interfaces/seccomp: allow bind() for Fedora and openSUSE

morphis · a604e6e94cca5251a1a1ae31907832e023b38fa7 · Simon Fels committed May 17, 2017 · May 17, 2017 · a604e6e
1 parent e3648fa
commit a604e6e94cca5251a1a1ae31907832e023b38fa7
Unified Split

Showing with 10 additions and 0 deletions.

+10 −0 interfaces/seccomp/template.go
diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go
@@ -548,4 +548,14 @@ pwritev
 # This is an older interface and single entry point that can be used instead
 # of socket(), bind(), connect(), etc individually.
 socketcall
+
+# Allow bind() as the golang net package uses this on initialization when
+# loaded the first time and on systems without an LSM system this kills
+# snapctl when executed in a hook when the network-bind interface isn't
+# plugged. See https://forum.snapcraft.io/t/hooks-calling-snapctl-are-broken-with-just-seccomp-enabled/658/
+# for more details.
+#
+# NOTE: This is only meant for Fedora and openSUSE and shouldn't be
+# applied upstream.
+bind
 `)