diff mbox series

[10/15] travis: Disable seccomp on child containers

Message ID 20200612022452.371685-11-oohall@gmail.com
State Accepted
Series [01/15] test/qemu: Update command line arguments

Checks

Context Check Description
snowpatch_ozlabs/apply_patch fail Failed to apply to any branch
snowpatch_ozlabs/apply_patch warning Failed to apply on branch master (fe70fbb78d33abea788a3221bc409a7c50c019c3)

Commit Message

Oliver O'Halloran June 12, 2020, 2:24 a.m. UTC
We've been hitting the following issue with valgrind breaking when run
inside a Fedora 32 container:

	        [ BOOT TEST ]  ccan/check_type/test/run
	valgrind: ccan/check_type/test/run: Operation not permitted
	make: *** [/build/ccan/Makefile.check:24:
	ccan/check_type/test/run-check] Error 126
	make: *** Waiting for unfinished jobs....

This seems to be a result of the default seccomp profile blocking system
calls that valgrind wants to use to inspect the process being debugged
(i.e. ptrace). Fix this by using the unrestricted seccomp profile and
giving the container the ptrace capability.

Travis uses ephemeral VMs for each job so this isn't any kind of
security issue.

Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)
Patch

diff --git a/.travis.yml b/.travis.yml
index 17061913feb5..860d204d0465 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -39,6 +39,7 @@  install:
 script:
     - >
       docker run
+      --security-opt seccomp=unconfined
       --volume $HOME/.ccache:/root/.ccache
       --volume `pwd`:/build
       --volume `pwd`/ci_build_cache/${RUN_ON_CONTAINER}:/root/ci_build_cache/
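
Review bot: the commit message says the fix also gives the container the ptrace capability, but the only line added to the `docker run` invocation is `--security-opt seccomp=unconfined`, and the diffstat shows a single insertion; no `--cap-add` option appears in the visible lines. Either add `--cap-add=SYS_PTRACE` next to the new option or drop that clause from the message so the two agree. Because the stated need is only ptrace for valgrind, consider a custom seccomp profile that allows the required syscalls instead of `unconfined`, and add a short comment in `.travis.yml` recording why the profile is relaxed, so the setting is not copied into environments that are not ephemeral.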