From 00adc293db8cdb857f69bb49196e432c460813fe Mon Sep 17 00:00:00 2001
From: Liz Prucka
Date: Tue, 25 Jul 2023 10:22:19 -0500
Subject: executor/android: updated x86 seccomp policy

The recent docker upgrade to debian `bookworm` caused x86_64 instances to fail in `pthread_create()` due to the android seccomp filter. On `bookworm`, `pthread_create()` calls `clone3()` and `set_robust_list()` which aren't on the seccomp filter (instead of `clone()`), which is. Added these calls to the seccomp policy.
---
 executor/android/android_seccomp.h | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'executor/android/android_seccomp.h')

diff --git a/executor/android/android_seccomp.h b/executor/android/android_seccomp.h
index 8546350c5..e534ac411 100644
--- a/executor/android/android_seccomp.h
+++ b/executor/android/android_seccomp.h
@@ -2,6 +2,11 @@
 // Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

 // These headers are generated by the Android build system and need to be updated periodically.
+
+// Header files are generated by `genseccomp.py`
+// (https://android.googlesource.com/platform/bionic/+/refs/heads/main/libc/tools/genseccomp.py).
+// Arguments are taken from the android build file
+// (https://android.googlesource.com/platform/bionic/+/refs/heads/main/libc/Android.bp).
 #if GOARCH_arm64
 #define PRIMARY_ARCH AUDIT_ARCH_AARCH64
 #include "arm64_app_policy.h"
@@ -23,6 +28,8 @@ static const struct sock_filter* system_filter = arm_system_filter;
 static const size_t system_filter_size = arm_system_filter_size;
 #define kFilterMaxSize (arm_app_filter_size + 3 + 1 + 4 + 2)

+// Note: clone3() and set/get_robust_list() are added as they are used
+// by pthread_create().
 #elif GOARCH_amd64
 #define PRIMARY_ARCH AUDIT_ARCH_X86_64
 #include "x86_64_app_policy.h"
-- 
cgit mrf-deployment
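Review bot: The provenance comment added at the top of the file links `genseccomp.py` and `Android.bp` at `refs/heads/main`, which moves, so it does not record which bionic revision or which arguments produced the checked-in policy headers. For a seccomp allowlist that makes the headers hard to reproduce and diff; a line such as `// Generated from bionic at <BIONIC_COMMIT> (placeholder).` would close that gap. The comment also describes the headers as generated, while the commit description suggests syscalls were added on top of the generated output. If so, a note like `// x86_64 headers carry manual additions; re-apply them after regenerating.` would stop the next regeneration from silently dropping them.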
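Review bot: The new note sits above `#elif GOARCH_amd64`, so it reads as the tail of the preceding arm branch; moving it below the `#elif` line would tie it to the x86_64 policy it describes. It also lists `get_robust_list()`, whereas the commit description names only `clone3()` and `set_robust_list()`, so the comment and the policy should be checked against each other. The policy headers and the rest of the `#if` chain are outside this hunk, so the actual allowlist change cannot be confirmed from here. It would help to say in the comment that `clone3()` passes its flags through a struct pointer a seccomp filter cannot inspect, so allowing it admits every flag combination, e.g. `// clone3() args are not filterable by seccomp; allowed unconditionally.`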