upgrade all dependencies

The dependabot does not update dependencies when they do not use a tag.
This patch upgrades all untagged depenencies if possible.

You can upgrade all dependencies with `go get -u ./... && make vendor`
in theory however this failed since the k8s changes do not compile on
go v1.16 so I only updated the other dependencies.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

5 files changed, 31 insertions, 492 deletions

diff --git a/vendor/github.com/seccomp/libseccomp-golang/.travis.yml b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
index 5240d4622..feef144d1 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
+++ b/vendor/github.com/seccomp/libseccomp-golang/.travis.yml
@@ -19,39 +19,19 @@ os:
 
 language: go
 
-jobs:
-  include:
-    - name: "last libseccomp 2.5.0"
-      env:
-      - SECCOMP_VER=2.5.0
-      - SECCOMP_SHA256SUM=1ffa7038d2720ad191919816db3479295a4bcca1ec14e02f672539f4983014f3
-    - name: "compat libseccomp 2.4.4"
-      env:
-      - SECCOMP_VER=2.4.4
-      - SECCOMP_SHA256SUM=4e79738d1ef3c9b7ca9769f1f8b8d84fc17143c2c1c432e53b9c64787e0ff3eb
-    - name: "compat libseccomp 2.2.1"
-      env:
-      - SECCOMP_VER=2.2.1
-      - SECCOMP_SHA256SUM=0ba1789f54786c644af54cdffc9fd0dd0a8bb2b2ee153933f658855d2851a740
-
 addons:
   apt:
     packages:
       - build-essential
-      - astyle
-      - golint
-      - gperf
+      # TODO: use the main libseccomp git repo instead of a distro package
+      - libseccomp2
+      - libseccomp-dev
 
 install:
   - go get -u golang.org/x/lint/golint
 
 # run all of the tests independently, fail if any of the tests error
 script:
-  - wget https://github.com/seccomp/libseccomp/releases/download/v$SECCOMP_VER/libseccomp-$SECCOMP_VER.tar.gz
-  - echo $SECCOMP_SHA256SUM libseccomp-$SECCOMP_VER.tar.gz | sha256sum -c
-  - tar xf libseccomp-$SECCOMP_VER.tar.gz
-  - pushd libseccomp-$SECCOMP_VER && ./configure --prefix=/opt/libseccomp-$SECCOMP_VER && make && sudo make install && popd
   - make check-syntax
   - make lint
-  - PKG_CONFIG_PATH=/opt/libseccomp-$SECCOMP_VER/lib/pkgconfig LD_LIBRARY_PATH=/opt/libseccomp-$SECCOMP_VER/lib make vet
-  - PKG_CONFIG_PATH=/opt/libseccomp-$SECCOMP_VER/lib/pkgconfig LD_LIBRARY_PATH=/opt/libseccomp-$SECCOMP_VER/lib make test
+  - make check
diff --git a/vendor/github.com/seccomp/libseccomp-golang/Makefile b/vendor/github.com/seccomp/libseccomp-golang/Makefile
index 38cfa852c..1ff4cc898 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/Makefile
+++ b/vendor/github.com/seccomp/libseccomp-golang/Makefile
@@ -18,14 +18,8 @@ fix-syntax:
 vet:
 	go vet -v
 
-# Previous bugs have made the tests freeze until the timeout. Golang default
-# timeout for tests is 10 minutes, which is too long, considering current tests
-# can be executed in less than 1 second. Reduce the timeout, so problems can
-# be noticed earlier in the CI.
-TEST_TIMEOUT=10s
-
 test:
-	go test -v -timeout $(TEST_TIMEOUT)
+	go test -v
 
 lint:
 	@$(if $(shell which golint),true,$(error "install golint and include it in your PATH"))
diff --git a/vendor/github.com/seccomp/libseccomp-golang/README.md b/vendor/github.com/seccomp/libseccomp-golang/README.md
index 806a5ddf2..27423f2d9 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/README.md
+++ b/vendor/github.com/seccomp/libseccomp-golang/README.md
@@ -2,7 +2,7 @@
 ===============================================================================
 https://github.com/seccomp/libseccomp-golang
 
