On 18/11/16 at 10:37, Jamie Strandboge wrote:
On Fri, 2016-11-18 at 13:13 +0100, Olivier Tilloy wrote:
Hi everyone,

I’ve been working on snapping up 0ad¹ as a side project, and I’m at
the point where I’ve got it to run fully confined.

I’ve had to modify the generated seccomp profile for this to work
though, and I’m not sure where to take it from there. The game uses
the following syscalls which are not allowed by default: setpriority
and sched_setaffinity. I can get setpriority by adding the
process-control plug (which needs manual connection), but it doesn’t
appear any sensible interface exposes sched_setaffinity
(docker-support does, but that’s obviously not a solution).

What would interface experts suggest? Would it make sense to add
sched_setaffinity to process-control? Or to create a new privileged
interface for just that one syscall?


So this triggers the question, does 0ad work if these were denied?

Fyi, there is a bug for setpriority. It looks like sched_setaffinity would be
fine for process-control and I just prepared a PR for it. It looks like it works
much like setpriority and so we'll be able to add it to the default template
soon for certain invocations (I suspect you'll be able to drop process-control
then).


Which brings in the follow-up question. Are there any updates wrt SCMP_ACT_KILL and SCMP_ACT_ERRNO or alternatives?

--
Snapcraft mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/snapcraft
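Whether a confined 0ad merely fails the call or dies outright is decided by the seccomp action the thread's last question asks about. The following is an added example, not code from this thread or from snapd: a hand-built seccomp-BPF filter that denies only sched_setaffinity, applied in a forked child first as ERRNO(EPERM) and then as KILL, so the two outcomes can be compared side by side. It assumes an x86_64 or aarch64 Linux host and stands in for snapd's generated profile, which is not reproduced here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __x86_64__
#define DEMO_ARCH AUDIT_ARCH_X86_64   /* assumption: x86_64 or aarch64 Linux host */
#else
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#endif

/* Allow every syscall except sched_setaffinity, which gets `action`
 * (SECCOMP_RET_ERRNO|EPERM or SECCOMP_RET_KILL). Returns 0 or -errno. */
static int deny_sched_setaffinity(unsigned int action) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* foreign ABI: nr is meaningless */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_setaffinity, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno; /* required unprivileged */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -errno;
    return 0;
}

/* Fork a child, apply `action`, then have it pin itself to CPU 0 as a game might
 * at startup. Returns the errno the child saw (ERRNO) or minus its killing signal (KILL). */
static int child_outcome(unsigned int action) {
    pid_t pid = fork();
    if (pid < 0) return -1000;
    if (pid == 0) {
        unsigned long mask = 1UL;                       /* bit 0 = CPU 0 */
        if (deny_sched_setaffinity(action) != 0) _exit(200);
        _exit(syscall(__NR_sched_setaffinity, 0, sizeof mask, &mask) == 0 ? 0 : errno);
    }
    int status = 0; waitpid(pid, &status, 0);
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

/* Exit 0 when ERRNO lets the child continue with EPERM and KILL ends it with SIGSYS. */
int main(void) { return child_outcome(SECCOMP_RET_ERRNO | EPERM) == EPERM && child_outcome(SECCOMP_RET_KILL) == -SIGSYS ? 0 : 1; }
```

With ERRNO the child keeps running and sees EPERM, which is the behaviour that lets a game degrade gracefully; with KILL it dies with SIGSYS and, under snapd, shows up as a denial in the journal.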
