From a4d0fd8853ddb45873bfec337becd39862ec0dcb Mon Sep 17 00:00:00 2001 From: Ricardo Branco Date: Wed, 11 Mar 2026 23:10:28 +0100 Subject: [PATCH] test/e2e: Add linkat to seccomp profile Some architectures (i.e., arm64) do not implement the link(2) system call and ln(1) uses linkat(2) instead. Use the names array to block both syscalls so the tests works on all architectures. Signed-off-by: Ricardo Branco --- test/e2e/play_kube_test.go | 2 +- test/e2e/run_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index ba663c0783..a084271a01 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -1518,7 +1518,7 @@ var ( defaultConfigMapName = "testConfigMap" defaultSecretName = "testSecret" defaultPVCName = "testPVC" - seccompLinkEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`) + seccompLinkEPERM = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"names":["link","linkat"],"action":"SCMP_ACT_ERRNO"}]}`) // CPU Period in ms defaultCPUPeriod = 100 // Default secret in JSON. Note that the values ("foo" and "bar") are base64 encoded. diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 192623f538..ad156911e8 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -400,7 +400,7 @@ var _ = Describe("Podman run", func() { }) forbidLinkSeccompProfile := func() string { - in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`) + in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"names":["link","linkat"],"action":"SCMP_ACT_ERRNO"}]}`) jsonFile, err := podmanTest.CreateSeccompJSON(in) if err != nil { GinkgoWriter.Println(err)