agent: Disable seccomp feature on aarch64 temporarily

In order to pass CI test of aarch64, it is necessary to run `ci/install_libseccomp.sh` before ruuning unit tests in `jenkins_job_build.sh`. However, `ci/install_libseccomp.sh` is not available until PR #1788 including this commit is merged in the mainline. Therefore, we disable seccomp feature on aarch64 temporarily. After #1788 lands and CI is fixed, this commit will be reverted. Fixes: #1476 Signed-off-by: Manabu Sugimoto <Manabu.Sugimoto@sony.com>
2025-10-31 17:37:20 +00:00 · 2021-10-27 18:41:12 +09:00
parent 5dfedc2b19
commit 42add7f201
3 changed files with 7 additions and 4 deletions
--- a/src/agent/rustjail/Cargo.toml
+++ b/src/agent/rustjail/Cargo.toml
@@ -30,6 +30,9 @@ tokio = { version = "1.2.0", features = ["sync", "io-util", "process", "time", "
 futures = "0.3"
 async-trait = "0.1.31"
 inotify = "0.9.2"
+
+# Disable libseccomp on aarch64 temporarily in order to pass CI
+[target.'cfg(not(target_arch = "aarch64"))'.dependencies]
 libseccomp = { version = "0.1.3", optional = true }

 [dev-dependencies]
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -25,7 +25,7 @@ use crate::cgroups::mock::Manager as FsManager;
 use crate::cgroups::Manager;
 use crate::log_child;
 use crate::process::Process;
-#[cfg(feature = "seccomp")]
+#[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
 use crate::seccomp;
 use crate::specconv::CreateOpts;
 use crate::{mount, validator};
@@ -603,7 +603,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
    // Without NoNewPrivileges, we need to set seccomp
    // before dropping capabilities because the calling thread
    // must have the CAP_SYS_ADMIN.
-    #[cfg(feature = "seccomp")]
+    #[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
    if !oci_process.no_new_privileges {
        if let Some(ref scmp) = linux.seccomp {
            seccomp::init_seccomp(scmp)?;
@@ -685,7 +685,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
    // With NoNewPrivileges, we should set seccomp as close to
    // do_exec as possible in order to reduce the amount of
    // system calls in the seccomp profiles.
-    #[cfg(feature = "seccomp")]
+    #[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
    if oci_process.no_new_privileges {
        if let Some(ref scmp) = linux.seccomp {
            seccomp::init_seccomp(scmp)?;
--- a/src/agent/rustjail/src/lib.rs
+++ b/src/agent/rustjail/src/lib.rs
@@ -34,7 +34,7 @@ pub mod container;
 pub mod mount;
 pub mod pipestream;
 pub mod process;
-#[cfg(feature = "seccomp")]
+#[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
 pub mod seccomp;
 pub mod specconv;
 pub mod sync;