chore(deps): bump github.com/opencontainers/runc from 1.1.12 to 1.4.1 #1245

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/opencontainers/runc-1.4.1

dependabot bot commented on behalf of github Apr 2, 2026

Bumps github.com/opencontainers/runc from 1.1.12 to 1.4.1.

Release notes

Sourced from github.com/opencontainers/runc's releases.

runc v1.4.0 -- "路漫漫其修远兮,吾将上下而求索!"

This is the first release of the 1.4.z release branch of runc. It contains a few fixes for issues found in 1.4.0-rc.3. This version of runc supports runtime-spec v1.3 (see docs/spec-conformance.md for the few features that are still missing).

This is the second release of runc following our new release and support policy (see RELEASES.md for more details). This means that, as of this release:

  • The runc 1.2.z release branch will now only receive high severity CVE fixes, and will no longer be supported in less than 6 months (end of April 2026).
  • The runc 1.3.z release branch will now only receive security and "significant" bugfixes.
  • Users are encouraged to plan migrating to runc 1.4.0 as soon as possible.
  • Despite this release being delayed by a month, users should still expect a runc 1.5.0 release in late April 2026.

Deprecated

  • Deprecate cgroup v1. (#4956)
  • Deprecate CleanPath, StripRoot, WithProcfd, and WithProcfdFile from libcontainer/utils. (#4985)

Breaking

  • The handling of pids.limit has been updated to match the newer guidance from the OCI runtime specification. In particular, now a maximum limit value of 0 will be treated as an actual limit (due to limitations with systemd, it will be treated the same as a limit value of 1). We only expect users that explicitly set pids.limit to 0 will see a behaviour change. (opencontainers/cgroups#48, #4949)

Fixed

  • opencontainers/cgroups#43
  • cgroups: retry DBus connection when it fails with EAGAIN. opencontainers/cgroups#45
  • cgroups: improve cpuacct.usage_all resilience when parsing data from opencontainers/cgroups#46 opencontainers/cgroups#50)
  • libct: close child fds on prepareCgroupFD error. (#4936)
  • libct: fix mips compilation. (#4962, #4967)
  • When configuring a tmpfs mount, only set the mode= argument if the target path already existed. This fixes a regression introduced in our CVE-2025-52881 mitigation patches. (#4971, #4976)
  • Fix various file descriptor leaks and add additional tests to detect them as comprehensively as possible. (#5007, #5021, #5034)
  • The "hallucination" helpers added as part of the CVE-2025-52881 mitigation have been made more generic and now apply to all of our pathrs helper functions, which should ensure we will not regress dangling symlink

... (truncated)

Changelog

Sourced from github.com/opencontainers/runc's changelog.

[1.4.1] - 2026-03-12

La guerre n'est pas une aventure. La guerre est une maladie. Comme le typhus.

Deprecated

  • libcontainer/configs.MPOL_* constants added in runc 1.4.0. (#5110, #5055)

Added

Fixed

  • libct: fix panic in initSystemdProps when processing certain systemd properties in the OCI spec. (#5161, #5133)
  • libct: fix several file descriptor leaks on error paths. (#5168, #5009)
  • Remove unnecessary crypto/tls dependency by open-coding the systemd socket activation logic, allowing us to more easily avoid false positive CVE warnings. (#5093, #5057)
  • Remove legacy os.Is* error usage, improving error type detection to make our error fallback paths more robust. (#5162, #5061)
  • Go 1.26 has started enforcing a restriction of os/exec.Cmd which caused issues with our usage of CLONE_INTO_CGROUP (on newer kernels). This has now been resolved. (#5116, #5091)
  • Recursive atime-related mount flags (rrelatime et al.) are now applied properly. (#5114, #5098)
  • Fix a regression in runc exec due to CLONE_INTO_CGROUP in the (inadvisable) scenario where a container is configured without cgroup namespaces and with /sys/fs/cgroup mounted rw. (#5117, #5101)
  • On machines with more than 1024 CPU cores, our logic for resetting the CPU affinity will now correctly reset the affinity onto all available cores (not just the first 1024). (#5149, #5025)
  • PR #4757 caused a regression that resulted in spurious cannot start a container that has stopped errors when running runc create and has thus been reverted. (#5157, #5153, #5151, #4645, #4757)

Changed

  • Previously we made an attempt to make our runc.armhf release binaries work with ARMv6 (which would allow runc to work on the original Raspberry Pi). Unfortunately, this has effectively always been broken (because we cross-compile libseccomp within a Debian container and statically link to it) and so we are now officially matching the Debian definition of armhf (that is, ARMv7). (#5167, #5103)
  • Minor signing keyring updates. (#5147, #5139, #5144, #5148)

[1.4.0] - 2025-11-27

路漫漫其修远兮,吾将上下而求索!

... (truncated)

Commits
  • c671325 VERSION: release v1.4.1
  • 1a6e2e6 Merge pull request #5167 from cyphar/1.4-libpathrs-cherry-pick
  • 485f8f6 Merge pull request #5168 from cyphar/1.4-5009-close-fd-on-error
  • 5dac737 [1.4] notify_socket: close fds on error
  • d934c6d [1.4] libct: mountFd: close mountFile on error
  • 0af85cb [1.4] libct: newProcessComm: close fds on error
  • ffc6092 [1.4] libct: startInitialization: add defer close
  • 4fb2e1c [1.4] deps: update to cyphar.com/go-pathrs@v0.2.4
  • 97f79db [1.4] README: document libpathrs build tag
  • 5424ac4 [1.4] script: seccomp.sh -> build-seccomp.sh
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/opencontainers/runc](https://github.com/opencontainers/runc) from 1.1.12 to 1.4.1.
- [Release notes](https://github.com/opencontainers/runc/releases)
- [Changelog](https://github.com/opencontainers/runc/blob/main/CHANGELOG.md)
- [Commits](opencontainers/runc@v1.1.12...v1.4.1)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/runc
  dependency-version: 1.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot commented on behalf of github Apr 2, 2026

Labels

The following labels could not be found: area/cli, area/engine, kind/dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.
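
For reviewers of this bump: the release notes quoted above deprecate CleanPath, StripRoot, WithProcfd and WithProcfdFile in libcontainer/utils and the MPOL_* constants in libcontainer/configs. The Go program below is an added example, not code from this repository or from runc; it scans a source file for references to those names, and the sample input, the MPOL_DEFAULT name and the FindDeprecated helper are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// sample is a constructed consumer file; MPOL_DEFAULT is an assumed MPOL_* name.
const sample = `package demo
import rutils "github.com/opencontainers/runc/libcontainer/utils"
import "github.com/opencontainers/runc/libcontainer/configs"
var p = rutils.CleanPath("/a/../b")
var m = configs.MPOL_DEFAULT
var c configs.Config`
// deprecated reports whether pkg.name is named as deprecated in the release notes.
func deprecated(pkg, name string) bool {
	sub, ok := strings.CutPrefix(pkg, "github.com/opencontainers/runc/libcontainer/")
	return ok && ((sub == "configs" && strings.HasPrefix(name, "MPOL_")) ||
		(sub == "utils" && strings.Contains(" CleanPath StripRoot WithProcfd WithProcfdFile ", " "+name+" ")))
}

// FindDeprecated returns "line: pkg.Name" per hit; matching is syntactic (aliases resolved).
func FindDeprecated(src string) (hits []string, err error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]string{} // local import name -> import path
	for _, imp := range f.Imports {
		name, p := imp.Name, strings.Trim(imp.Path.Value, `"`)
		if name == nil { // no alias: assume package name == last path element
			name = ast.NewIdent(p[strings.LastIndex(p, "/")+1:])
		}
		local[name.Name] = p
	}
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && deprecated(local[id.Name], sel.Sel.Name) {
				hits = append(hits, fmt.Sprintf("%d: %s.%s", fset.Position(sel.Pos()).Line, id.Name, sel.Sel.Name))
			}
		}
		return true
	})
	return hits, nil
}
func main() { fmt.Println(FindDeprecated(sample)) }
```

A local variable that shadows the import name would be reported as a false positive, so treat hits as pointers for manual review rather than a build gate.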
