opencontainers · kolyshkin · Mar 12, 2026 · Feb 2, 2026 · Feb 13, 2026 · Feb 2, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased 1.4.z]
 
+### Changed ###
+- Previously we made an attempt to make our `runc.armhf` release binaries work
+  with ARMv6 (which would allow runc to work on the original Raspberry Pi).
+  Unfortunately, this has effectively always been broken (because we
+  cross-compile `libseccomp` within a Debian container and statically link to
+  it) and so we are now officially matching [the Debian definition of `armhf`][debian-armhf]
+  (that is, ARMv7). (#5103)
-  (that is, ARMv7). (#5103)
+  (that is, ARMv7). (#5167, #5103)
-  (that is, ARMv7). (#5103)
+  (that is, ARMv7). (#5167, #5103)
+
+[debian-armhf]: https://wiki.debian.org/ArmHardFloatPort
+
 ## [1.4.0] - 2025-11-27
 
 > 路漫漫其修远兮，吾将上下而求索！

diff --git a/Dockerfile b/Dockerfile
@@ -2,9 +2,9 @@ ARG GO_VERSION=1.25
 ARG BATS_VERSION=v1.12.0
 ARG LIBSECCOMP_VERSION=2.6.0
 
-FROM golang:${GO_VERSION}-bookworm
+FROM golang:${GO_VERSION}-trixie
 ARG DEBIAN_FRONTEND=noninteractive
-ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_12
+ARG CRIU_REPO=https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_13
 
 RUN KEYFILE=/usr/share/keyrings/criu-repo-keyring.gpg; \
     wget -nv $CRIU_REPO/Release.key -O- | gpg --dearmor > "$KEYFILE" \
@@ -54,14 +54,18 @@ RUN cd /tmp \
     && ./install.sh /usr/local \
     && rm -rf /tmp/bats-core
 
+ARG RELEASE_ARCHES="386 amd64 arm64 armel armhf ppc64le riscv64 s390x"
+ENV DYLIB_DIR=/opt/runc-dylibs
+
 # install libseccomp
 ARG LIBSECCOMP_VERSION
-COPY script/seccomp.sh script/lib.sh /tmp/script/
-RUN mkdir -p /opt/libseccomp \
-    && /tmp/script/seccomp.sh "$LIBSECCOMP_VERSION" /opt/libseccomp 386 amd64 arm64 armel armhf ppc64le riscv64 s390x
+COPY script/build-seccomp.sh script/lib.sh /tmp/script/
+RUN mkdir -p $DYLIB_DIR \
+    && /tmp/script/build-seccomp.sh "$LIBSECCOMP_VERSION" $DYLIB_DIR $RELEASE_ARCHES
 ENV LIBSECCOMP_VERSION=$LIBSECCOMP_VERSION
-ENV LD_LIBRARY_PATH=/opt/libseccomp/lib
-ENV PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig
+
+ENV LD_LIBRARY_PATH=$DYLIB_DIR/lib
+ENV PKG_CONFIG_PATH=$DYLIB_DIR/lib/pkgconfig
 
 # Prevent the "fatal: detected dubious ownership in repository" git complain during build.
 RUN git config --global --add safe.directory /go/src/github.com/opencontainers/runc

diff --git a/README.md b/README.md
@@ -112,6 +112,7 @@ make EXTRA_BUILDTAGS="runc_nocriu"
 | Build Tag     | Feature                               | Enabled by Default | Dependencies        |
 |---------------|---------------------------------------|--------------------|---------------------|
 | `seccomp`     | Syscall filtering using `libseccomp`. | yes                | `libseccomp`        |
+| `libpathrs`   | Use [`libpathrs`][] for path safety.  | no                 | [`libpathrs`][]     |
 | `runc_nocriu` | **Disables** runc checkpoint/restore. | no                 | `criu`              |
 
 The following build tags were used earlier, but are now obsoleted:
@@ -120,6 +121,8 @@ The following build tags were used earlier, but are now obsoleted:
  - **apparmor** (since runc v1.0.0-rc93 the feature is always enabled)
  - **selinux**  (since runc v1.0.0-rc93 the feature is always enabled)
 
+[`libpathrs`]: https://github.com/cyphar/libpathrs
+
 ### Running the test suite
 
 `runc` currently supports running its test suite via Docker.

diff --git a/go.mod b/go.mod
@@ -28,7 +28,7 @@ require (
 )
 
 require (
-	cyphar.com/go-pathrs v0.2.1 // indirect
+	cyphar.com/go-pathrs v0.2.4 // indirect
 	github.com/cilium/ebpf v0.17.3 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect

diff --git a/go.sum b/go.sum
@@ -1,5 +1,5 @@
-cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8=
-cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
+cyphar.com/go-pathrs v0.2.4 h1:iD/mge36swa1UFKdINkr1Frkpp6wZsy3YYEildj9cLY=
+cyphar.com/go-pathrs v0.2.4/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/checkpoint-restore/go-criu/v7 v7.2.0 h1:qGiWA4App1gGlEfIJ68WR9jbezV9J7yZdjzglezcqKo=
 github.com/checkpoint-restore/go-criu/v7 v7.2.0/go.mod h1:u0LCWLg0w4yqqu14aXhiB4YD3a1qd8EcCEg7vda5dwo=

