WIP snap for 0ad

Sergio Schvezov sergio.schvezov at canonical.com
Fri Nov 18 15:05:57 UTC 2016



On 18/11/16 at 10:37, Jamie Strandboge wrote:
> On Fri, 2016-11-18 at 13:13 +0100, Olivier Tilloy wrote:
>> Hi everyone,
>>
>> I’ve been working on snapping up 0ad¹ as a side project, and I’m at
>> the point where I’ve got it to run fully confined.
>>
>> I’ve had to modify the generated seccomp profile for this to work
>> though, and I’m not sure where to take it from there. The game uses
>> the following syscalls which are not allowed by default: setpriority
>> and sched_setaffinity. I can get setpriority by adding the
>> process-control plug (which needs manual connection), but it doesn’t
>> appear any sensible interface exposes sched_setaffinity
>> (docker-support does, but that’s obviously not a solution).
>>
>> What would interface experts suggest? Would it make sense to add
>> sched_setaffinity to process-control? Or to create a new privileged
>> interface for just that one syscall?
>>

So this triggers the question, does 0ad work if these were denied?

> Fyi, there is a bug for setpriority. It looks like sched_setaffinity would be
> fine for process-control and I just prepared a PR for it. It looks like it works
> much like setpriority and so we'll be able to add it to the default template
> soon for certain invocations (I suspect you'll be able to drop process-control
> then).
>

Which brings in the follow-up question. Are there any updates wrt 
SCMP_ACT_KILL and SCMP_ACT_ERRNO or alternatives?
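The two questions above, whether the game keeps running when a syscall is denied and what SCMP_ACT_KILL versus SCMP_ACT_ERRNO means for the process, can be observed directly with a small seccomp-bpf program. The following is an added example and is not code from the thread, from 0ad or from snapd; it uses a raw BPF filter via prctl(2) instead of snapd's generated libseccomp profile, targets sched_setaffinity only, and assumes Linux on x86_64, aarch64 or i386. SECCOMP_RET_ERRNO and SECCOMP_RET_KILL_PROCESS are the kernel names behind libseccomp's SCMP_ACT_ERRNO and SCMP_ACT_KILL.

```c
/* Added example (not from the thread, 0ad or snapd): how a confined process
 * behaves when a seccomp-bpf filter denies sched_setaffinity with
 * SECCOMP_RET_ERRNO (libseccomp SCMP_ACT_ERRNO) versus SECCOMP_RET_KILL_PROCESS
 * (libseccomp SCMP_ACT_KILL). Linux only; the filter is hand-written BPF. */
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* older kernel headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Load a filter that applies `action` to sched_setaffinity and allows every
 * other syscall. Returns 0 on success, -1 with errno set on failure. */
static int install_filter(unsigned int action)
{
    struct sock_filter prog[] = {
        /* Kill if the syscall ABI is not the one this filter was built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number and apply `action` to sched_setaffinity. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_setaffinity, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = sizeof(prog) / sizeof(prog[0]),
        .filter = prog,
    };
    /* An unprivileged process may only load a filter after NO_NEW_PRIVS. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}

/* SCMP_ACT_ERRNO(EPERM): the syscall fails and the caller sees errno. */
int install_errno_filter(void)
{
    return install_filter(SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
}

/* SCMP_ACT_KILL: the process is terminated with SIGSYS on the first call. */
int install_kill_filter(void)
{
    return install_filter(SECCOMP_RET_KILL_PROCESS);
}

/* Re-apply the current CPU mask through the raw syscall, the kind of call a
 * game makes to pin a thread. Returns 0 on success, else the kernel's errno. */
int set_own_affinity(void)
{
    unsigned long mask[128];              /* 8192 CPU bits, ample for any host */
    memset(mask, 0, sizeof mask);
    if (syscall(SYS_sched_getaffinity, 0, sizeof mask, mask) < 0)
        return errno;
    if (syscall(SYS_sched_setaffinity, 0, sizeof mask, mask) < 0)
        return errno;
    return 0;
}

/* Run set_own_affinity() in a child under the KILL filter and report how the
 * child ended: the terminating signal number, or 0 if it exited normally. */
int signal_under_kill_filter(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_kill_filter() != 0)
            _exit(2);
        set_own_affinity();               /* never returns under KILL */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("no filter:    set_own_affinity() = %d\n", set_own_affinity());
    printf("under KILL:   child terminated by signal %d (SIGSYS is %d)\n",
           signal_under_kill_filter(), SIGSYS);
    if (install_errno_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    int rc = set_own_affinity();
    printf("under ERRNO:  set_own_affinity() = %d (%s), process still alive\n",
           rc, strerror(rc));
    return 0;
}
```

Under the ERRNO action the call returns EPERM and the program carries on, so an application that checks the return value (as it should for an optional optimisation like CPU pinning) keeps working without the interface; under the KILL action the same call ends the process with SIGSYS, which is what a snap user sees as a crash. The `strace`-visible difference is the same: a failed syscall versus a process that disappears.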
