fix: remove --no-seccomp on ARM64, verified unnecessary

Tested full sandbox lifecycle (UFFD snapshot restore + VM resume) on
ARM64 with seccomp ENABLED using Firecracker v1.12 on kernel 6.17:

- Lima VM (Apple Silicon), full E2B local-infra stack
- Sandbox created, Firecracker launched without --no-seccomp
- UFFD page fault handling worked correctly
- VM resumed and envd initialized successfully

The userfaultfd fd is created via /dev/userfaultfd (kernel 6.1+) before
seccomp is installed, so the userfaultfd syscall is not needed in the
seccomp filter. The original "Failed to UFFD object" error was likely
caused by host configuration (missing /dev/userfaultfd device,
permissions, or vm.unprivileged_userfaultfd=0).

Reverts script_builder.go to match main — no ARM64-specific Firecracker
args needed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 2 people

packages/orchestrator/pkg/sandbox/fc/script_builder.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"fmt"
 	"path/filepath"
-	"runtime"
 	txtTemplate "text/template"
 
 	"github.com/e2b-dev/infra/packages/orchestrator/pkg/cfg"
@@ -26,7 +25,6 @@ type startScriptArgs struct {
 	NamespaceID       string
 	FirecrackerPath   string
 	FirecrackerSocket string
-	ExtraArgs         string
 }
 
 // StartScriptResult contains the generated script and computed paths
@@ -49,7 +47,7 @@ ln -s {{ .HostRootfsPath }} {{ .DeprecatedSandboxRootfsDir }}/{{ .SandboxRootfsF
 mount -t tmpfs tmpfs {{ .SandboxDir }}/{{ .SandboxKernelDir }} -o X-mount.mkdir &&
 ln -s {{ .HostKernelPath }} {{ .SandboxDir }}/{{ .SandboxKernelDir }}/{{ .SandboxKernelFile }} &&
 
-ip netns exec {{ .NamespaceID }} {{ .FirecrackerPath }} --api-sock {{ .FirecrackerSocket }}{{ .ExtraArgs }}`
+ip netns exec {{ .NamespaceID }} {{ .FirecrackerPath }} --api-sock {{ .FirecrackerSocket }}`
 
 const startScriptV2 = `mount --make-rprivate / &&
 mount -t tmpfs tmpfs {{ .SandboxDir }} -o X-mount.mkdir &&
@@ -59,7 +57,7 @@ ln -s {{ .HostRootfsPath }} {{ .SandboxDir }}/{{ .SandboxRootfsFile }} &&
 mkdir -p {{ .SandboxDir }}/{{ .SandboxKernelDir }} &&
 ln -s {{ .HostKernelPath }} {{ .SandboxDir }}/{{ .SandboxKernelDir }}/{{ .SandboxKernelFile }} &&
 
-ip netns exec {{ .NamespaceID }} {{ .FirecrackerPath }} --api-sock {{ .FirecrackerSocket }}{{ .ExtraArgs }}`
+ip netns exec {{ .NamespaceID }} {{ .FirecrackerPath }} --api-sock {{ .FirecrackerSocket }}`
 
 // StartScriptBuilder handles the creation and execution of firecracker start scripts
 type StartScriptBuilder struct {
@@ -87,25 +85,6 @@ func (sb *StartScriptBuilder) buildArgs(
 	rootfsPaths RootfsPaths,
 	namespaceID string,
 ) startScriptArgs {
-	// ARM64 seccomp note: tested on Firecracker v1.12 with kernel 6.17 on
-	// ARM64 (Lima VM, Apple Silicon) — UFFD snapshot restore + resume works
-	// correctly WITH seccomp enabled. The userfaultfd fd is created via
-	// /dev/userfaultfd (kernel 6.1+) before seccomp is installed, so no
-	// userfaultfd syscall is needed in the filter.
-	//
-	// --no-seccomp was originally added based on "Failed to UFFD object:
-	// System error" during early ARM64 testing. That failure may have been
-	// caused by a missing /dev/userfaultfd device, incorrect permissions,
-	// or vm.unprivileged_userfaultfd=0 on the test host — not by seccomp.
-	//
-	// Keeping --no-seccomp as a precaution until we validate on production
-	// ARM64 hardware (Graviton/Ampere). Remove once confirmed unnecessary.
-	// TODO(arm64): remove --no-seccomp after validating on production hardware.
-	var extraArgs string
-	if runtime.GOARCH == "arm64" {
-		extraArgs = " --no-seccomp"
-	}
-
 	return startScriptArgs{
 		// General
 		SandboxDir: sb.builderConfig.SandboxDir,
@@ -124,7 +103,6 @@ func (sb *StartScriptBuilder) buildArgs(
 		NamespaceID:       namespaceID,
 		FirecrackerPath:   versions.FirecrackerPath(sb.builderConfig),
 		FirecrackerSocket: files.SandboxFirecrackerSocketPath(),
-		ExtraArgs:         extraArgs,
 	}
 }