Revert "fix(fedimint): run fmcd with seccomp=unconfined so its DHT can start (#7)"

This reverts commit 409543c41e78025354acbdde5ffc6445895d4508.
2026-06-20 14:37:24 -04:00 · 2026-06-20 14:37:24 -04:00 · 63b98599e8
commit 63b98599e8
parent 409543c41e
4 changed files with 0 additions and 31 deletions
--- a/apps/fedimint-clientd/manifest.yml
+++ b/apps/fedimint-clientd/manifest.yml
@ -42,12 +42,6 @@ app:
    # skip this whole manifest, so fmcd never ran and federations never joined.)
    # Lock down once the default federation's reachability model is finalized.
    network_policy: bridge
-    # fmcd's Mainline-DHT / iroh transport uses syscalls the default rootless
-    # seccomp profile blocks on some kernels (e.g. .116, kernel 6.12.74), where
-    # fmcd crash-loops "Operation not permitted (os error 1)" and never serves
-    # its REST API — so federations can't be joined (#7). Verified: with
-    # seccomp=unconfined fmcd boots and answers /v2/* (HTTP 401 vs dead 000).
-    seccomp_unconfined: true

  ports:
    # fmcd REST bound to 8080 in-container; 8080 collides with LND REST on the
--- a/core/archipelago/src/container/quadlet.rs
+++ b/core/archipelago/src/container/quadlet.rs
@ -149,9 +149,6 @@ pub struct QuadletUnit {
    pub command: Vec<String>,
    pub read_only_root: bool,
    pub no_new_privileges: bool,
-    /// Render `SeccompProfile=unconfined` — for daemons whose networking needs
-    /// syscalls the default rootless seccomp profile blocks (e.g. fmcd, #7).
-    pub seccomp_unconfined: bool,
    pub cpu_quota: Option<u32>,
    pub restart_policy: RestartPolicy,
 }
@ -255,9 +252,6 @@ impl QuadletUnit {
        if self.no_new_privileges {
            let _ = writeln!(s, "NoNewPrivileges=true");
        }
-        if self.seccomp_unconfined {
-            let _ = writeln!(s, "SeccompProfile=unconfined");
-        }
        if let Some(cpus) = self.cpu_quota {
            let _ = writeln!(s, "PodmanArgs=--cpus={cpus}");
        }
@ -414,7 +408,6 @@ impl QuadletUnit {
            command: app.container.custom_args.clone(),
            read_only_root: app.security.readonly_root,
            no_new_privileges: app.security.no_new_privileges,
-            seccomp_unconfined: app.security.seccomp_unconfined,
            cpu_quota: app.resources.cpu_limit,
            restart_policy: RestartPolicy::OnFailure,
        }
--- a/core/container/src/manifest.rs
+++ b/core/container/src/manifest.rs
@ -228,13 +228,6 @@ pub struct SecurityPolicy {
    pub network_policy: String,
    #[serde(default)]
    pub apparmor_profile: Option<String>,
-    /// Run the container with `seccomp=unconfined`. Needed by daemons whose
-    /// networking uses syscalls blocked by the default rootless seccomp profile
-    /// on some kernels — e.g. fmcd's Mainline-DHT/iroh transport, which otherwise
-    /// crash-loops with "Operation not permitted (os error 1)" (#7). Opt-in only;
-    /// a mild relaxation, so reserve it for apps that genuinely need it.
-    #[serde(default)]
-    pub seccomp_unconfined: bool,
 }

 fn default_true() -> bool {
--- a/core/container/src/podman_client.rs
+++ b/core/container/src/podman_client.rs
@ -384,17 +384,6 @@ impl PodmanClient {
                "nsmode": net_mode
            },
        });
-        // seccomp=unconfined for apps that need syscalls the default rootless
-        // profile blocks (e.g. fmcd's DHT) — libpod takes the literal "unconfined"
-        // as the profile path, mirroring `--security-opt seccomp=unconfined` (#7).
-        if manifest.app.security.seccomp_unconfined {
-            body.as_object_mut()
-                .expect("container create body is a JSON object")
-                .insert(
-                    "seccomp_profile_path".to_string(),
-                    serde_json::json!("unconfined"),
-                );
-        }
        if let Some(network) = custom_network {
            body.as_object_mut()
                .expect("container create body is a JSON object")