-[![Build Status](https://img.shields.io/travis/seccomp/libseccomp-golang/main.svg)](https://travis-ci.org/seccomp/libseccomp-golang)
+[![Build Status](https://img.shields.io/travis/seccomp/libseccomp-golang/master.svg)](https://travis-ci.org/seccomp/libseccomp-golang)
 
 The libseccomp library provides an easy to use, platform independent, interface
 to the Linux Kernel's syscall filtering mechanism.  The libseccomp API is
diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
index e9b92e221..e489b9ebd 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
@@ -20,13 +20,6 @@ import (
 
 // C wrapping code
 
-// To compile libseccomp-golang against a specific version of libseccomp:
-// cd ../libseccomp && mkdir -p prefix
-// ./configure --prefix=$PWD/prefix && make && make install
-// cd ../libseccomp-golang
-// PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make
-// LD_PRELOAD=$PWD/../libseccomp/prefix/lib/libseccomp.so.2.5.0 PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make test
-
 // #cgo pkg-config: libseccomp
 // #include <stdlib.h>
 // #include <seccomp.h>
@@ -41,25 +34,19 @@ type VersionError struct {
 	minimum string
 }
 
-func init() {
-	// This forces the cgo libseccomp to initialize its internal API support state,
-	// which is necessary on older versions of libseccomp in order to work
-	// correctly.
-	GetAPI()
-}
-
 func (e VersionError) Error() string {
-	messageStr := ""
+	format := "Libseccomp version too low: "
 	if e.message != "" {
-		messageStr = e.message + ": "
+		format += e.message + ": "
 	}
-	minimumStr := ""
+	format += "minimum supported is "
 	if e.minimum != "" {
-		minimumStr = e.minimum
+		format += e.minimum + ": "
 	} else {
-		minimumStr = "2.2.0"
+		format += "2.2.0: "
 	}
-	return fmt.Sprintf("Libseccomp version too low: %sminimum supported is %s: detected %d.%d.%d", messageStr, minimumStr, verMajor, verMinor, verMicro)
+	format += "detected %d.%d.%d"
+	return fmt.Sprintf(format, verMajor, verMinor, verMicro)
 }
 
 // ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a
@@ -82,61 +69,9 @@ type ScmpCondition struct {
 	Operand2 uint64        `json:"operand_two,omitempty"`
 }
 
-// Seccomp userspace notification structures associated with filters that use the ActNotify action.
-
-// ScmpSyscall identifies a Linux System Call by its number.
+// ScmpSyscall represents a Linux System Call
 type ScmpSyscall int32
 
-// ScmpFd represents a file-descriptor used for seccomp userspace notifications.
-type ScmpFd int32
-
-// ScmpNotifData describes the system call context that triggered a notification.
-//
-// Syscall:      the syscall number
-// Arch:         the filter architecture
-// InstrPointer: address of the instruction that triggered a notification
-// Args:         arguments (up to 6) for the syscall
-//
-type ScmpNotifData struct {
-	Syscall      ScmpSyscall `json:"syscall,omitempty"`
-	Arch         ScmpArch    `json:"arch,omitempty"`
-	InstrPointer uint64      `json:"instr_pointer,omitempty"`
-	Args         []uint64    `json:"args,omitempty"`
-}
-
-// ScmpNotifReq represents a seccomp userspace notification. See NotifReceive() for
-// info on how to pull such a notification.
-//
-// ID:    notification ID
-// Pid:   process that triggered the notification event
-// Flags: filter flags (see seccomp(2))
-// Data:  system call context that triggered the notification
-//
-type ScmpNotifReq struct {
-	ID    uint64        `json:"id,omitempty"`
-	Pid   uint32        `json:"pid,omitempty"`
-	Flags uint32        `json:"flags,omitempty"`
-	Data  ScmpNotifData `json:"data,omitempty"`
-}
-
-// ScmpNotifResp represents a seccomp userspace notification response. See NotifRespond()
-// for info on how to push such a response.
-//
-// ID:    notification ID (must match the corresponding ScmpNotifReq ID)
-// Error: must be 0 if no error occurred, or an error constant from package
-//        syscall (e.g., syscall.EPERM, etc). In the latter case, it's used
-//        as an error return from the syscall that created the notification.
-// Val:   return value for the syscall that created the notification. Only
-//        relevant if Error is 0.
-// Flags: userspace notification response flag (e.g., NotifRespFlagContinue)
-//
-type ScmpNotifResp struct {
-	ID    uint64 `json:"id,omitempty"`
-	Error int32  `json:"error,omitempty"`
-	Val   uint64 `json:"val,omitempty"`
-	Flags uint32 `json:"flags,omitempty"`
-}
-
 // Exported Constants
 
