config: Add AllowSpeculation

AllowSpeculation disables spectre mitigations for container.
For more information about that, please refer to:
opencontainers/runc#2430

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>

Author: Kenta Tada

config.md

@@ -208,6 +208,7 @@ For Linux-based systems, the `process` object supports the following process-spe
     For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
 * **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process.
     For more information about SELinux, see  [SELinux documentation][selinux].
+* **`allowSpeculation`** (bool, OPTIONAL) setting `allowSpeculation` to true disable spectre mitigations to improve the performance.
 
 ### <a name="configUser" />User
 

schema/config-schema.json

@@ -166,6 +166,9 @@
                             }
                         }
                     }
+                },
+                "allowSpeculation": {
+                    "type": "boolean"
                 }
             }
         },

schema/test/config/good/spec-example.json

@@ -56,7 +56,8 @@
         ],
         "apparmorProfile": "acme_secure_profile",
         "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
-        "noNewPrivileges": true
+        "noNewPrivileges": true,
+        "allowSpeculation": false
     },
     "root": {
         "path": "rootfs",

specs-go/config.go

@@ -58,6 +58,8 @@ type Process struct {
 	OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
 	// SelinuxLabel specifies the selinux context that the container process is run as.
 	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
+	// AllowSpeculation disables spectre mitigations
+	AllowSpeculation bool `json:"allowSpeculation,omitempty" platform:"linux"`
 }
 
 // LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.