Want to be able to specify seccomp profiles somehow
Categories
(Taskcluster :: Workers, enhancement)
Tracking
(Not tracked)
People
(Reporter: jgraham, Unassigned)
Details
Chrome's process sandbox doesn't work with the default docker seccomp configuration because it requires two extra syscalls (clone and unshare). This means that taskcluster jobs running on new enough host kernels to support the user namespace-based sandbox are unable to run Chrome without either disabling the Chrome sandbox (passing --no-sandbox) or running the docker container in privileged mode. The latter effectively gives each task root access to the host, which is undesirable for tasks that aren't trusted.
wpt has run into this problem with the community taskcluster deployment, and is going to specify --no-sandbox for all invocations of Chrome, but getting that right is tricky (and there is of course a worry it could change the test results; for performance testing it may be an even bigger concern).
A better solution would be the ability to either get worker images with a custom seccomp configuration, or specify the seccomp configuration for the worker pool, or define the custom configuration as part of the task definition.
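As an added example (not part of the bug report, and not Taskcluster's or Docker's own code), the Python sketch below audits a Docker-format seccomp profile for the two syscalls named above and shows the effect of a custom profile that allows them without privileged mode. The profile is a constructed sample, and `classify`, `with_extra_syscalls` and `audit` are hypothetical helper names.

```python
import copy
import json

# Constructed sample in Docker's seccomp profile JSON format. It is modelled on
# the shape of a default-deny profile and is NOT a copy of Docker's real default.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "execve"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "valueTwo": 0,
               "op": "SCMP_CMP_MASKED_EQ"}],
     "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["clone", "unshare"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}
""")

def classify(profile, syscall, caps=()):
    """Return 'allowed', 'conditional' or 'blocked' for one syscall."""
    # caps: capabilities the container is assumed to hold. Architecture and
    # minimum-kernel filters in the profile are ignored in this sketch.
    caps, verdict = set(caps), None
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        need = set((rule.get("includes") or {}).get("caps") or [])
        deny = set((rule.get("excludes") or {}).get("caps") or [])
        if not need <= caps or deny & caps:
            continue  # rule is not active for this capability set
        if not rule.get("args"):
            return "allowed" if rule.get("action") == "SCMP_ACT_ALLOW" else "blocked"
        verdict = "conditional"  # outcome depends on the syscall arguments
    default_ok = profile.get("defaultAction") == "SCMP_ACT_ALLOW"
    return verdict or ("allowed" if default_ok else "blocked")

def with_extra_syscalls(profile, names):
    """Return a copy of profile with an unconditional allow rule for names."""
    custom = copy.deepcopy(profile)
    custom["syscalls"].append({"names": list(names), "action": "SCMP_ACT_ALLOW"})
    return custom

def audit(profile, needed=("clone", "unshare"), caps=()):
    return {name: classify(profile, name, caps) for name in needed}

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_PROFILE))
    print("custom:", audit(with_extra_syscalls(SAMPLE_PROFILE, ["clone", "unshare"])))
```

A profile file produced this way is the kind of input Docker accepts through `--security-opt seccomp=<file>`; how a worker pool or task definition would carry it is the open question of this bug.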