WIP snap for 0ad

Tyler Hicks tyhicks at canonical.com
Mon Nov 21 15:21:56 UTC 2016


On 11/18/2016 09:05 AM, Sergio Schvezov wrote:
> 
> 
> On 18/11/16 at 10:37, Jamie Strandboge wrote:
>> On Fri, 2016-11-18 at 13:13 +0100, Olivier Tilloy wrote:
>>> Hi everyone,
>>>
>>> I’ve been working on snapping up 0ad¹ as a side project, and I’m at
>>> the point where I’ve got it to run fully confined.
>>>
>>> I’ve had to modify the generated seccomp profile for this to work
>>> though, and I’m not sure where to take it from there. The game uses
>>> the following syscalls which are not allowed by default: setpriority
>>> and sched_setaffinity. I can get setpriority by adding the
>>> process-control plug (which needs manual connection), but it doesn’t
>>> appear any sensible interface exposes sched_setaffinity
>>> (docker-support does, but that’s obviously not a solution).
>>>
>>> What would interface experts suggest? Would it make sense to add
>>> sched_setaffinity to process-control? Or to create a new privileged
>>> interface for just that one syscall?
>>>
> 
> So this triggers the question, does 0ad work if these were denied?
> 
>> Fyi, there is a bug for setpriority. It looks like sched_setaffinity would be
>> fine for process-control and I just prepared a PR for it. It looks like it works
>> much like setpriority and so we'll be able to add it to the default template
>> soon for certain invocations (I suspect you'll be able to drop process-control
>> then).
>>
> 
> Which brings in the follow-up question. Are there any updates wrt
> SCMP_ACT_KILL and SCMP_ACT_ERRNO or alternatives?

Not yet. Some other work took priority and this work is almost back to
the top of my list.

Tyler
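
Added example, not part of the thread and not snapd's code: what the two seccomp actions asked about above mean for a denied sched_setaffinity call. It uses the raw kernel filter actions SECCOMP_RET_ERRNO and SECCOMP_RET_KILL, which libseccomp's SCMP_ACT_ERRNO and SCMP_ACT_KILL correspond to; the helper name `affinity_under_filter` and the one-rule filter are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Hypothetical helper: a child installs a filter that applies `action` to
 * sched_setaffinity and allows everything else, then makes the call.
 * Returns the child's errno (0 = success), 1000 + signal if it was killed,
 * -1 on setup failure. A production filter also checks seccomp_data.arch. */
int affinity_under_filter(unsigned int action)
{
    struct sock_filter rules[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_setaffinity, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = rules };
    unsigned long mask[16] = {0};            /* room for 1024 CPUs on 64-bit */
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        syscall(__NR_sched_getaffinity, 0, sizeof(mask), mask); /* reuse current mask */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(255);
        _exit(syscall(__NR_sched_setaffinity, 0, sizeof(mask), mask) == 0 ? 0 : errno);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return 1000 + WTERMSIG(status);
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    /* ERRNO: the caller sees EPERM and keeps running. KILL: it dies with SIGSYS. */
    printf("ERRNO action -> %d\n", affinity_under_filter(SECCOMP_RET_ERRNO | EPERM));
    printf("KILL action  -> %d\n", affinity_under_filter(SECCOMP_RET_KILL));
    return 0;
}
```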

