From b86b5cf8abed747f0d320da1be321574ff970b2c Mon Sep 17 00:00:00 2001
From: Privacy Sandbox Team <noreply@google.com>
Date: Fri, 28 Jul 2023 15:23:09 +0000
Subject: [PATCH] Release 0.38.0 (2023-07-28)

### Features

* Add cbuild flag --seccomp-unconfined

Bug: N/A
Change-Id: Ib33544752515c8cad1e2a5d09f8aee224c9e490a
GitOrigin-RevId: dd4001f0aacba67bbf31f54491d1a3971c39461e
---
 CHANGELOG.md |  7 +++++++
 tools/cbuild | 10 ++++++++++
 version.txt  |  2 +-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e9dc9e3..eceeaf1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
 
+## 0.38.0 (2023-07-28)
+
+
+### Features
+
+* Add cbuild flag --seccomp-unconfined
+
 ## 0.37.0 (2023-07-27)
 
 
diff --git a/tools/cbuild b/tools/cbuild
index c9afe42..aadf30b 100755
--- a/tools/cbuild
+++ b/tools/cbuild
@@ -48,6 +48,7 @@ USAGE
     --without-shared-cache     Containers will not mount ${HOME}/.cache/bazel
     --without-embedded-docker  Disable docker client within container
     --docker-network <value>   Specify docker network type or name, value passed to docker run --network
+    --seccomp-unconfined       Run docker container without a seccomp profile
     --verbose                  Enable verbose output
 
 Environment variables (all optional):
@@ -67,6 +68,7 @@ USAGE
 WITH_SHARED_CACHE=1
 WITH_DOCKER_SOCK=1
 DOCKER_NETWORK=bridge
+DOCKER_SECCOMP_UNCONFINED=0
 
 while [[ $# -gt 0 ]]; do
   case "$1" in
@@ -94,6 +96,10 @@ while [[ $# -gt 0 ]]; do
       DOCKER_NETWORK="$2"
       shift 2 || usage
       ;;
+    --seccomp-unconfined)
+      DOCKER_SECCOMP_UNCONFINED=1
+      shift
+      ;;
     --verbose)
       VERBOSE=1
       shift
@@ -145,6 +151,10 @@ DOCKER_RUN_ARGS+=(
   "$(echo "${EXTRA_DOCKER_RUN_ARGS}" | envsubst)"
 )
 
+if [[ ${DOCKER_SECCOMP_UNCONFINED} -eq 1 ]]; then
+  DOCKER_RUN_ARGS+=("--security-opt=seccomp=unconfined")
+fi
+
 # inside the docker build images, /bazel_root is the bazel cache dir, per the system-wide bazelrc
 readonly BAZEL_ROOT=/bazel_root
 if [[ ${WITH_SHARED_CACHE} -eq 0 ]]; then
diff --git a/version.txt b/version.txt
index e095beb..095a108 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-0.37.0
\ No newline at end of file
+0.38.0
\ No newline at end of file