On 11/18/2016 09:05 AM, Sergio Schvezov wrote:
>
>
> On 18/11/16 at 10:37, Jamie Strandboge wrote:
>> On Fri, 2016-11-18 at 13:13 +0100, Olivier Tilloy wrote:
>>> Hi everyone,
>>>
>>> I’ve been working on snapping up 0ad¹ as a side project, and I’m at
>>> the point where I’ve got it to run fully confined.
>>>
>>> I’ve had to modify the generated seccomp profile for this to work
>>> though, and I’m not sure where to take it from there. The game uses
>>> the following syscalls which are not allowed by default: setpriority
>>> and sched_setaffinity. I can get setpriority by adding the
>>> process-control plug (which needs manual connection), but it doesn’t
>>> appear any sensible interface exposes sched_setaffinity
>>> (docker-support does, but that’s obviously not a solution).
>>>
>>> What would interface experts suggest? Would it make sense to add
>>> sched_setaffinity to process-control? Or to create a new privileged
>>> interface for just that one syscall?
>>>
>
> So this triggers the question, does 0ad work if these were denied?
>
>> Fyi, there is a bug for setpriority. It looks like sched_setaffinity
>> would be fine for process-control and I just prepared a PR for it. It
>> looks like it works much like setpriority and so we'll be able to add
>> it to the default template soon for certain invocations (I suspect
>> you'll be able to drop process-control then).
>>
>
> Which brings in the follow-up question. Are there any updates wrt
> SCMP_ACT_KILL and SCMP_ACT_ERRNO or alternatives?

Not yet. Some other work took priority and this work is almost back to the top of my list.

Tyler
--
Snapcraft mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snapcraft
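An added example, not part of the thread or of snapd: it shows what a process sees when sched_setaffinity is denied with each of the two seccomp actions asked about above. It uses a raw seccomp-BPF filter rather than libseccomp, where SECCOMP_RET_ERRNO and SECCOMP_RET_KILL are the kernel actions behind SCMP_ACT_ERRNO and SCMP_ACT_KILL; the helper names `child` and `run_denied` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Child: deny sched_setaffinity with `action`, then call it. A production
 * filter would also check seccomp_data.arch; omitted to keep this short. */
static void child(unsigned int action) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_setaffinity, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),            /* the denied syscall */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* everything else */
    };
    struct sock_fprog fprog = { .len = 4, .filter = prog };
    cpu_set_t set;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog))
        _exit(3);                    /* filter could not be installed */
    CPU_ZERO(&set);
    CPU_SET(0, &set);
    if (sched_setaffinity(0, sizeof(set), &set) == 0)
        _exit(0);                    /* call was allowed */
    _exit(errno == EPERM ? 1 : 2);   /* 1: denied with EPERM, process lives on */
}

/* Returns the child's exit code, or -(signal) if the kernel killed it. */
int run_denied(unsigned int action) {
    int status;
    pid_t pid = fork();
    if (pid == 0)
        child(action);
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return 100;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int main(void) {
    printf("ERRNO: %d\n", run_denied(SECCOMP_RET_ERRNO | EPERM));
    printf("KILL: %d (SIGSYS is %d)\n", run_denied(SECCOMP_RET_KILL), SIGSYS);
    return 0;
}
```

With the ERRNO action the caller gets a normal error return and can carry on without the affinity change; with the KILL action it is terminated by SIGSYS at the call site.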
