ros-infrastructure / cookbook-ros-buildfarm

Update seccomp profile to moby/moby 20.10.12. #109

Closed nuclearsandwich closed 2 years ago

nuclearsandwich commented 2 years ago

This pulls in the default seccomp profile from moby/moby 20.10.12 which includes, among other changes, support for the clone3 system call which is being blocked in our current Ubuntu Jammy sourcedeb containers.

The personality system call for sbcl in ROS 1 is maintained.
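To confirm that a refreshed profile differs from upstream only by the intended `personality` rule, the two JSON files can be compared rule by rule instead of line by line. This is an added example, not code from this pull request or the cookbook; the function names are hypothetical and the two miniature profiles are constructed for illustration.

```python
import copy
import json

IGNORED = ("names", "comment")  # keys that do not change what a rule permits

def rules_by_syscall(profile):
    """Map each syscall name to the set of rule signatures that mention it."""
    rules = {}
    for rule in profile.get("syscalls", []):
        # Drop empty placeholders ("args": [], "includes": {}) so both styles compare equal.
        effect = {k: v for k, v in rule.items()
                  if k not in IGNORED and v not in ([], {}, "", None)}
        sig = json.dumps(effect, sort_keys=True)
        for name in rule.get("names", []):
            rules.setdefault(name, set()).add(sig)
    return rules

def deviations(upstream, local):
    """Return {syscall: {"added": [...], "removed": [...]}} for every rule that differs."""
    up, lo = rules_by_syscall(upstream), rules_by_syscall(local)
    out = {}
    for name in sorted(set(up) | set(lo)):
        added = sorted(lo.get(name, set()) - up.get(name, set()))
        removed = sorted(up.get(name, set()) - lo.get(name, set()))
        if added or removed:
            out[name] = {"added": [json.loads(s) for s in added],
                         "removed": [json.loads(s) for s in removed]}
    return out

def unfiltered_allows(profile):
    """Syscalls allowed with no args/includes/excludes condition at all."""
    bare = json.dumps({"action": "SCMP_ACT_ALLOW"}, sort_keys=True)
    return {n for n, sigs in rules_by_syscall(profile).items() if bare in sigs}

# Constructed sample data: a tiny profile in the Docker seccomp JSON layout.
UPSTREAM = {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
    {"names": ["openat", "pause", "pipe"], "action": "SCMP_ACT_ALLOW",
     "args": [], "comment": "", "includes": {}, "excludes": {}},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
]}
# Constructed local variant: "personality" appended to the unconditional list.
LOCAL = copy.deepcopy(UPSTREAM)
LOCAL["syscalls"][0]["names"].append("personality")

if __name__ == "__main__":
    print(json.dumps(deviations(UPSTREAM, LOCAL), indent=2))
    print(sorted(unfiltered_allows(LOCAL)))
```

On real files, load each profile with `json.load` and pass the two dictionaries to `deviations`; any syscall in the result other than the intended one is an unreviewed change.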

ros-discourse commented 2 years ago

This pull request has been mentioned on ROS Discourse. There might be relevant details there:

https://discourse.ros.org/t/holding-releases-to-perform-rolling-transition-to-new-platforms/24191/12

j-rivero commented 2 years ago

Seems good to my eyes:

cookbook-ros-buildfarm/files on  update-seccomp-policy [?] ❯ diff -u /tmp/moby-20.10.12/profiles/seccomp/default.json docker-seccomp-default-with-personality.json 
--- /tmp/moby-20.10.12/profiles/seccomp/default.json    2021-12-12 11:11:51.000000000 +0100
+++ docker-seccomp-default-with-personality.json    2022-02-16 21:09:30.344735175 +0100
@@ -234,6 +234,7 @@
                "openat",
                "openat2",
                "pause",
+               "personality",
                "pidfd_open",
                "pidfd_send_signal",
                "pipe",
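Review bot: the added "personality" entry at new line 237 sits in the same name list as openat, pause and pipe, so it appears to inherit that rule's action with no argument filter, which would permit every persona value rather than only the one sbcl needs. Consider a separate rule for personality with an args match on the specific value sbcl passes, and record the reason for the deviation next to the file so the next upstream refresh neither drops nor widens it.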