[lxc-devel] [PATCH] seccomp: support 32-bit arm on arm64, and 32-bit ppc on ppc64

Serge Hallyn serge.hallyn at ubuntu.com
Thu Dec 3 16:59:28 UTC 2015


Quoting Christian Brauner (christian.brauner at mailbox.org):
> On Wed, Dec 02, 2015 at 10:42:36PM +0000, Serge Hallyn wrote:
> > Generally we enforce that a [arch] seccomp section can only be used on [arch].
> > However, on amd64 we allow [i386] sections for i386 containers, and there we
> > also take [all] sections and apply them for both 32- and 64-bit.
> > 
> > Do that also for ppc64 and arm64.  This allows seccomp-protected armhf
> > containers to run on arm64.
> > 
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > ---
> >  src/lxc/seccomp.c | 24 ++++++++++++++++++++----
> >  1 file changed, 20 insertions(+), 4 deletions(-)
> > 
> > diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> > index 0208646..c5f1885 100644
> > --- a/src/lxc/seccomp.c
> > +++ b/src/lxc/seccomp.c
> > @@ -300,6 +300,20 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
> >  				default_policy_action);
> >  		if (!compat_ctx)
> >  			goto bad;
> > +	} else if (native_arch == lxc_seccomp_arch_ppc64) {
> > +		cur_rule_arch = lxc_seccomp_arch_all;
> > +		compat_arch = SCMP_ARCH_PPC;
> > +		compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
> > +				default_policy_action);
> > +		if (!compat_ctx)
> > +			goto bad;
> > +	} else if (native_arch == lxc_seccomp_arch_arm64) {
> > +		cur_rule_arch = lxc_seccomp_arch_all;
> > +		compat_arch = SCMP_ARCH_ARM;
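Review bot: the new ppc64 branch (`+	} else if (native_arch == lxc_seccomp_arch_ppc64) {` through `+		compat_arch = SCMP_ARCH_PPC;`) references SCMP_ARCH_PPC unconditionally, while the arch-mapping switch already in seccomp.c only touches that constant inside `#ifdef SCMP_ARCH_PPC` / `#endif`, so a libseccomp header that predates PPC support will fail to compile here. Guard the whole ppc64 compat branch with the same `#ifdef SCMP_ARCH_PPC`, and double-check whether the arm64 branch's `compat_arch = SCMP_ARCH_ARM;` needs a guard as well (the switch uses SCMP_ARCH_ARM without one, but SCMP_ARCH_AARCH64 is guarded).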
> 
> I get SCMP_ARCH_PPC undeclared (first use in this function) error when I try to
> compile it.

Hm, odd, I don't get that.  Newer libseccomp must always define them?

But anyway,

> Either this needs to be ifdef'd (seccomp.c:305):
> 
>         #ifdef SCMP_ARCH_PPC
>         	} else if (native_arch == lxc_seccomp_arch_ppc64) {
>         		cur_rule_arch = lxc_seccomp_arch_all;
>         		compat_arch = SCMP_ARCH_PPC;
>         		compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
>         				default_policy_action);
>         		if (!compat_ctx)
>         			goto bad;
>         #endif

That looks nicer, and we probably need the same for the SCMP_ARCH_ARM block.

> Or we need to declare SCMP_ARCH_PPC in the following block by removing the ifdef
> for SCMP_ARCH_PPC and making it a standard case (seccomp:174):
> 
> 	switch(n_arch) {
> 	case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
> 	case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
> 	case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
> #ifdef SCMP_ARCH_AARCH64
> 	case lxc_seccomp_arch_arm64: arch = SCMP_ARCH_AARCH64; break;
> #endif
> #ifdef SCMP_ARCH_PPC64LE
> 	case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
> #endif
> #ifdef SCMP_ARCH_PPC64
> 	case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
> #endif
> #ifdef SCMP_ARCH_PPC
> 	case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
> #endif
> 
> I can send a patch for this if you want.

Please do.

thanks!
