@HirazawaUi HirazawaUi commented Nov 15, 2025

This is the code implementation in the runc project for KEP: kubernetes/enhancements#5607. In the PR for this KEP, the feature has been discussed with runc maintainer @rata and has received @rata's acknowledgment.

When running a container within a user namespace (userns), runc currently fails to mount /sys. This is because a standard mount of the sysfs filesystem is a privileged operation.

For a process that is root only within a new user namespace but is unprivileged on the host, the kernel correctly denies this request. This prevents containers from starting successfully in environments that rely on user namespaces, such as rootless containers.

This change implements a fallback mechanism to address this issue, aligning runc's behavior with other runtimes like crun and improving support for user namespaces.

The corresponding code path in crun:

```c
      ret = mount (source, real_target, fstype, flags, data);
      if (UNLIKELY (ret < 0))
        {
          int saved_errno = errno;

          if ((mountflags & MS_RDONLY) && targetfd > 0 && fstype && strcmp (fstype, "sysfs") == 0)
            {
              /* If we are running in an user namespace, just bind mount /sys if creating
                 sysfs failed.  */
              ret = check_running_in_user_namespace (err);
```

......
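The same fallback written out in Go, as an added illustration rather than code from this PR or from runc: the sysfs mount is attempted first, and only a read-only sysfs mount that the kernel rejected while the process is inside a user namespace is replaced by a read-only bind of the host /sys. The user-namespace check (comparing /proc/self/uid_map with the identity map of the initial namespace), the function names and the flag set are assumptions of this example, not details taken from the PR.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
)

// isHostUIDMap reports whether a /proc/self/uid_map payload is the identity
// map of the initial user namespace ("0 0 4294967295" on a single line).
func isHostUIDMap(uidMap string) bool {
	return strings.Join(strings.Fields(uidMap), " ") == "0 0 4294967295"
}

// inUserNS reads the calling process's own uid_map (Linux only; assumed check).
func inUserNS() (bool, error) {
	data, err := os.ReadFile("/proc/self/uid_map")
	if err != nil {
		return false, err
	}
	return !isHostUIDMap(string(data)), nil
}

// fallbackToBind mirrors crun's condition: the fallback applies only to a
// read-only sysfs mount that failed while running inside a user namespace.
func fallbackToBind(fstype string, flags uintptr, mountErr error, userNS bool) bool {
	return mountErr != nil && fstype == "sysfs" && flags&syscall.MS_RDONLY != 0 && userNS
}

// mountSysfs tries a fresh sysfs mount at target and, when the kernel rejects
// it inside a userns, bind-mounts the host /sys there read-only instead.
func mountSysfs(target string, flags uintptr) error {
	err := syscall.Mount("sysfs", target, "sysfs", flags, "")
	if err == nil {
		return nil
	}
	userNS, nsErr := inUserNS()
	if nsErr != nil || !fallbackToBind("sysfs", flags, err, userNS) {
		return fmt.Errorf("mount sysfs on %s: %w", target, err)
	}
	if err := syscall.Mount("/sys", target, "", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
		return fmt.Errorf("bind /sys on %s: %w", target, err)
	}
	// MS_RDONLY is ignored when a bind mount is created; a remount enforces it.
	return syscall.Mount("", target, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY, "")
}
```

mountSysfs needs CAP_SYS_ADMIN in the mount namespace it runs in; a non-root shell inside a userns exercises the bind path, a privileged host process the direct sysfs path.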

@HirazawaUi force-pushed the support-hostnetwork-userns branch from 32ed7f4 to 6f2355f on November 15, 2025 13:05
Signed-off-by: HirazawaUi <695097494plus@gmail.com>
@HirazawaUi force-pushed the support-hostnetwork-userns branch from 6f2355f to c36eeaa on November 15, 2025 13:08