 const (
@@ -182,10 +117,6 @@ const (
 	ArchS390 ScmpArch = iota
 	// ArchS390X represents 64-bit System z/390 syscalls
 	ArchS390X ScmpArch = iota
-	// ArchPARISC represents 32-bit PA-RISC
-	ArchPARISC ScmpArch = iota
-	// ArchPARISC64 represents 64-bit PA-RISC
-	ArchPARISC64 ScmpArch = iota
 )
 
 const (
@@ -199,9 +130,6 @@ const (
 	ActKill ScmpAction = iota
 	// ActTrap throws SIGSYS
 	ActTrap ScmpAction = iota
-	// ActNotify triggers a userspace notification. This action is only usable when
-	// libseccomp API level 6 or higher is supported.
-	ActNotify ScmpAction = iota
 	// ActErrno causes the syscall to return a negative error code. This
 	// code can be set with the SetReturnCode method
 	ActErrno ScmpAction = iota
@@ -253,21 +181,6 @@ const (
 	CompareMaskedEqual ScmpCompareOp = iota
 )
 
-var (
-	// ErrSyscallDoesNotExist represents an error condition where
-	// libseccomp is unable to resolve the syscall
-	ErrSyscallDoesNotExist = fmt.Errorf("could not resolve syscall name")
-)
-
-const (
-	// Userspace notification response flags
-
-	// NotifRespFlagContinue tells the kernel to continue executing the system
-	// call that triggered the notification. Must only be used when the notication
-	// response's error is 0.
-	NotifRespFlagContinue uint32 = 1
-)
-
 // Helpers for types
 
 // GetArchFromString returns an ScmpArch constant from a string representing an
@@ -310,10 +223,6 @@ func GetArchFromString(arch string) (ScmpArch, error) {
 		return ArchS390, nil
 	case "s390x":
 		return ArchS390X, nil
-	case "parisc":
-		return ArchPARISC, nil
-	case "parisc64":
-		return ArchPARISC64, nil
 	default:
 		return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %q", arch)
 	}
@@ -354,10 +263,6 @@ func (a ScmpArch) String() string {
 		return "s390"
 	case ArchS390X:
 		return "s390x"
-	case ArchPARISC:
-		return "parisc"
-	case ArchPARISC64:
-		return "parisc64"
 	case ArchNative:
 		return "native"
 	case ArchInvalid:
@@ -405,8 +310,6 @@ func (a ScmpAction) String() string {
 	case ActTrace:
 		return fmt.Sprintf("Action: Notify tracing processes with code %d",
 			(a >> 16))
-	case ActNotify:
-		return "Action: Notify userspace"
 	case ActLog:
 		return "Action: Log system call"
 	case ActAllow:
@@ -446,7 +349,7 @@ func GetLibraryVersion() (major, minor, micro uint) {
 // Returns a positive int containing the API level, or 0 with an error if the
 // API level could not be detected due to the library being older than v2.4.0.
 // See the seccomp_api_get(3) man page for details on available API levels:
-// https://github.com/seccomp/libseccomp/blob/main/doc/man/man3/seccomp_api_get.3
+// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
 func GetAPI() (uint, error) {
 	return getAPI()
 }
@@ -456,7 +359,7 @@ func GetAPI() (uint, error) {
 // Returns an error if the API level could not be set. An error is always
 // returned if the library is older than v2.4.0
 // See the seccomp_api_get(3) man page for details on available API levels:
-// https://github.com/seccomp/libseccomp/blob/main/doc/man/man3/seccomp_api_get.3
+// https://github.com/seccomp/libseccomp/blob/master/doc/man/man3/seccomp_api_get.3
 func SetAPI(api uint) error {
 	return setAPI(api)
 }
@@ -483,7 +386,7 @@ func (s ScmpSyscall) GetNameByArch(arch ScmpArch) (string, error) {
 
 	cString := C.seccomp_syscall_resolve_num_arch(arch.toNative(), C.int(s))
 	if cString == nil {
-		return "", ErrSyscallDoesNotExist
+		return "", fmt.Errorf("could not resolve syscall name for %#x", int32(s))
 	}
 	defer C.free(unsafe.Pointer(cString))
 
