integration: verify syscall compatibility after seccomp enforcement

[lifubang]

(This PR requires #5026.)

test #5007
Although we need more information in #5007, we can already confirm that there may be a bug in syscall compatibility after seccomp enforcement.

[lifubang]

As expected, the following error was observed:

not ok 267 runc run [seccomp] (verify syscall compatibility after seccomp enforcement)
# (in test file tests/integration/seccomp.bats, line 199)
#   `[ "$status" -eq 0 ]' failed
# runc spec (status=0)
#
# runc run test_busybox (status=1)
# time="2025-11-14T03:57:40Z" level=error msg="runc run failed: unable to start container process: error during container init: error closing exec fds: get handle to /proc/thread-self/fd: unsafe procfs detected: openat2 fsmount:fscontext:proc/thread-self/fd/: function not implemented"
# --- teardown ---

[lifubang]

However, I don’t believe the high-level runtime would set this seccomp configuration: "errnoRet": 38.

[cyphar]

Well, we actually would prefer higher-level runtimes to set defaultErrno to be 38 (podman does this). See moby/moby#42871 and the surrounding issues.

[cyphar]

This requires the filepath-securejoin update from #5026 as well.

[lifubang]

This requires the filepath-securejoin update from #5026 as well.

I think we can include this PR in #5026. WDYT?

[cyphar]

Yeah that's probably easiest solution. Thanks @lifubang.

[lifubang]

Close via #5026