authorPeter Smith <peter.smith@linaro.org>2018-07-03 10:13:26 +0100
committerMaxim Kuvyrkov <maxim.kuvyrkov@linaro.org>2018-07-19 17:19:24 +0000
commit22face7d18b4b200f13fda732de78d95a0345d24 (patch)
treebae11b9cf91c3c234dd389bb211a0b07c00a2a26
parent1fce4a0efc6e3f35272537853bce7cb7892b3fad (diff)
tcwg-dev run dev container with unconfined security policy
The sanitizer tests on AArch64 disable address space randomisation. This results in an assertion failure, as disabling it is not permitted in the container. By using --security-opt seccomp=unconfined the sanitizer tests pass on AArch64. This configuration option is already used for the buildbot container. Change-Id: I64c1659ed834a9a5cdc436a2c3077f6fb4b38d4a
-rwxr-xr-xtcwg-base/tcwg-dev/start.sh3
1 files changed, 2 insertions, 1 deletions
diff --git a/tcwg-base/tcwg-dev/start.sh b/tcwg-base/tcwg-dev/start.sh
index edcd8aca..b281d34b 100755
--- a/tcwg-base/tcwg-dev/start.sh
+++ b/tcwg-base/tcwg-dev/start.sh
@@ -103,7 +103,8 @@ esac
memlimit=$(($(free -g | awk '/^Mem/ { print $2 }') / 2))G
# IPC_LOCK is required for some implementations of ssh-agent (e.g., MATE's).
# SYS_PTRACE is required for debugger work.
-caps="--cap-add=IPC_LOCK --cap-add=SYS_PTRACE"
+# seccomp=unconfined to allow disabling of ASLR for sanitizer regression tests.
+caps="--cap-add=IPC_LOCK --cap-add=SYS_PTRACE --security-opt seccomp:unconfined"
$DOCKER run --name=$name --hostname=$(hostname)-dev --restart=unless-stopped -dt -p 22 $mounts --memory=$memlimit --pids-limit=5000 $caps $image --user $user "$@"
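Review bot: The `--security-opt seccomp:unconfined` added to the `caps=` line removes the entire syscall filter from the dev container, although the stated need is only to let the sanitizer tests disable ASLR (presumably through the `personality` syscall), and this container already receives SYS_PTRACE and is started with `-p 22`. A narrower setting would be a custom profile that is Docker's default plus that one call, passed as `--security-opt seccomp=<path-to-profile.json>` (placeholder path). If unconfined is kept, the comment should say what is given up, e.g. `# seccomp=unconfined removes the whole syscall filter; needed so sanitizer tests can disable ASLR.` The option should also use the `=` separator that the comment and commit message already use (`--security-opt seccomp=unconfined`), since the `:` separator is the deprecated spelling. `$image`, `$mounts` and `$user` are set outside this hunk, so the rest of the `run` line could not be checked here.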