diff --git a/script/seccomp.sh → script/build-seccomp.sh b/script/seccomp.sh → script/build-seccomp.sh
@@ -65,7 +65,7 @@ function build_libseccomp() {
 }
 
 if [ $# -lt 2 ]; then
-	echo "Usage: seccomp.sh <version> <dest-dir> [<extra-arch> ...]" >&2
+	echo "Usage: $0 <version> <dest-dir> [<extra-arch> ...]" >&2
 	exit 1
 fi
 

diff --git a/script/lib.sh b/script/lib.sh
@@ -48,16 +48,7 @@ function set_cross_vars() {
 	armhf)
 		HOST=arm-${PLATFORM}eabihf
 		GOARCH=arm
-		# "armhf" means ARMv7 for Debian, ARMv6 for Raspbian.
-		# ARMv6 is chosen here for compatibility.
-		#
-		# https://wiki.debian.org/RaspberryPi
-		#
-		# > Raspberry Pi OS builds a single image for all of the Raspberry families,
-		# > so you will get an armhf 32-bit, hard floating-point system, but built
-		# > for the ARMv6 ISA (with VFP2), unlike Debian's ARMv7 ISA (with VFP3)
-		# > port.
-		GOARM=6
+		GOARM=7
 		;;
 	ppc64le)
 		HOST=powerpc64le-${PLATFORM}

diff --git a/script/release_build.sh b/script/release_build.sh
@@ -40,14 +40,14 @@ function build_project() {
 	shift
 	local arches=("$@")
 
-	# Assume that if /opt/libseccomp exists, then we are run
-	# via Dockerfile, and seccomp is already built.
-	local seccompdir=/opt/libseccomp temp_dir
-	if [ ! -d "$seccompdir" ]; then
-		temp_dir="$(mktemp -d)"
-		seccompdir="$temp_dir"
+	# Assume that if /opt/runc-dylibs exists, then we are running via
+	# Dockerfile, and thus seccomp is already built. Otherwise, build it now.
+	local dylibdir=/opt/runc-dylibs
+	if ! [ -d "$dylibdir" ]; then
+		trap 'rm -rf "$dylibdir"' EXIT
+		dylibdir="$(mktemp -d)"
 		# Download and build libseccomp.
-		"$root/script/seccomp.sh" "$LIBSECCOMP_VERSION" "$seccompdir" "${arches[@]}"
+		"$root/script/build-seccomp.sh" "$LIBSECCOMP_VERSION" "$dylibdir" "${arches[@]}"
 	fi
 
 	# For reproducible builds, add these to EXTRA_LDFLAGS:
@@ -70,7 +70,7 @@ function build_project() {
 		CFLAGS="$original_cflags"
 		set_cross_vars "$arch"
 		make -C "$root" \
-			PKG_CONFIG_PATH="$seccompdir/$arch/lib/pkgconfig" \
+			PKG_CONFIG_PATH="$dylibdir/$arch/lib/pkgconfig" \
 			"${make_args[@]}"
 		"$STRIP" "$root/$project"
 		mv "$root/$project" "$builddir/$project.$arch"
@@ -85,12 +85,7 @@ function build_project() {
 	fi
 
 	# Copy libseccomp source tarball.
-	cp "$seccompdir"/src/* "$builddir"
-
-	# Clean up.
-	if [ -n "$tempdir" ]; then
-		rm -rf "$tempdir"
-	fi
+	cp "$dylibdir"/src/* "$builddir"
 }
 
 # End of the easy-to-configure portion.

diff --git a/vendor/cyphar.com/go-pathrs/.golangci.yml b/vendor/cyphar.com/go-pathrs/.golangci.yml
diff --git a/vendor/cyphar.com/go-pathrs/doc.go b/vendor/cyphar.com/go-pathrs/doc.go
diff --git a/vendor/cyphar.com/go-pathrs/handle_linux.go b/vendor/cyphar.com/go-pathrs/handle_linux.go
diff --git a/vendor/cyphar.com/go-pathrs/internal/fdutils/fd_linux.go b/vendor/cyphar.com/go-pathrs/internal/fdutils/fd_linux.go
diff --git a/vendor/cyphar.com/go-pathrs/internal/libpathrs/error_unix.go b/vendor/cyphar.com/go-pathrs/internal/libpathrs/error_unix.go
diff --git a/vendor/cyphar.com/go-pathrs/internal/libpathrs/libpathrs_linux.go b/vendor/cyphar.com/go-pathrs/internal/libpathrs/libpathrs_linux.go
diff --git a/vendor/cyphar.com/go-pathrs/procfs/procfs_linux.go b/vendor/cyphar.com/go-pathrs/procfs/procfs_linux.go
-Original file line number
+Diff line change
@@ Expand Up / @@ -65,7 +65,7 @@ function build_libseccomp() { @@
     }
     if [ $# -lt 2 ]; then
-    	echo "Usage: seccomp.sh <version> <dest-dir> [<extra-arch> ...]" >&2
+    	echo "Usage: $0 <version> <dest-dir> [<extra-arch> ...]" >&2
     	exit 1
     fi
@@ Expand Down @@