@@ -506,7 +409,7 @@ func GetSyscallFromName(name string) (ScmpSyscall, error) {
 
 	result := C.seccomp_syscall_resolve_name(cString)
 	if result == scmpError {
-		return 0, ErrSyscallDoesNotExist
+		return 0, fmt.Errorf("could not resolve name to syscall: %q", name)
 	}
 
 	return ScmpSyscall(result), nil
@@ -530,7 +433,7 @@ func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {
 
 	result := C.seccomp_syscall_resolve_name_arch(arch.toNative(), cString)
 	if result == scmpError {
-		return 0, ErrSyscallDoesNotExist
+		return 0, fmt.Errorf("could not resolve name to syscall: %q on %v", name, arch)
 	}
 
 	return ScmpSyscall(result), nil
@@ -603,10 +506,11 @@ type ScmpFilter struct {
 	lock      sync.Mutex
 }
 
-// NewFilter creates and returns a new filter context.  Accepts a default action to be
-// taken for syscalls which match no rules in the filter.
-// Returns a reference to a valid filter context, or nil and an error
-// if the filter context could not be created or an invalid default action was given.
+// NewFilter creates and returns a new filter context.
+// Accepts a default action to be taken for syscalls which match no rules in
+// the filter.
+// Returns a reference to a valid filter context, or nil and an error if the
+// filter context could not be created or an invalid default action was given.
 func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
 	if err := ensureSupportedVersion(); err != nil {
 		return nil, err
@@ -626,8 +530,8 @@ func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
 	filter.valid = true
 	runtime.SetFinalizer(filter, filterFinalizer)
 
-	// Enable TSync so all goroutines will receive the same rules.
-	// If the kernel does not support TSYNC, allow us to continue without error.
+	// Enable TSync so all goroutines will receive the same rules
+	// If the kernel does not support TSYNC, allow us to continue without error
 	if err := filter.setFilterAttr(filterAttrTsync, 0x1); err != nil && err != syscall.ENOTSUP {
 		filter.Release()
 		return nil, fmt.Errorf("could not create filter - error setting tsync bit: %v", err)
@@ -874,9 +778,8 @@ func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) {
 func (f *ScmpFilter) GetLogBit() (bool, error) {
 	log, err := f.getFilterAttr(filterAttrLog)
 	if err != nil {
-		// Ignore error, if not supported returns apiLevel == 0
-		apiLevel, _ := GetAPI()
-		if apiLevel < 3 {
+		api, apiErr := getAPI()
+		if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) {
 			return false, fmt.Errorf("getting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
 		}
 
@@ -890,30 +793,6 @@ func (f *ScmpFilter) GetLogBit() (bool, error) {
 	return true, nil
 }
 
-// GetSSB returns the current state the SSB bit will be set to on the filter
-// being loaded, or an error if an issue was encountered retrieving the value.
-// The SSB bit tells the kernel that a seccomp user is not interested in enabling
-// Speculative Store Bypass mitigation.
-// The SSB bit is only usable when libseccomp API level 4 or higher is
-// supported.
-func (f *ScmpFilter) GetSSB() (bool, error) {
-	ssb, err := f.getFilterAttr(filterAttrSSB)
-	if err != nil {
-		api, apiErr := getAPI()
-		if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) {
-			return false, fmt.Errorf("getting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher")
-		}
-
-		return false, err
-	}
-
-	if ssb == 0 {
-		return false, nil
-	}
-
-	return true, nil
-}
-
 // SetBadArchAction sets the default action taken on a syscall for an
 // architecture not in the filter, or an error if an issue was encountered
 // setting the value.
@@ -953,32 +832,9 @@ func (f *ScmpFilter) SetLogBit(state bool) error {
 
