From 2d3edd9640f32657e292974967f5d18ee4263230 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C5=91rinc?=
Date: Sun, 3 May 2026 15:36:47 +0200
Subject: [PATCH] ci: unconfine seccomp for i686 no IPC

Docker 29.4.2 blocks `socketcall(2)` in the default seccomp profile:
https://docs.docker.com/engine/release-notes/29/#2942
https://github.com/moby/profiles/releases/tag/seccomp%2Fv0.2.2
https://github.com/moby/moby/pull/52501

That affects the `i686, no IPC` job because it runs 32-bit Linux test binaries inside Docker.

Add Docker's documented `--security-opt seccomp=unconfined` workaround to this job's `CI_CONTAINER_CAP` - the hook `ci/test/02_run_container.py` already appends to `docker run`.

This restores socket availability for the 32-bit test binaries throughout the job:
https://docs.docker.com/engine/security/seccomp/#run-without-the-default-seccomp-profile

Github-Pull: #35202
Rebased-From: 11c9ef92a8daf030f75f88f324396b2248c65a64
---
 ci/test/00_setup_env_i686_centos.sh | 1 +
 ci/test/00_setup_env_i686_multiprocess.sh | 1 +
 ci/test/00_setup_env_win64.sh | 1 +
 3 files changed, 3 insertions(+)

diff --git a/ci/test/00_setup_env_i686_centos.sh b/ci/test/00_setup_env_i686_centos.sh
index 5f8391c5dac..0f532fd4057 100755
--- a/ci/test/00_setup_env_i686_centos.sh
+++ b/ci/test/00_setup_env_i686_centos.sh
@@ -9,6 +9,7 @@ export LC_ALL=C.UTF-8
 export HOST=i686-pc-linux-gnu
 export CONTAINER_NAME=ci_i686_centos
 export CI_IMAGE_NAME_TAG="quay.io/centos/amd64:stream9"
+export CI_CONTAINER_CAP="--security-opt seccomp=unconfined"
 export CI_BASE_PACKAGES="gcc-c++ glibc-devel.x86_64 libstdc++-devel.x86_64 glibc-devel.i686 libstdc++-devel.i686 ccache libtool make git python3 python3-pip which patch lbzip2 xz procps-ng dash rsync coreutils bison util-linux e2fsprogs cmake"
 export PIP_PACKAGES="pyzmq"
 export GOAL="install"
diff --git a/ci/test/00_setup_env_i686_multiprocess.sh b/ci/test/00_setup_env_i686_multiprocess.sh
index f6463438d39..ef3a63507dc 100755
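Review bot: The added `export CI_CONTAINER_CAP="--security-opt seccomp=unconfined"` carries no comment saying why this job drops Docker's default syscall filter or when the workaround can be removed, so it is likely to outlive the Docker 29.4.2 `socketcall(2)` change it works around. Add a comment above the line, e.g. `# Docker >= 29.4.2 blocks socketcall(2) in its default seccomp profile, which the 32-bit test binaries need; drop once the default profile allows it again (https://docs.docker.com/engine/release-notes/29/#2942)`. Running fully unconfined is broader than the problem: if the CI runner can carry a profile file, a copy of the default profile with `socketcall` re-allowed via `--security-opt seccomp=<profile.json>` would keep the rest of the filter in place, though I cannot tell from the hunk whether the runner has a place for such a file. The same applies to the identical lines added in `ci/test/00_setup_env_i686_multiprocess.sh` and `ci/test/00_setup_env_win64.sh`.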
--- a/ci/test/00_setup_env_i686_multiprocess.sh
+++ b/ci/test/00_setup_env_i686_multiprocess.sh
@@ -9,6 +9,7 @@ export LC_ALL=C.UTF-8
 export HOST=i686-pc-linux-gnu
 export CONTAINER_NAME=ci_i686_multiprocess
 export CI_IMAGE_NAME_TAG="docker.io/amd64/ubuntu:24.04"
+export CI_CONTAINER_CAP="--security-opt seccomp=unconfined"
 export PACKAGES="llvm clang g++-multilib"
 export DEP_OPTS="DEBUG=1 MULTIPROCESS=1"
 export GOAL="install"
diff --git a/ci/test/00_setup_env_win64.sh b/ci/test/00_setup_env_win64.sh
index bf80d5d435f..b0409a28b4f 100755
--- a/ci/test/00_setup_env_win64.sh
+++ b/ci/test/00_setup_env_win64.sh
@@ -8,6 +8,7 @@ export LC_ALL=C.UTF-8
 export CONTAINER_NAME=ci_win64
 export CI_IMAGE_NAME_TAG="docker.io/amd64/debian:bookworm"
 # Check that https://packages.debian.org/bookworm/g++-mingw-w64-x86-64-posix (version 12.2, similar to guix) can cross-compile
+export CI_CONTAINER_CAP="--security-opt seccomp=unconfined"
 export HOST=x86_64-w64-mingw32
 export DPKG_ADD_ARCH="i386"
 export PACKAGES="nsis g++-mingw-w64-x86-64-posix wine-binfmt wine64 wine32 file"
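Review bot: In `ci/test/00_setup_env_win64.sh` the new `export CI_CONTAINER_CAP="--security-opt seccomp=unconfined"` is inserted between the `# Check that https://packages.debian.org/bookworm/g++-mingw-w64-x86-64-posix ... can cross-compile` comment and the `export HOST=x86_64-w64-mingw32` / `export PACKAGES=...` lines that comment describes, so the comment now reads as if it were about the seccomp option. Move the new export above that comment, directly after `export CI_IMAGE_NAME_TAG="docker.io/amd64/debian:bookworm"`, which also matches where the two i686 files place it. The commit title and body only mention the `i686, no IPC` job, yet this hunk changes the win64 job as well — presumably because its tests run 32-bit binaries under `wine32`, but that motivation is not stated anywhere in the patch, so a one-line comment here or a sentence in the commit message would help whoever later tries to remove the workaround.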