On Fri, 2016-11-18 at 13:13 +0100, Olivier Tilloy wrote:
> Hi everyone,
>
> I’ve been working on snapping up 0ad¹ as a side project, and I’m at
> the point where I’ve got it to run fully confined.
>
> I’ve had to modify the generated seccomp profile for this to work
> though, and I’m not sure where to take it from there. The game uses
> the following syscalls which are not allowed by default: setpriority
> and sched_setaffinity. I can get setpriority by adding the
> process-control plug (which needs manual connection), but it doesn’t
> appear any sensible interface exposes sched_setaffinity
> (docker-support does, but that’s obviously not a solution).
>
> What would interface experts suggest? Would it make sense to add
> sched_setaffinity to process-control? Or to create a new privileged
> interface for just that one syscall?
>

Fyi, there is a bug for setpriority. It looks like sched_setaffinity would be fine for process-control and I just prepared a PR for it. It looks like it works much like setpriority and so we'll be able to add it to the default template soon for certain invocations (I suspect you'll be able to drop process-control then).

In the future you can also simply file a bug and add the 'snapd-interface' tag.

Thanks for bringing this up!

--
Jamie Strandboge | http://www.canonical.com

-- Snapcraft mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