 	err := f.setFilterAttr(filterAttrLog, toSet)
 	if err != nil {
-		// Ignore error, if not supported returns apiLevel == 0
-		apiLevel, _ := GetAPI()
-		if apiLevel < 3 {
-			return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
-		}
-	}
-
-	return err
-}
-
-// SetSSB sets the state of the SSB bit, which will be applied on filter
-// load, or an error if an issue was encountered setting the value.
-// The SSB bit is only usable when libseccomp API level 4 or higher is
-// supported.
-func (f *ScmpFilter) SetSSB(state bool) error {
-	var toSet C.uint32_t = 0x0
-
-	if state {
-		toSet = 0x1
-	}
-
-	err := f.setFilterAttr(filterAttrSSB, toSet)
-	if err != nil {
 		api, apiErr := getAPI()
-		if (apiErr != nil && api == 0) || (apiErr == nil && api < 4) {
-			return fmt.Errorf("setting the SSB flag is only supported in libseccomp 2.5.0 and newer with API level 4 or higher")
+		if (apiErr != nil && api == 0) || (apiErr == nil && api < 3) {
+			return fmt.Errorf("setting the log bit is only supported in libseccomp 2.4.0 and newer with API level 3 or higher")
 		}
 	}
 
@@ -1091,36 +947,3 @@ func (f *ScmpFilter) ExportBPF(file *os.File) error {
 
 	return nil
 }
-
-// Userspace Notification API
-
-// GetNotifFd returns the userspace notification file descriptor associated with the given
-// filter context. Such a file descriptor is only valid after the filter has been loaded
-// and only when the filter uses the ActNotify action. The file descriptor can be used to
-// retrieve and respond to notifications associated with the filter (see NotifReceive(),
-// NotifRespond(), and NotifIDValid()).
-func (f *ScmpFilter) GetNotifFd() (ScmpFd, error) {
-	return f.getNotifFd()
-}
-
-// NotifReceive retrieves a seccomp userspace notification from a filter whose ActNotify
-// action has triggered. The caller is expected to process the notification and return a
-// response via NotifRespond(). Each invocation of this function returns one
-// notification. As multiple notifications may be pending at any time, this function is
-// normally called within a polling loop.
-func NotifReceive(fd ScmpFd) (*ScmpNotifReq, error) {
-	return notifReceive(fd)
-}
-
-// NotifRespond responds to a notification retrieved via NotifReceive(). The response Id
-// must match that of the corresponding notification retrieved via NotifReceive().
-func NotifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error {
-	return notifRespond(fd, scmpResp)
-}
-
-// NotifIDValid checks if a notification is still valid. An return value of nil means the
-// notification is still valid. Otherwise the notification is not valid. This can be used
-// to mitigate time-of-check-time-of-use (TOCTOU) attacks as described in seccomp_notify_id_valid(2).
-func NotifIDValid(fd ScmpFd, id uint64) error {
-	return notifIDValid(fd, id)
-}
diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
index 8dc7b296f..0982e930f 100644
--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
@@ -14,13 +14,6 @@ import (
 // Get the seccomp header in scope
 // Need stdlib.h for free() on cstrings
 
-// To compile libseccomp-golang against a specific version of libseccomp:
-// cd ../libseccomp && mkdir -p prefix
-// ./configure --prefix=$PWD/prefix && make && make install
-// cd ../libseccomp-golang
-// PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make
-// LD_PRELOAD=$PWD/../libseccomp/prefix/lib/libseccomp.so.2.5.0 PKG_CONFIG_PATH=$PWD/../libseccomp/prefix/lib/pkgconfig/ make test
-
 // #cgo pkg-config: libseccomp
 /*
 #include <errno.h>
@@ -57,14 +50,6 @@ const uint32_t C_ARCH_BAD = ARCH_BAD;
 #define SCMP_ARCH_S390X ARCH_BAD
 #endif
 
