VERSION: release v1.2.4 #4581

Merged
merged 2 commits into from
Jan 7, 2025

cyphar
Member

@cyphar cyphar commented Jan 6, 2025

runc v1.2.4 -- "Христос се роди!"

This is the fourth patch release of the 1.2.z release branch of runc. It
includes a fix for a regression introduced in 1.2.0 related to the
default device list.

 * Re-add tun/tap devices to built-in allowed devices lists.

   In runc 1.2.0 we removed these devices from the default allow-list
   (which were added seemingly by accident early in Docker's history) as
   a precaution in order to try to reduce the attack surface of device
   inodes available to most containers (#3468). At the time we thought
   that the vast majority of users using tun/tap would already be
   specifying what devices they need (such as by using `--device` with
   Docker/Podman) as opposed to doing the `mknod` manually, and thus
   there would've been no user-visible change.

   Unfortunately, it seems that this regressed a noticeable number of
   users (and not all higher-level tools provide easy ways to specify
   devices to allow) and so this change needed to be reverted. Users
   that do not need these devices are recommended to explicitly disable
   them by adding deny rules in their container configuration. (#4555,
   #4556)

Thanks to all of the contributors who made this release possible:

 * Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 * Aleksa Sarai <cyphar@cyphar.com>
 * Kir Kolyshkin <kolyshkin@gmail.com>
 * lifubang <lifubang@acmcoder.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
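
The deny rule recommended above for containers that do not need tun/tap, as an added example that is not part of this PR or of runc's own code: the helper classifies what an OCI `config.json` itself says about the device and appends an explicit deny when the config is silent. It assumes the device is `/dev/net/tun` (character device 10:200, a number the page does not give); `tun_policy`, `with_tun_denied` and the sample config are hypothetical names and constructed data.

```python
import copy
import json

# Assumption (not stated on the page): the tun/tap node is /dev/net/tun,
# Linux character device major 10, minor 200.
TUN = ("c", 10, 200)
TUN_DENY = {"allow": False, "type": "c", "major": 10, "minor": 200, "access": "rwm"}

def _device_rules(spec):
    """Return linux.resources.devices from an OCI spec dict, or [] if absent."""
    return ((spec.get("linux") or {}).get("resources") or {}).get("devices") or []

def tun_policy(spec):
    """Classify what config.json itself says about tun/tap.

    Returns "explicit-deny", "explicit-allow" or "unspecified". Only rules naming
    c 10:200 exactly are counted (access letters are not compared); the last one
    wins because the OCI runtime spec applies entries in listed order.
    "unspecified" means the outcome is left to the runtime's built-in list.
    """
    verdict = "unspecified"
    for rule in _device_rules(spec):
        if (rule.get("type"), rule.get("major"), rule.get("minor")) == TUN:
            verdict = "explicit-allow" if rule.get("allow") else "explicit-deny"
    return verdict

def with_tun_denied(spec):
    """Return a copy of spec with the deny rule appended when tun is unspecified.

    An explicit allow is left alone: that container asked for the device.
    """
    out = copy.deepcopy(spec)
    if tun_policy(out) == "unspecified":
        linux = out["linux"] = out.get("linux") or {}
        resources = linux["resources"] = linux.get("resources") or {}
        resources["devices"] = _device_rules(out) + [dict(TUN_DENY)]
    return out

# Constructed sample: a config whose only device rule is a blanket deny-all,
# which names no specific device and so says nothing explicit about tun.
SAMPLE = {"ociVersion": "1.2.0", "linux": {"resources": {"devices": [
    {"allow": False, "access": "rwm"}]}}}

if __name__ == "__main__":
    print(tun_policy(SAMPLE))
    print(json.dumps(with_tun_denied(SAMPLE)["linux"]["resources"], indent=2))
```

The helper inspects only the rules written in `config.json`; confirm the result inside a test container on the runc version you deploy.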

@cyphar cyphar added this to the 1.2.4 milestone Jan 6, 2025
cyphar added 2 commits January 7, 2025 10:20
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Contributor

@kolyshkin kolyshkin left a comment

LGTM, thanks!

@cyphar cyphar merged commit 2a42461 into opencontainers:release-1.2 Jan 7, 2025
40 checks passed
@cyphar cyphar deleted the release-1.2.4 branch January 7, 2025 06:29
3 participants