case specs.SchedISO:

+		policy = 4

+	case specs.SchedIdle:

+		policy = 5

+	case specs.SchedDeadline:

+		policy = 6

+	default:

+		return nil, fmt.Errorf("invalid scheduler policy: %s", scheduler.Policy)

+	}

+

+	var flags uint64

+	for _, flag := range scheduler.Flags {

+		switch flag {

+		case specs.SchedFlagResetOnFork:

+			flags |= 0x01

+		case specs.SchedFlagReclaim:

+			flags |= 0x02

+		case specs.SchedFlagDLOverrun:

+			flags |= 0x04

+		case specs.SchedFlagKeepPolicy:

+			flags |= 0x08

+		case specs.SchedFlagKeepParams:

+			flags |= 0x10

+		case specs.SchedFlagUtilClampMin:

+			flags |= 0x20

+		case specs.SchedFlagUtilClampMax:

+			flags |= 0x40

+		default:

+			return nil, fmt.Errorf("invalid scheduler flag: %s", flag)

+		}

+	}

+

+	return &unix.SchedAttr{

+		Size:     unix.SizeofSchedAttr,

+		Policy:   policy,

+		Flags:    flags,

+		Nice:     scheduler.Nice,

+		Priority: uint32(scheduler.Priority),

+		Runtime:  scheduler.Runtime,

+		Deadline: scheduler.Deadline,

+		Period:   scheduler.Period,

+	}, nil

+}

+

+var IOPrioClassMapping = map[specs.IOPriorityClass]int{

+	specs.IOPRIO_CLASS_RT:   1,

+	specs.IOPRIO_CLASS_BE:   2,

+	specs.IOPRIO_CLASS_IDLE: 3,

+}

+

+type IOPriority = specs.LinuxIOPriority

+

 type (

 	HookName string

 	HookList []Hook

@@ -277,6 +358,7 @@ type Capabilities struct {

 	Ambient []string

 }

+// Deprecated: use (Hooks).Run instead.

 func (hooks HookList) RunHooks(state *specs.State) error {

 	for i, h := range hooks {

 		if err := h.Run(state); err != nil {

@@ -333,6 +415,18 @@ func (hooks *Hooks) MarshalJSON() ([]byte, error) {

 	})

 }

+// Run executes all hooks for the given hook name.

+func (hooks Hooks) Run(name HookName, state *specs.State) error {

+	list := hooks[name]

+	for i, h := range list {

+		if err := h.Run(state); err != nil {

+			return fmt.Errorf("error running %s hook #%d: %w", name, i, err)

+		}

+	}

+

+	return nil

+}

+

 type Hook interface {

 	// Run executes the hook with the provided state.

 	Run(*specs.State) error

@@ -393,7 +487,7 @@ func (c Command) Run(s *specs.State) error {

 	go func() {

 		err := cmd.Wait()

 		if err != nil {

-			err = fmt.Errorf("error running hook: %w, stdout: %s, stderr: %s", err, stdout.String(), stderr.String())

+			err = fmt.Errorf("%w, stdout: %s, stderr: %s", err, stdout.String(), stderr.String())

 		}

 		errC <- err

 	}()

@@ -7,22 +7,33 @@ import (

 )

 var (

-	errNoUIDMap   = errors.New("User namespaces enabled, but no uid mappings found.")

-	errNoUserMap  = errors.New("User namespaces enabled, but no user mapping found.")

-	errNoGIDMap   = errors.New("User namespaces enabled, but no gid mappings found.")

-	errNoGroupMap = errors.New("User namespaces enabled, but no group mapping found.")

+	errNoUIDMap = errors.New("user namespaces enabled, but no uid mappings found")

+	errNoGIDMap = errors.New("user namespaces enabled, but no gid mappings found")

 )

+// Please check https://man7.org/linux/man-pages/man2/personality.2.html for const details.

+// https://raw.githubusercontent.com/torvalds/linux/master/include/uapi/linux/personality.h

+const (

+	PerLinux   = 0x0000

+	PerLinux32 = 0x0008

+)

+

+type LinuxPersonality struct {

+	// Domain for the personality

+	// can only contain values "LINUX" and "LINUX32"

+	Domain int `json:"domain"`

+}

+

 // HostUID gets the translated uid for the process on host which could be

 // different when user namespaces are enabled.

 func (c Config) HostUID(containerId int) (int, error) {

 	if c.Namespaces.Contains(NEWUSER) {

-		if c.UidMappings == nil {

+		if len(c.UIDMappings) == 0 {

 			return -1, errNoUIDMap

 		}

-		id, found := c.hostIDFromMapping(int64(containerId), c.UidMappings)