-#ifndef SCMP_ARCH_PARISC
-#define SCMP_ARCH_PARISC ARCH_BAD
-#endif
-
-#ifndef SCMP_ARCH_PARISC64
-#define SCMP_ARCH_PARISC64 ARCH_BAD
-#endif
-
 const uint32_t C_ARCH_NATIVE       = SCMP_ARCH_NATIVE;
 const uint32_t C_ARCH_X86          = SCMP_ARCH_X86;
 const uint32_t C_ARCH_X86_64       = SCMP_ARCH_X86_64;
@@ -82,8 +67,6 @@ const uint32_t C_ARCH_PPC64        = SCMP_ARCH_PPC64;
 const uint32_t C_ARCH_PPC64LE      = SCMP_ARCH_PPC64LE;
 const uint32_t C_ARCH_S390         = SCMP_ARCH_S390;
 const uint32_t C_ARCH_S390X        = SCMP_ARCH_S390X;
-const uint32_t C_ARCH_PARISC       = SCMP_ARCH_PARISC;
-const uint32_t C_ARCH_PARISC64     = SCMP_ARCH_PARISC64;
 
 #ifndef SCMP_ACT_LOG
 #define SCMP_ACT_LOG 0x7ffc0000U
@@ -97,10 +80,6 @@ const uint32_t C_ARCH_PARISC64     = SCMP_ARCH_PARISC64;
 #define SCMP_ACT_KILL_THREAD	0x00000000U
 #endif
 
-#ifndef SCMP_ACT_NOTIFY
-#define SCMP_ACT_NOTIFY 0x7fc00000U
-#endif
-
 const uint32_t C_ACT_KILL          = SCMP_ACT_KILL;
 const uint32_t C_ACT_KILL_PROCESS  = SCMP_ACT_KILL_PROCESS;
 const uint32_t C_ACT_KILL_THREAD   = SCMP_ACT_KILL_THREAD;
@@ -109,7 +88,6 @@ const uint32_t C_ACT_ERRNO         = SCMP_ACT_ERRNO(0);
 const uint32_t C_ACT_TRACE         = SCMP_ACT_TRACE(0);
 const uint32_t C_ACT_LOG           = SCMP_ACT_LOG;
 const uint32_t C_ACT_ALLOW         = SCMP_ACT_ALLOW;
-const uint32_t C_ACT_NOTIFY        = SCMP_ACT_NOTIFY;
 
 // The libseccomp SCMP_FLTATR_CTL_LOG member of the scmp_filter_attr enum was
 // added in v2.4.0
@@ -117,16 +95,12 @@ const uint32_t C_ACT_NOTIFY        = SCMP_ACT_NOTIFY;
     (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 4)
 #define SCMP_FLTATR_CTL_LOG _SCMP_FLTATR_MIN
 #endif
-#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5
-#define SCMP_FLTATR_CTL_SSB _SCMP_FLTATR_MIN
-#endif
 
 const uint32_t C_ATTRIBUTE_DEFAULT = (uint32_t)SCMP_FLTATR_ACT_DEFAULT;
 const uint32_t C_ATTRIBUTE_BADARCH = (uint32_t)SCMP_FLTATR_ACT_BADARCH;
 const uint32_t C_ATTRIBUTE_NNP     = (uint32_t)SCMP_FLTATR_CTL_NNP;
 const uint32_t C_ATTRIBUTE_TSYNC   = (uint32_t)SCMP_FLTATR_CTL_TSYNC;
 const uint32_t C_ATTRIBUTE_LOG     = (uint32_t)SCMP_FLTATR_CTL_LOG;
-const uint32_t C_ATTRIBUTE_SSB     = (uint32_t)SCMP_FLTATR_CTL_SSB;
 
 const int      C_CMP_NE            = (int)SCMP_CMP_NE;
 const int      C_CMP_LT            = (int)SCMP_CMP_LT;
@@ -215,51 +189,6 @@ void add_struct_arg_cmp(
 
