On Fri, 2016-11-18 at 07:37 -0600, Jamie Strandboge wrote:
> On Fri, 2016-11-18 at 13:13 +0100, Olivier Tilloy wrote:
> >
> > Hi everyone,
> >
> > I’ve been working on snapping up 0ad¹ as a side project, and I’m at
> > the point where I’ve got it to run fully confined.
> >
> > I’ve had to modify the generated seccomp profile for this to work
> > though, and I’m not sure where to take it from there. The game uses
> > the following syscalls which are not allowed by default: setpriority
> > and sched_setaffinity. I can get setpriority by adding the
> > process-control plug (which needs manual connection), but it doesn’t
> > appear any sensible interface exposes sched_setaffinity
> > (docker-support does, but that’s obviously not a solution).
> >
> > What would interface experts suggest? Would it make sense to add
> > sched_setaffinity to process-control? Or to create a new privileged
> > interface for just that one syscall?
> >
> Fyi, there is a bug for setpriority. It looks like sched_setaffinity would be
> fine for process-control and I just prepared a PR for it. It looks like it works
> much like setpriority and so we'll be able to add it to the default template
> soon for certain invocations (I suspect you'll be able to drop process-control
> then).
>

Re setpriority bug> I should have been more clear. There is a bug already for it to be usable in the default template so process-control isn't always needed.

-- Jamie Strandboge | http://www.canonical.com
-- Snapcraft mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
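
An added example, not part of the original thread: a small probe that can be run inside a confined application to see whether the two syscalls discussed above, `sched_setaffinity` and `setpriority`, get through the active seccomp filter. The names `probe`, `try_sched_setaffinity` and `try_setpriority` are hypothetical; the code assumes only that a filter rejects a call either with an errno or by killing the caller with SIGSYS, both of which seccomp supports.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result { PROBE_ALLOWED, PROBE_DENIED_ERRNO, PROBE_KILLED, PROBE_ERROR };

/* Re-apply the current CPU affinity mask, so the syscall is issued but
 * nothing changes. Returns 0 on success, otherwise errno. */
static int try_sched_setaffinity(void) {
    cpu_set_t set;
    if (sched_getaffinity(0, sizeof(set), &set) != 0) return errno;
    return sched_setaffinity(0, sizeof(set), &set) == 0 ? 0 : errno;
}

/* Re-apply the current nice value. getpriority() can legitimately return
 * -1, so errno has to be cleared first to tell that apart from failure. */
static int try_setpriority(void) {
    errno = 0;
    int prio = getpriority(PRIO_PROCESS, 0);
    if (prio == -1 && errno != 0) return errno;
    return setpriority(PRIO_PROCESS, 0, prio) == 0 ? 0 : errno;
}

/* Run the attempt in a child: a filter that kills on a disallowed syscall
 * then takes down the child only, and the parent reads the wait status. */
static enum probe_result probe(int (*attempt)(void)) {
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) _exit(attempt() == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0) return PROBE_ERROR;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSYS ? PROBE_KILLED : PROBE_ERROR;
    return WEXITSTATUS(status) == 0 ? PROBE_ALLOWED : PROBE_DENIED_ERRNO;
}

int main(void) {
    static const char *label[] = {"allowed", "denied (errno)", "killed (SIGSYS)", "probe error"};
    printf("sched_setaffinity: %s\n", label[probe(try_sched_setaffinity)]);
    printf("setpriority:       %s\n", label[probe(try_setpriority)]);
    return 0;
}
```

"denied (errno)" covers any non-zero errno from the attempt, including a failure of the preliminary `sched_getaffinity` or `getpriority` call, so check the kernel audit log for the exact syscall when that result appears.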
