Define readonly/mask paths in spec

This vendors in new spec/runc that supports
setting readonly and masked paths in the 
configuration. Using this allows us to make an
exception for `—-privileged`.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Upstream-commit: 3f81b4935292d5daedea9de4e2db0895986115da
Component: engine

components/engine/oci/defaults_linux.go

@@ -79,6 +79,20 @@ func DefaultSpec() specs.Spec {
 	}
 
 	s.Linux = specs.Linux{
+		MaskedPaths: []string{
+			"/proc/kcore",
+			"/proc/latency_stats",
+			"/proc/timer_stats",
+			"/proc/sched_debug",
+		},
+		ReadonlyPaths: []string{
+			"/proc/asound",
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger",
+		},
 		Namespaces: []specs.Namespace{
 			{Type: "mount"},
 			{Type: "network"},