         return;
 }
-
-// The seccomp notify API functions were added in v2.5.0
-#if (SCMP_VER_MAJOR < 2) || \
-    (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 5)
-
-struct seccomp_data {
-	int nr;
-	__u32 arch;
-	__u64 instruction_pointer;
-	__u64 args[6];
-};
-
-struct seccomp_notif {
-	__u64 id;
-	__u32 pid;
-	__u32 flags;
-	struct seccomp_data data;
-};
-
-struct seccomp_notif_resp {
-	__u64 id;
-	__s64 val;
-	__s32 error;
-	__u32 flags;
-};
-
-int seccomp_notify_alloc(struct seccomp_notif **req, struct seccomp_notif_resp **resp) {
-	return -EOPNOTSUPP;
-}
-int seccomp_notify_fd(const scmp_filter_ctx ctx) {
-	return -EOPNOTSUPP;
-}
-void seccomp_notify_free(struct seccomp_notif *req, struct seccomp_notif_resp *resp) {
-}
-int seccomp_notify_id_valid(int fd, uint64_t id) {
-	return -EOPNOTSUPP;
-}
-int seccomp_notify_receive(int fd, struct seccomp_notif *req) {
-	return -EOPNOTSUPP;
-}
-int seccomp_notify_respond(int fd, struct seccomp_notif_resp *resp) {
-	return -EOPNOTSUPP;
-}
-
-#endif
 */
 import "C"
 
@@ -274,7 +203,6 @@ const (
 	filterAttrNNP        scmpFilterAttr = iota
 	filterAttrTsync      scmpFilterAttr = iota
 	filterAttrLog        scmpFilterAttr = iota
-	filterAttrSSB        scmpFilterAttr = iota
 )
 
