Merge pull request #2783 from likebreath/1001/clh_enable_seccomp

virtcontainers: clh: Enable the `seccomp` feature

src/runtime/virtcontainers/clh.go

@@ -960,11 +960,11 @@ func (clh *cloudHypervisor) launchClh() (int, error) {
 		args = append(args, "-v")
 	}
 
-	// Disable the 'seccomp' option in clh for now.
-	// In this way, we can separate the periodic failures caused
-	// by incomplete `seccomp` filters from other failures.
-	// We will bring it back after completing the `seccomp` filter.
-	args = append(args, "--seccomp", "false")
+	// Enable the `seccomp` feature from Cloud Hypervisor by default
+	// Disable it only when requested by users for debugging purposes
+	if clh.config.DisableSeccomp {
+		args = append(args, "--seccomp", "false")
+	}
 
 	clh.Logger().WithField("path", clhPath).Info()
 	clh.Logger().WithField("args", strings.Join(args, " ")).Info()

src/runtime/virtcontainers/hypervisor.go

@@ -508,6 +508,9 @@ type HypervisorConfig struct {
 
 	// Rootless is used to enable rootless VMM process
 	Rootless bool
+
+	// Disable seccomp from the hypervisor process
+	DisableSeccomp bool
 }
 
 // vcpu mapping from vcpu number to thread number