WIP snap for 0ad
Olivier Tilloy
olivier.tilloy at canonical.com
Fri Nov 18 15:11:48 UTC 2016
On Fri, Nov 18, 2016 at 4:05 PM, Sergio Schvezov
<sergio.schvezov at canonical.com> wrote:
>
>
> On 18/11/16 at 10:37, Jamie Strandboge wrote:
>>
>> On Fri, 2016-11-18 at 13:13 +0100, Olivier Tilloy wrote:
>>>
>>> Hi everyone,
>>>
>>> I’ve been working on snapping up 0ad¹ as a side project, and I’m at
>>> the point where I’ve got it to run fully confined.
>>>
>>> I’ve had to modify the generated seccomp profile for this to work
>>> though, and I’m not sure where to take it from there. The game uses
>>> the following syscalls which are not allowed by default: setpriority
>>> and sched_setaffinity. I can get setpriority by adding the
>>> process-control plug (which needs manual connection), but it doesn’t
>>> appear any sensible interface exposes sched_setaffinity
>>> (docker-support does, but that’s obviously not a solution).
>>>
>>> What would interface experts suggest? Would it make sense to add
>>> sched_setaffinity to process-control? Or to create a new privileged
>>> interface for just that one syscall?
>>>
>
> So this triggers the question, does 0ad work if these were denied?

No. It actually hangs pretty badly at startup. When setpriority is
denied the game’s JavaScript engine fails to initialize properly, and
when sched_setaffinity is denied the graphics init hangs (in
SDL_Init).

>> FYI, there is a bug for setpriority. It looks like sched_setaffinity would be
>> fine for process-control and I just prepared a PR for it. It looks like it works
>> much like setpriority and so we'll be able to add it to the default template
>> soon for certain invocations (I suspect you'll be able to drop process-control
>> then).
>>
>
> Which brings in the follow-up question. Are there any updates wrt
> SCMP_ACT_KILL and SCMP_ACT_ERRNO or alternatives?
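
A way to check, from inside a confined environment, which outcome applies to the two syscalls discussed in this thread (an added example, not part of the original message or of snapd): each call runs in a child process, and the parent reports whether it succeeded, failed with an errno, or the child was terminated by SIGSYS, which is how a seccomp kill action shows up in the wait status. `fake_errno` and `fake_kill` are constructed stand-ins so both denial outcomes can be observed without a filter installed.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { ALLOWED, DENIED_ERRNO, KILLED_SIGSYS, PROBE_ERROR };

/* Re-apply the current CPU mask via the raw syscall: a no-op when unfiltered. */
int try_affinity(void) {
    unsigned long mask[128] = {0};  /* assumption: large enough for this host */
    long n = syscall(SYS_sched_getaffinity, 0L, sizeof mask, mask);
    if (n <= 0) return -1;          /* any failure is reported as DENIED_ERRNO */
    return (int)syscall(SYS_sched_setaffinity, 0L, (size_t)n, mask);
}

/* Re-apply the current nice value: needs no privilege when unfiltered. */
int try_priority(void) {
    errno = 0;
    int cur = getpriority(PRIO_PROCESS, 0);
    if (cur == -1 && errno != 0) return -1;
    return setpriority(PRIO_PROCESS, 0, cur);
}

/* Constructed stand-ins for the two ways a filter can refuse a call. */
int fake_errno(void) { errno = EPERM; return -1; }
int fake_kill(void) { raise(SIGSYS); return 0; }

/* Run fn in a child so a fatal filter action cannot take down the caller. */
enum outcome probe(int (*fn)(void)) {
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) _exit(fn() == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) != pid) return PROBE_ERROR;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSYS ? KILLED_SIGSYS : PROBE_ERROR;
    if (!WIFEXITED(status)) return PROBE_ERROR;
    return WEXITSTATUS(status) == 0 ? ALLOWED : DENIED_ERRNO;
}

int main(void) {
    const char *names[] = { "allowed", "denied (errno)", "killed (SIGSYS)", "probe error" };
    printf("sched_setaffinity: %s\n", names[probe(try_affinity)]);
    printf("setpriority:       %s\n", names[probe(try_priority)]);
    return 0;
}
```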