runtime: Add option "disable_seccomp" to config hypervisor.clh

This patch adds an option "disable_seccomp" to the config
hypervisor.clh, from which users can disable the `seccomp`
feature from Cloud Hypervisor when needed (for debugging purposes).

Fixes: #2782

Signed-off-by: Bo Chen <chen.bo@intel.com>

src/runtime/virtcontainers/clh.go

@@ -947,6 +947,11 @@ func (clh *cloudHypervisor) launchClh() (int, error) {
 		args = append(args, "-v")
 	}
 
+	// Enable the `seccomp` feature from Cloud Hypervisor by default
+	// Disable it only when requested by users for debugging purposes
+	if clh.config.DisableSeccomp {
+		args = append(args, "--seccomp", "false")
+	}
 
 	clh.Logger().WithField("path", clhPath).Info()
 	clh.Logger().WithField("args", strings.Join(args, " ")).Info()

src/runtime/virtcontainers/hypervisor.go

@@ -473,6 +473,9 @@ type HypervisorConfig struct {
 
 	// Rootless is used to enable rootless VMM process
 	Rootless bool
+
+	// Disable seccomp from the hypervisor process
+	DisableSeccomp bool
 }
 
 // vcpu mapping from vcpu number to thread number