ros-infrastructure / buildfarm_deployment

Apache License 2.0

Add custom default seccomp profile whitelisting personality. #194

Closed nuclearsandwich closed 6 years ago

nuclearsandwich commented 6 years ago

The personality system call is used by sbcl to disable address space layout randomization. Since the call can also be used to enable BSD emulation which is untested in Docker, it is not whitelisted by default.

This adds a custom seccomp profile, which will need to be periodically checked against the upstream default for changes, that allows the personality system call needed by sbcl to disable Address Space Layout Randomization (details in https://github.com/ros/roslisp/issues/40#issuecomment-339735708).

Fixes #176
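As an added example (not code from the buildfarm_deployment repository or from this PR), the following Python script shows the two things the description asks for: deriving a custom profile from the upstream default by adding one exact-match allow rule for `personality` with `ADDR_NO_RANDOMIZE`, and checking that custom profile against the current upstream default so that drift is caught. The embedded `UPSTREAM_DEFAULT` is a constructed, trimmed stand-in for Docker's default profile; the five `personality` argument values mirror the ones Docker's default allows, and the constants `ADDR_NO_RANDOMIZE` (0x0040000) and `PER_BSD` (0x0006) come from `<sys/personality.h>`. The function names and report fields are this example's own.

```python
"""Build and sanity-check a custom Docker seccomp profile that allows
sbcl's personality(ADDR_NO_RANDOMIZE) call.

Added example; not code from the buildfarm_deployment repository or
this PR. UPSTREAM_DEFAULT is a constructed, trimmed stand-in for
Docker's default profile: the real file lists hundreds of syscalls,
only a handful plus the personality rules are kept here.
"""
import json

# Flag values from <sys/personality.h>.
ADDR_NO_RANDOMIZE = 0x0040000   # disables ASLR for the calling process
PER_BSD = 0x0006                # BSD emulation; stays blocked on purpose
PERSONALITY_QUERY = 0xFFFFFFFF  # personality(0xffffffff) only queries

# Constructed stand-in for the upstream default. The five personality
# values are the ones Docker's default profile allows; ADDR_NO_RANDOMIZE
# is not among them, which is why sbcl's call fails by default.
UPSTREAM_DEFAULT = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"],
         "action": "SCMP_ACT_ALLOW", "args": []},
    ] + [
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": v, "op": "SCMP_CMP_EQ"}]}
        for v in (0x0, 0x8, 0x20000, 0x20008, PERSONALITY_QUERY)
    ],
})


def personality_values(profile):
    """Set of arg-0 values for which personality(2) is allowed by exact match."""
    values = set()
    for rule in profile["syscalls"]:
        if "personality" not in rule["names"] or rule["action"] != "SCMP_ACT_ALLOW":
            continue
        for arg in rule.get("args", []):
            if arg["index"] == 0 and arg["op"] == "SCMP_CMP_EQ":
                values.add(arg["value"])
    return values


def build_custom_profile(upstream_json):
    """Return upstream plus one exact-match allow for personality(ADDR_NO_RANDOMIZE).

    Matching the single value (rather than allowing personality outright)
    keeps the rest of the flag space, BSD emulation included, blocked.
    """
    custom = json.loads(upstream_json)
    custom["syscalls"].append({
        "names": ["personality"],
        "action": "SCMP_ACT_ALLOW",
        "args": [{"index": 0, "value": ADDR_NO_RANDOMIZE, "op": "SCMP_CMP_EQ"}],
    })
    return json.dumps(custom, indent=2)


def _rule_key(rule):
    """Hashable canonical form of one syscall rule."""
    args = tuple(sorted((a["index"], a["op"], a["value"]) for a in rule.get("args", [])))
    return (tuple(sorted(rule["names"])), rule["action"], args)


def check_custom_profile(upstream_json, custom_json):
    """Compare a custom profile with the current upstream default.

    A freshly derived custom profile has exactly one rule only it knows
    (the ADDR_NO_RANDOMIZE allow) and nothing only upstream knows. Any
    rule under only_in_upstream, more than one under only_in_custom, or
    a different defaultAction means upstream moved and the custom profile
    must be regenerated from the new default.
    """
    upstream = json.loads(upstream_json)
    custom = json.loads(custom_json)
    up = {_rule_key(r) for r in upstream["syscalls"]}
    cu = {_rule_key(r) for r in custom["syscalls"]}
    allowed = personality_values(custom)
    report = {
        "only_in_upstream": sorted(up - cu),
        "only_in_custom": sorted(cu - up),
        "default_action_changed": upstream["defaultAction"] != custom["defaultAction"],
        "personality_values": sorted(allowed),
        "aslr_disable_allowed": ADDR_NO_RANDOMIZE in allowed,
        "bsd_emulation_blocked": PER_BSD not in allowed,
    }
    report["needs_rebase"] = (bool(report["only_in_upstream"])
                              or len(report["only_in_custom"]) > 1
                              or report["default_action_changed"])
    return report


if __name__ == "__main__":
    custom = build_custom_profile(UPSTREAM_DEFAULT)
    print(json.dumps(check_custom_profile(UPSTREAM_DEFAULT, custom), indent=2))
```

The generated profile is handed to the daemon or to a single container with `--security-opt seccomp=/path/to/profile.json`. Re-running `check_custom_profile` against a freshly downloaded upstream default is the periodic check the description mentions: a non-empty `only_in_upstream`, a second entry in `only_in_custom`, or a changed `defaultAction` all mean the custom file was derived from a default that has since moved.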

nuclearsandwich commented 6 years ago

Depending on buildfarm configuration you may require updates to your script-approval whitelist when incorporating this change. My testfarm did not hiccup but build.ros.org apparently did. https://github.com/ros-infrastructure/ros_buildfarm/pull/527#issuecomment-374424267

nuclearsandwich commented 6 years ago

I'll want to coordinate the timing of this PR's merge with the building of new Agent AMIs. If for some reason docker cannot start after puppet re-runs, this will take our whole fleet down. I've tested it on both fresh and live machines, but I saw enough carnage during development that I want to be overly cautious.