 const (
@@ -282,7 +210,7 @@ const (
 	scmpError C.int = -1
 	// Comparison boundaries to check for architecture validity
 	archStart ScmpArch = ArchNative
-	archEnd   ScmpArch = ArchPARISC64
+	archEnd   ScmpArch = ArchS390X
 	// Comparison boundaries to check for action validity
 	actionStart ScmpAction = ActKill
 	actionEnd   ScmpAction = ActKillProcess
@@ -532,10 +460,6 @@ func archFromNative(a C.uint32_t) (ScmpArch, error) {
 		return ArchS390, nil
 	case C.C_ARCH_S390X:
 		return ArchS390X, nil
-	case C.C_ARCH_PARISC:
-		return ArchPARISC, nil
-	case C.C_ARCH_PARISC64:
-		return ArchPARISC64, nil
 	default:
 		return 0x0, fmt.Errorf("unrecognized architecture %#x", uint32(a))
 	}
@@ -576,10 +500,6 @@ func (a ScmpArch) toNative() C.uint32_t {
 		return C.C_ARCH_S390
 	case ArchS390X:
 		return C.C_ARCH_S390X
-	case ArchPARISC:
-		return C.C_ARCH_PARISC
-	case ArchPARISC64:
-		return C.C_ARCH_PARISC64
 	case ArchNative:
 		return C.C_ARCH_NATIVE
 	default:
@@ -628,8 +548,6 @@ func actionFromNative(a C.uint32_t) (ScmpAction, error) {
 		return ActLog, nil
 	case C.C_ACT_ALLOW:
 		return ActAllow, nil
-	case C.C_ACT_NOTIFY:
-		return ActNotify, nil
 	default:
 		return 0x0, fmt.Errorf("unrecognized action %#x", uint32(a))
 	}
@@ -654,8 +572,6 @@ func (a ScmpAction) toNative() C.uint32_t {
 		return C.C_ACT_LOG
 	case ActAllow:
 		return C.C_ACT_ALLOW
-	case ActNotify:
-		return C.C_ACT_NOTIFY
 	default:
 		return 0x0
 	}
@@ -674,181 +590,7 @@ func (a scmpFilterAttr) toNative() uint32 {
 		return uint32(C.C_ATTRIBUTE_TSYNC)
 	case filterAttrLog:
 		return uint32(C.C_ATTRIBUTE_LOG)
-	case filterAttrSSB:
-		return uint32(C.C_ATTRIBUTE_SSB)
 	default:
 		return 0x0
 	}
 }
-
-func (a ScmpSyscall) toNative() C.uint32_t {
-	return C.uint32_t(a)
-}
-
-func syscallFromNative(a C.int) ScmpSyscall {
-	return ScmpSyscall(a)
-}
-
-func notifReqFromNative(req *C.struct_seccomp_notif) (*ScmpNotifReq, error) {
-	scmpArgs := make([]uint64, 6)
-	for i := 0; i < len(scmpArgs); i++ {
-		scmpArgs[i] = uint64(req.data.args[i])
-	}
-
-	arch, err := archFromNative(req.data.arch)
-	if err != nil {
-		return nil, err
-	}
-
-	scmpData := ScmpNotifData{
-		Syscall:      syscallFromNative(req.data.nr),
-		Arch:         arch,
-		InstrPointer: uint64(req.data.instruction_pointer),
-		Args:         scmpArgs,
-	}
-
-	scmpReq := &ScmpNotifReq{
-		ID:    uint64(req.id),
-		Pid:   uint32(req.pid),
-		Flags: uint32(req.flags),
-		Data:  scmpData,
-	}
-
-	return scmpReq, nil
-}
-
-func (scmpResp *ScmpNotifResp) toNative(resp *C.struct_seccomp_notif_resp) {
-	resp.id = C.__u64(scmpResp.ID)
-	resp.val = C.__s64(scmpResp.Val)
-	resp.error = (C.__s32(scmpResp.Error) * -1) // kernel requires a negated value
-	resp.flags = C.__u32(scmpResp.Flags)
-}
-
-// Userspace Notification API
-// Calls to C.seccomp_notify* hidden from seccomp.go
-
-func (f *ScmpFilter) getNotifFd() (ScmpFd, error) {
-	f.lock.Lock()
-	defer f.lock.Unlock()
-
-	if !f.valid {
-		return -1, errBadFilter
-	}
-
-	// Ignore error, if not supported returns apiLevel == 0
-	apiLevel, _ := GetAPI()
-	if apiLevel < 6 {
-		return -1, fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
-	}
-
-	fd := C.seccomp_notify_fd(f.filterCtx)
-
-	return ScmpFd(fd), nil
-}
-
-func notifReceive(fd ScmpFd) (*ScmpNotifReq, error) {
-	var req *C.struct_seccomp_notif
-	var resp *C.struct_seccomp_notif_resp
-
-	// Ignore error, if not supported returns apiLevel == 0
-	apiLevel, _ := GetAPI()
-	if apiLevel < 6 {
-		return nil, fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
-	}
-
-	// we only use the request here; the response is unused
-	if retCode := C.seccomp_notify_alloc(&req, &resp); retCode != 0 {
-		return nil, errRc(retCode)
-	}
-
-	defer func() {
-		C.seccomp_notify_free(req, resp)
-	}()
-
-	for {
-		retCode, errno := C.seccomp_notify_receive(C.int(fd), req)
-		if retCode == 0 {
-			break
-		}
-
-		if errno == syscall.EINTR {
-			continue
-		}
-
-		if errno == syscall.ENOENT {
-			return nil, errno
-		}
-
-		return nil, errRc(retCode)
-	}
-
-	return notifReqFromNative(req)
-}
-
-func notifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error {
-	var req *C.struct_seccomp_notif
-	var resp *C.struct_seccomp_notif_resp
-
-	// Ignore error, if not supported returns apiLevel == 0
-	apiLevel, _ := GetAPI()
-	if apiLevel < 6 {
-		return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
-	}
-
-	// we only use the reponse here; the request is discarded
-	if retCode := C.seccomp_notify_alloc(&req, &resp); retCode != 0 {
-		return errRc(retCode)
-	}
-
-	defer func() {
-		C.seccomp_notify_free(req, resp)
-	}()
-
-	scmpResp.toNative(resp)
-
-	for {
-		retCode, errno := C.seccomp_notify_respond(C.int(fd), resp)
-		if retCode == 0 {
-			break
-		}
-
-		if errno == syscall.EINTR {
-			continue
-		}
-
-		if errno == syscall.ENOENT {
-			return errno
-		}
-
-		return errRc(retCode)
-	}
-
-	return nil
-}
-
-func notifIDValid(fd ScmpFd, id uint64) error {
-	// Ignore error, if not supported returns apiLevel == 0
-	apiLevel, _ := GetAPI()
-	if apiLevel < 6 {
-		return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
-	}
-
-	for {
-		retCode, errno := C.seccomp_notify_id_valid(C.int(fd), C.uint64_t(id))
-		if retCode == 0 {
-			break
-		}
-
-		if errno == syscall.EINTR {
-			continue
-		}
-
-		if errno == syscall.ENOENT {
-			return errno
-		}
-
-		return errRc(retCode)
-	}
-
-	return nil
-}