Merge release-20210705.0-10-gebe99977a (automated)

author: gVisor bot <gvisor-bot@google.com> 2021-07-12 20:38:33 +0000
committer: gVisor bot <gvisor-bot@google.com> 2021-07-12 20:38:33 +0000
commit: f28c339def09aea90fe60b3abb38215c5e5c8e52 (patch)
tree: eac41ca885254d7a165bbc1438f2a785a6b48fb2 /pkg/seccomp
parent: 798496a6e56be9a8ae7ed8b8055e424426233647 (diff)
parent: ebe99977a47d93ee769121f9463650cfb924e243 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/pkg/seccomp/seccomp_unsafe.go b/pkg/seccomp/seccomp_unsafe.go
index 061cd26ab..6701b5542 100644
--- a/pkg/seccomp/seccomp_unsafe.go
+++ b/pkg/seccomp/seccomp_unsafe.go
@@ -68,6 +68,10 @@ func SetFilter(instrs []linux.BPFInstruction) error {
 // - Since fork()ed child processes cannot perform heap allocation, it returns
 // a unix.Errno rather than an error.
 //
+// - The race instrumentation has to be disabled for all functions that are
+// called in a forked child.
+//
+//go:norace
 //go:nosplit
 func SetFilterInChild(instrs []linux.BPFInstruction) unix.Errno {
 	if _, _, errno := unix.RawSyscall6(unix.SYS_PRCTL, linux.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); errno != 0 {
author	gVisor bot <gvisor-bot@google.com>	2021-07-12 20:38:33 +0000
committer	gVisor bot <gvisor-bot@google.com>	2021-07-12 20:38:33 +0000
commit	f28c339def09aea90fe60b3abb38215c5e5c8e52 (patch)
tree	eac41ca885254d7a165bbc1438f2a785a6b48fb2 /pkg/seccomp
parent	798496a6e56be9a8ae7ed8b8055e424426233647 (diff)
parent	ebe99977a47d93ee769121f9463650cfb924e243 (diff)