[lxc-devel] [lxc/master] seccomp: only add arch if does not already exist

brauner on Github lxc-bot at linuxcontainers.org
Fri Oct 21 21:12:49 UTC 2016


From c1f95bc77c506c5daebe07ddbad13b7cf7bfd48e Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at canonical.com>
Date: Fri, 21 Oct 2016 01:20:09 +0200
Subject: [PATCH 1/2] Revert "s390x: Fix seccomp handling of personalities"

This reverts commit 2b097b7b0a2bdd64de887ff8c3582bfed60db27d.
---
 src/lxc/seccomp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 57c95b0..ccffa9f 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -378,6 +378,15 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 		if (!compat_ctx[0] || !compat_ctx[1])
 			goto bad;
 #endif
+#ifdef SCMP_ARCH_S390X
+	} else if (native_arch == lxc_seccomp_arch_s390x) {
+		cur_rule_arch = lxc_seccomp_arch_all;
+		compat_arch[0] = SCMP_ARCH_S390X;
+		compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_s390x,
+				default_policy_action);
+		if (!compat_ctx[0])
+			goto bad;
+#endif
 	}
 
 	if (default_policy_action != SCMP_ACT_KILL) {
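Review bot: The revert message gives no reason for restoring the s390x branch, and the reader has to look at patch 2/2 to see that the branch only works once get_new_ctx() tolerates an architecture that is already in the filter; one sentence in the commit message such as `The s390x special-case is restored because get_new_ctx() now handles an already-present arch (see the following commit)` would make the pair self-explanatory. The restored branch sets only compat_arch[0]/compat_ctx[0], unlike the preceding branch that validates both compat_ctx[0] and compat_ctx[1]; that is presumably fine if compat_ctx[1] is initialised to NULL earlier in parse_config_v2, which is outside this hunk. The enclosing function starts and ends outside the hunk.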

From bb3e3f6aeb9c371893e9d2bdd56e6cb042b84794 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at canonical.com>
Date: Fri, 21 Oct 2016 01:22:42 +0200
Subject: [PATCH 2/2] seccomp: do not fail if arch is already present

Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
---
 src/lxc/seccomp.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index ccffa9f..f69e7e2 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -218,17 +218,20 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
 		seccomp_release(ctx);
 		return NULL;
 	}
-	ret = seccomp_arch_add(ctx, arch);
-	if (ret != 0) {
-		ERROR("Seccomp error %d (%s) adding arch: %d", ret,
-		      strerror(-ret), (int)n_arch);
-		seccomp_release(ctx);
-		return NULL;
-	}
-	if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) {
-		ERROR("Seccomp error removing native arch");
-		seccomp_release(ctx);
-		return NULL;
+
+	if (seccomp_arch_exist(ctx, arch) == -EEXIST) {
+		ret = seccomp_arch_add(ctx, arch);
+		if (ret != 0 && ret != -EEXIST) {
+			ERROR("Seccomp error %d (%s) adding arch: %d", ret,
+					strerror(-ret), (int)n_arch);
+			seccomp_release(ctx);
+			return NULL;
+		}
+		if (seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE) != 0) {
+			ERROR("Seccomp error removing native arch");
+			seccomp_release(ctx);
+			return NULL;
+		}
 	}
 
 	return ctx;
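Review bot: The new `seccomp_arch_exist(ctx, arch) == -EEXIST` test treats every return value other than -EEXIST as "arch already present", so a genuine failure of the lookup (libseccomp documents 0 for "exists", -EEXIST for "does not exist", and other negative values on error, e.g. an invalid arch token) silently skips both seccomp_arch_add() and the SCMP_ARCH_NATIVE removal and returns a filter whose architecture set is not what the caller asked for. Capture the result in `ret` and reject anything that is neither 0 nor -EEXIST, as sketched below. Since the block now only runs when the arch is known to be absent, the inner `ret != -EEXIST` tolerance on seccomp_arch_add() is redundant and hides the counter-intuitive libseccomp convention; a comment such as `/* -EEXIST from seccomp_arch_exist() means the arch is NOT yet in the filter */` above the branch would help the next reader. get_new_ctx() begins before this hunk; the context line `return ctx;` is the end of its body.
```c
	ret = seccomp_arch_exist(ctx, arch);
	if (ret == -EEXIST) {
		/* … unchanged: seccomp_arch_add(), then remove SCMP_ARCH_NATIVE … */
	} else if (ret != 0) {
		ERROR("Seccomp error %d (%s) checking arch: %d", ret,
		      strerror(-ret), (int)n_arch);
		seccomp_release(ctx);
		return NULL;
	}
```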