+		id, found := c.hostIDFromMapping(int64(containerId), c.UIDMappings)

 		if !found {

-			return -1, errNoUserMap

+			return -1, fmt.Errorf("user namespaces enabled, but no mapping found for uid %d", containerId)

 		}

 		// If we are a 32-bit binary running on a 64-bit system, it's possible

 		// the mapped user is too large to store in an int, which means we

@@ -47,12 +58,12 @@ func (c Config) HostRootUID() (int, error) {

 // different when user namespaces are enabled.

 func (c Config) HostGID(containerId int) (int, error) {

 	if c.Namespaces.Contains(NEWUSER) {

-		if c.GidMappings == nil {

+		if len(c.GIDMappings) == 0 {

 			return -1, errNoGIDMap

 		}

-		id, found := c.hostIDFromMapping(int64(containerId), c.GidMappings)

+		id, found := c.hostIDFromMapping(int64(containerId), c.GIDMappings)

 		if !found {

-			return -1, errNoGroupMap

+			return -1, fmt.Errorf("user namespaces enabled, but no mapping found for gid %d", containerId)

 		}

 		// If we are a 32-bit binary running on a 64-bit system, it's possible

 		// the mapped user is too large to store in an int, which means we

@@ -1,5 +1,4 @@

 //go:build gofuzz

-// +build gofuzz

 package configs

@@ -1,48 +1,7 @@

 package configs

-import "golang.org/x/sys/unix"

-

 const (

 	// EXT_COPYUP is a directive to copy up the contents of a directory when

 	// a tmpfs is mounted over it.

-	EXT_COPYUP = 1 << iota //nolint:golint // ignore "don't use ALL_CAPS" warning

+	EXT_COPYUP = 1 << iota //nolint:golint,revive // ignore "don't use ALL_CAPS" warning

 )

-

-type Mount struct {

-	// Source path for the mount.

-	Source string `json:"source"`

-

-	// Destination path for the mount inside the container.

-	Destination string `json:"destination"`

-

-	// Device the mount is for.

-	Device string `json:"device"`

-

-	// Mount flags.

-	Flags int `json:"flags"`

-

-	// Propagation Flags

-	PropagationFlags []int `json:"propagation_flags"`

-

-	// Mount data applied to the mount.

-	Data string `json:"data"`

-

-	// Relabel source if set, "z" indicates shared, "Z" indicates unshared.

-	Relabel string `json:"relabel"`

-

-	// RecAttr represents mount properties to be applied recursively (AT_RECURSIVE), see mount_setattr(2).

-	RecAttr *unix.MountAttr `json:"rec_attr"`

-

-	// Extensions are additional flags that are specific to runc.

-	Extensions int `json:"extensions"`

-

-	// Optional Command to be run before Source is mounted.

-	PremountCmds []Command `json:"premount_cmds"`

-

-	// Optional Command to be run after Source is mounted.

-	PostmountCmds []Command `json:"postmount_cmds"`

-}

-

-func (m *Mount) IsBind() bool {

-	return m.Flags&unix.MS_BIND != 0

-}

new file mode 100644

@@ -0,0 +1,66 @@

+package configs

+

+import "golang.org/x/sys/unix"

+

+type MountIDMapping struct {

+	// Recursive indicates if the mapping needs to be recursive.

+	Recursive bool `json:"recursive"`

+

+	// UserNSPath is a path to a user namespace that indicates the necessary

+	// id-mappings for MOUNT_ATTR_IDMAP. If set to non-"", UIDMappings and

+	// GIDMappings must be set to nil.

+	UserNSPath string `json:"userns_path,omitempty"`

+

+	// UIDMappings is the uid mapping set for this mount, to be used with

+	// MOUNT_ATTR_IDMAP.

+	UIDMappings []IDMap `json:"uid_mappings,omitempty"`

+

+	// GIDMappings is the gid mapping set for this mount, to be used with

+	// MOUNT_ATTR_IDMAP.

+	GIDMappings []IDMap `json:"gid_mappings,omitempty"`

+}

+

+type Mount struct {

+	// Source path for the mount.

+	Source string `json:"source"`

+

+	// Destination path for the mount inside the container.

+	Destination string `json:"destination"`

+

+	// Device the mount is for.

+	Device string `json:"device"`

+

+	// Mount flags.

+	Flags int `json:"flags"`

+

+	// Mount flags that were explicitly cleared in the configuration (meaning