From 42add7f201cf082d0d06d676c5cf20e6088ac2fb Mon Sep 17 00:00:00 2001
From: Manabu Sugimoto
Date: Wed, 27 Oct 2021 18:41:12 +0900
Subject: [PATCH] agent: Disable seccomp feature on aarch64 temporarily

In order to pass CI test of aarch64, it is necessary to run `ci/install_libseccomp.sh` before ruuning unit tests in `jenkins_job_build.sh`. However, `ci/install_libseccomp.sh` is not available until PR #1788 including this commit is merged in the mainline. Therefore, we disable seccomp feature on aarch64 temporarily. After #1788 lands and CI is fixed, this commit will be reverted.

Fixes: #1476

Signed-off-by: Manabu Sugimoto
---
 src/agent/rustjail/Cargo.toml | 3 +++
 src/agent/rustjail/src/container.rs | 6 +++---
 src/agent/rustjail/src/lib.rs | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/agent/rustjail/Cargo.toml b/src/agent/rustjail/Cargo.toml
index 497a86210..e6d1d7ee6 100644
--- a/src/agent/rustjail/Cargo.toml
+++ b/src/agent/rustjail/Cargo.toml
@@ -30,6 +30,9 @@ tokio = { version = "1.2.0", features = ["sync", "io-util", "process", "time", "
 futures = "0.3"
 async-trait = "0.1.31"
 inotify = "0.9.2"
+
+# Disable libseccomp on aarch64 temporarily in order to pass CI
+[target.'cfg(not(target_arch = "aarch64"))'.dependencies]
 libseccomp = { version = "0.1.3", optional = true }
 
 [dev-dependencies]
diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs
index 6e71552ef..8e6e8d8d9 100644
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -25,7 +25,7 @@ use crate::cgroups::mock::Manager as FsManager;
 use crate::cgroups::Manager;
 use crate::log_child;
 use crate::process::Process;
-#[cfg(feature = "seccomp")]
+#[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
 use crate::seccomp;
 use crate::specconv::CreateOpts;
 use crate::{mount, validator};
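Review bot: In the Cargo.toml hunk the new `[target.'cfg(not(target_arch = "aarch64"))'.dependencies]` header sits in the middle of the dependency list, so any dependency later appended below `libseccomp` and above `[dev-dependencies]` silently becomes non-aarch64-only. The comment also does not say when the exclusion ends; I would extend it to `# Disable libseccomp on aarch64 temporarily in order to pass CI; revert once #1788 is merged (see #1476)`. Because this drops a syscall-filtering dependency for a whole architecture, the revert condition should be findable from the manifest and not only from the commit message.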
@@ -603,7 +603,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
     // Without NoNewPrivileges, we need to set seccomp
     // before dropping capabilities because the calling thread
     // must have the CAP_SYS_ADMIN.
-    #[cfg(feature = "seccomp")]
+    #[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
     if !oci_process.no_new_privileges {
         if let Some(ref scmp) = linux.seccomp {
             seccomp::init_seccomp(scmp)?;
@@ -685,7 +685,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
     // With NoNewPrivileges, we should set seccomp as close to
     // do_exec as possible in order to reduce the amount of
     // system calls in the seccomp profiles.
-    #[cfg(feature = "seccomp")]
+    #[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
     if oci_process.no_new_privileges {
         if let Some(ref scmp) = linux.seccomp {
             seccomp::init_seccomp(scmp)?;
diff --git a/src/agent/rustjail/src/lib.rs b/src/agent/rustjail/src/lib.rs
index 7535bf990..f9327dc3f 100644
--- a/src/agent/rustjail/src/lib.rs
+++ b/src/agent/rustjail/src/lib.rs
@@ -34,7 +34,7 @@ pub mod container;
 pub mod mount;
 pub mod pipestream;
 pub mod process;
-#[cfg(feature = "seccomp")]
+#[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))]
 pub mod seccomp;
 pub mod specconv;
 pub mod sync;
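Review bot: With this predicate both seccomp blocks in do_init_child (the `!oci_process.no_new_privileges` one at -603 and the `oci_process.no_new_privileges` one at -685) compile to nothing on aarch64, so a spec that carries `linux.seccomp` is accepted and the container starts with no syscall filter and no message. A sandboxing control that is compiled out should fail closed or at least be reported; next to each block I would add the complementary arm, `#[cfg(not(all(not(target_arch = "aarch64"), feature = "seccomp")))]` on `if linux.seccomp.is_some() { /* return an error, or warn via log_child */ }`. If returning an error would break the aarch64 CI this commit is meant to unblock, a warning is the minimum. The same predicate is repeated four times (these two blocks, the `use crate::seccomp;` import and `pub mod seccomp;` in lib.rs); always compiling the module and giving it a stub `init_seccomp` for unsupported builds would keep it in one place and carry the warning too. do_init_child starts and ends outside both hunks, so how errors are constructed there is not visible.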