[lxc-devel] [PATCH] seccomp: support 32-bit arm on arm64, and 32-bit ppc on ppc64
Stéphane Graber
stgraber at ubuntu.com
Thu Dec 3 06:15:28 UTC 2015
On Wed, Dec 02, 2015 at 10:42:36PM +0000, Serge Hallyn wrote:
> Generally we enforce that a [arch] seccomp section can only be used on [arch].
> However, on amd64 we allow [i386] sections for i386 containers, and there we
> also take [all] sections and apply them for both 32- and 64-bit.
>
> Do that also for ppc64 and arm64. This allows seccomp-protected armhf
> containers to run on arm64.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> src/lxc/seccomp.c | 24 ++++++++++++++++++++----
> 1 file changed, 20 insertions(+), 4 deletions(-)
>
> diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> index 0208646..c5f1885 100644
> --- a/src/lxc/seccomp.c
> +++ b/src/lxc/seccomp.c
> @@ -300,6 +300,20 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
> default_policy_action);
> if (!compat_ctx)
> goto bad;
> + } else if (native_arch == lxc_seccomp_arch_ppc64) {
> + cur_rule_arch = lxc_seccomp_arch_all;
> + compat_arch = SCMP_ARCH_PPC;
> + compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
> + default_policy_action);
> + if (!compat_ctx)
> + goto bad;
> + } else if (native_arch == lxc_seccomp_arch_arm64) {
> + cur_rule_arch = lxc_seccomp_arch_all;
> + compat_arch = SCMP_ARCH_ARM;
> + compat_ctx = get_new_ctx(lxc_seccomp_arch_arm,
> + default_policy_action);
> + if (!compat_ctx)
> + goto bad;
> }
>
> if (default_policy_action != SCMP_ACT_KILL) {
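Review bot: The new ppc64 and arm64 branches use `SCMP_ARCH_PPC` and `SCMP_ARCH_ARM` unconditionally, while the `[ppc]` and `[arm]` section parsers later in this same patch are wrapped in `#ifdef SCMP_ARCH_PPC` / `#ifdef SCMP_ARCH_ARM`, which suggests this file is expected to build against a libseccomp that may lack those constants. On such a build the compat setup here would fail to compile rather than degrade gracefully. Wrap the ppc64 branch in `#ifdef SCMP_ARCH_PPC` … `#endif` and the arm64 branch in `#ifdef SCMP_ARCH_ARM` … `#endif`, matching the existing guards, so the compat path is simply absent where the constants are. The enclosing if/else chain and parse_config_v2 itself start before this hunk.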
> @@ -327,7 +341,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
> if (strcmp(line, "[x86]") == 0 ||
> strcmp(line, "[X86]") == 0) {
> if (native_arch != lxc_seccomp_arch_i386 &&
> - native_arch != lxc_seccomp_arch_amd64) {
> + native_arch != lxc_seccomp_arch_amd64) {
> cur_rule_arch = lxc_seccomp_arch_unknown;
> continue;
> }
> @@ -346,7 +360,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
> #ifdef SCMP_ARCH_ARM
> else if (strcmp(line, "[arm]") == 0 ||
> strcmp(line, "[ARM]") == 0) {
> - if (native_arch != lxc_seccomp_arch_arm) {
> + if (native_arch != lxc_seccomp_arch_arm &&
> + native_arch != lxc_seccomp_arch_arm64) {
> cur_rule_arch = lxc_seccomp_arch_unknown;
> continue;
> }
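Review bot: Accepting an `[arm]` section on an arm64 host is only as good as the code that decides which context a rule under it is added to, and that code is outside this hunk. Until this patch the sole compat case was i386-on-amd64 (the merge error message in the last hunk still said "i386"), so it is worth confirming that the rule-add path sends `cur_rule_arch == lxc_seccomp_arch_arm` to compat_ctx by comparing against compat_arch rather than against i386 specifically. If it does not, `[arm]` rules on arm64 would be silently dropped and the merged 32-bit filter would carry only the default action — every armhf syscall killed under a kill default, or entirely unfiltered under an allow default. A comment on the new condition such as `/* arm64 hosts carry a 32-bit arm compat ctx, see compat_arch setup above */` would make the dependency on the earlier hunk explicit. The enclosing else-if chain continues past this hunk.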
> @@ -386,7 +401,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
> #ifdef SCMP_ARCH_PPC
> else if (strcmp(line, "[ppc]") == 0 ||
> strcmp(line, "[PPC]") == 0) {
> - if (native_arch != lxc_seccomp_arch_ppc) {
> + if (native_arch != lxc_seccomp_arch_ppc &&
> + native_arch != lxc_seccomp_arch_ppc64) {
> cur_rule_arch = lxc_seccomp_arch_unknown;
> continue;
> }
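Review bot: The native-arch check for `[ppc]` hard-codes the same arch pairing that the compat-context setup earlier in the patch already encodes (ppc64 → SCMP_ARCH_PPC), and the `[arm]` hunk repeats the pattern, so two lists now have to be kept in sync by hand when another compat pair is added. Testing the compat selection instead keeps a single source of truth: `if (native_arch != lxc_seccomp_arch_ppc && compat_arch != SCMP_ARCH_PPC)`. This assumes compat_arch is initialised to a value that can never equal SCMP_ARCH_PPC when no compat ctx was created; its initialiser is outside the hunk and should be checked. The surrounding else-if chain starts before and ends after this hunk.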
> @@ -435,7 +451,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
> if (compat_ctx) {
> INFO("Merging in the compat seccomp ctx into the main one");
> if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) {
> - ERROR("Error merging i386 seccomp contexts");
> + ERROR("Error merging compat seccomp contexts");
> goto bad;
> }
> }
> --
> 2.5.0
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com