From 11c9ef92a8daf030f75f88f324396b2248c65a64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C5=91rinc?= <pap.lorinc@gmail.com>
Date: Sun, 3 May 2026 15:36:47 +0200
Subject: [PATCH] ci: unconfine seccomp for i686 no IPC

Docker 29.4.2 blocks `socketcall(2)` in the default seccomp profile:
https://docs.docker.com/engine/release-notes/29/#2942
https://github.com/moby/profiles/releases/tag/seccomp%2Fv0.2.2
https://github.com/moby/moby/pull/52501

That affects the `i686, no IPC` job because it runs 32-bit Linux test binaries inside Docker.

Add Docker's documented `--security-opt seccomp=unconfined` workaround to this job's `CI_CONTAINER_CAP` - the hook `ci/test/02_run_container.py` already appends to `docker run`.

This restores socket availability for the 32-bit test binaries throughout the job:
https://docs.docker.com/engine/security/seccomp/#run-without-the-default-seccomp-profile
---
 ci/test/00_setup_env_i686_no_ipc.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ci/test/00_setup_env_i686_no_ipc.sh b/ci/test/00_setup_env_i686_no_ipc.sh
index dca0486fb60..3d19232f2e5 100755
--- a/ci/test/00_setup_env_i686_no_ipc.sh
+++ b/ci/test/00_setup_env_i686_no_ipc.sh
@@ -10,6 +10,7 @@ export HOST=i686-pc-linux-gnu
 export CONTAINER_NAME=ci_i686_no_multiprocess
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"
 export CI_IMAGE_PLATFORM="linux/amd64"
+export CI_CONTAINER_CAP="--security-opt seccomp=unconfined"
 export PACKAGES="llvm clang g++-multilib"
 export DEP_OPTS="DEBUG=1 NO_IPC=1"
 export GOAL="install"