clatd: implement seccomp system call protection
but only enable it in enforcing mode on aarch64,
since that gets good test coverage via Pixel
on GoogleGuest ipv6-only wifi network
and (for example) T-Mobile US cellular.
For other architectures this will only result
in (automatically ratelimited to at most 5/s)
audit logs for any 'unusual' system calls.
Test: TreeHugger, manually on Pixel on GoogleGuest wifi
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id14c6d9db8d7b4652c7358cac101a82ef09843e0
diff --git a/clatd/clatd.h b/clatd/clatd.h
index daa5ebc..11e9687 100644
--- a/clatd/clatd.h
+++ b/clatd/clatd.h
@@ -48,7 +48,7 @@
// plus some extra just-in-case headroom, because it doesn't hurt.
#define MAXDUMPLEN (64 + MAXMTU)
-#define CLATD_VERSION "1.7"
+#define CLATD_VERSION "1.8"
#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
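Review bot: the bump of CLATD_VERSION from "1.7" to "1.8" is the only marker of this change in clatd.h, and the string is the same on every architecture, while the commit message says the filter is enforcing only on aarch64 and audit-only elsewhere. A bug report that quotes version 1.8 therefore does not say which mode the daemon was running in. Consider logging the seccomp mode next to the version at startup, or at least adding a short comment above the define noting that 1.8 is the release that introduces the seccomp filter.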