Commit 1305765

build: make runc binary 7.6% smaller
In general runc does not do any cryptography or TLS networking. The go-systemd module has optional support for TLS. It is compiled in by default and pulls all of the crypto/tls stack into the binary. Despite being unused, it is not optimised out, as there is no sophisticated LTO-like functionality in the Go toolchain.

By removing this single file from the vendored modules, the runc binary is 7.6% smaller (both stripped and unstripped).

This also has a nice compliance side effect: the only other cryptography modules pulled in are crypto/rand and crypto/sha1, neither of which is used to protect information at rest or in transit, meaning the same build of runc can be used in FIPS and non-FIPS contexts, as not using any cryptography makes the binary out of scope for FIPS cryptographic module compliance.

If this is of interest, I will also propose to the go-systemd project that it add a build tag to allow building go-systemd without TLS listeners.

Signed-off-by: Dimitri John Ledkov <[email protected]>
1 parent e0adafb commit 1305765
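The commit checks for cryptography imports with a `git grep` over the quoted string `"crypto/`. An import audit that parses the Go import section instead, so that an aliased import such as `tls "crypto/tls"` or a `golang.org/x/crypto/...` package is also caught, is shown below. This is an added example, not runc's or go-systemd's code; the allowlist mirrors the one in the commit message, the two embedded sample files are constructed for the demonstration, and the file names used in them are hypothetical.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// allowedCrypto mirrors the commit's allowlist: neither package encrypts or
// decrypts data, so neither brings the binary into FIPS scope.
var allowedCrypto = map[string]bool{"crypto/rand": true, "crypto/sha1": true}

// Constructed sample files (not from runc or go-systemd). sampleBad carries an
// aliased import and an x/crypto import, both of which a grep for `"crypto/`
// handles poorly.
const sampleOK = `package activation; import ("crypto/rand"; "crypto/sha1"; "net")`
const sampleBad = `package activation; import ("crypto/rand"; tls "crypto/tls"; "golang.org/x/crypto/ssh"; "net")`

func isCryptoImport(path string) bool {
	return path == "crypto" || strings.HasPrefix(path, "crypto/") ||
		path == "golang.org/x/crypto" || strings.HasPrefix(path, "golang.org/x/crypto/")
}

// disallowedImportsInSource parses only the import section of one Go file and
// returns, sorted and de-duplicated, the crypto imports that are not
// allowlisted. Matching the parsed path rather than raw text means an alias
// cannot hide an import from the check.
func disallowedImportsInSource(filename, src string, allow map[string]bool) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for _, imp := range f.Imports {
		path, _ := strconv.Unquote(imp.Path.Value) // literal already validated by the parser
		if isCryptoImport(path) && !allow[path] {
			seen[path] = true
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out, nil
}

// auditTree walks a source tree such as vendor/ and maps each non-test Go file
// to its disallowed crypto imports; clean files are omitted.
func auditTree(root string, allow map[string]bool) (map[string][]string, error) {
	findings := map[string][]string{}
	err := filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || info.IsDir() {
			return walkErr
		}
		// _test.go files end up in test binaries, not in the shipped runc binary.
		if !strings.HasSuffix(path, ".go") || strings.HasSuffix(path, "_test.go") {
			return nil
		}
		src, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		bad, err := disallowedImportsInSource(path, string(src), allow)
		if err != nil {
			return err
		}
		if len(bad) > 0 {
			findings[path] = bad
		}
		return nil
	})
	return findings, err
}

func main() {
	// No argument: audit the embedded samples. Otherwise audit the given tree
	// (e.g. vendor/) and exit 1 if any disallowed crypto import is found.
	if len(os.Args) < 2 {
		for name, src := range map[string]string{"ok.go": sampleOK, "bad.go": sampleBad} {
			bad, _ := disallowedImportsInSource(name, src, allowedCrypto)
			fmt.Printf("%s: %v\n", name, bad)
		}
		return
	}
	findings, err := auditTree(os.Args[1], allowedCrypto)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for file, pkgs := range findings {
		fmt.Printf("%s: %s\n", file, strings.Join(pkgs, ", "))
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it as `go run audit.go vendor/` from the repository root. Like the Makefile's grep, this is a source-level check and only sees direct imports; a standard-library package such as net/http can still pull crypto/tls in transitively. To see what is actually linked, `go list -deps ./... | grep -E '^(crypto/|golang.org/x/crypto)'` lists the transitive dependency set, and `go tool nm runc | grep crypto/tls` inspects the built binary itself.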

2 files changed

+4
-103
lines changed


Makefile

Lines changed: 4 additions & 0 deletions
@@ -231,6 +231,10 @@ localshfmt:
231231
vendor:
232232
$(GO) mod tidy
233233
$(GO) mod vendor
234+
rm vendor/github.com/coreos/go-systemd/v22/activation/listeners.go
235+
# Verify that no encryption/decryption cryptography is used
236+
git add vendor/
237+
[ -z $$(git grep -h '"crypto/' | grep -v -e 'crypto/sha1' -e 'crypto/rand') ]
234238
$(GO) mod verify
235239

236240
.PHONY: verify-changelog
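Review bot: the new check `[ -z $$(git grep -h '"crypto/' | grep -v -e 'crypto/sha1' -e 'crypto/rand') ]` leaves the command substitution unquoted, so as soon as the grep output contains more than one word (an aliased import like `tls "crypto/tls"`, or two offending lines) `[` fails with "too many arguments" instead of reporting what matched; quote it as `[ -z "$$(...)" ]`. The pattern `'"crypto/'` also matches only standard-library imports, so a vendored `golang.org/x/crypto/...` package would pass a check whose comment says it verifies that no encryption cryptography is used; add a second pattern such as `-e '"golang.org/x/crypto/'`. Two smaller points: `git add vendor/` stages the whole vendor tree as a side effect of `make vendor` just so `git grep` can see newly vendored files, where `git grep --untracked` (or a plain `grep -r` over vendor/) would avoid touching the index; and the `rm vendor/github.com/coreos/go-systemd/v22/activation/listeners.go` line has no comment explaining why that one file is dropped, which future readers will need since a plain `go mod vendor` brings it back.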

vendor/github.com/coreos/go-systemd/v22/activation/listeners.go

Lines changed: 0 additions & 103 deletions
This file was deleted.
