Generally we enforce that a [arch] seccomp section can only be used on [arch]. However, on amd64 we allow [i386] sections for i386 containers, and there we also take [all] sections and apply them for both 32- and 64-bit.
Do that also for ppc64 and arm64. This allows seccomp-protected armhf containers to run on arm64.
Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
---
 src/lxc/seccomp.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 0208646..c5f1885 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -300,6 +300,20 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 default_policy_action);
 if (!compat_ctx)
 goto bad;
+ } else if (native_arch == lxc_seccomp_arch_ppc64) {
+ cur_rule_arch = lxc_seccomp_arch_all;
+ compat_arch = SCMP_ARCH_PPC;
+ compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
+ default_policy_action);
+ if (!compat_ctx)
+ goto bad;
+ } else if (native_arch == lxc_seccomp_arch_arm64) {
+ cur_rule_arch = lxc_seccomp_arch_all;
+ compat_arch = SCMP_ARCH_ARM;
+ compat_ctx = get_new_ctx(lxc_seccomp_arch_arm,
+ default_policy_action);
+ if (!compat_ctx)
+ goto bad;
 }
 
 if (default_policy_action != SCMP_ACT_KILL) {
@@ -327,7 +341,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 if (strcmp(line, "[x86]") == 0 ||
 strcmp(line, "[X86]") == 0) {
 if (native_arch != lxc_seccomp_arch_i386 &&
- native_arch != lxc_seccomp_arch_amd64) {
+ native_arch != lxc_seccomp_arch_amd64) {
 cur_rule_arch = lxc_seccomp_arch_unknown;
 continue;
 }
@@ -346,7 +360,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 #ifdef SCMP_ARCH_ARM
 else if (strcmp(line, "[arm]") == 0 ||
 strcmp(line, "[ARM]") == 0) {
- if (native_arch != lxc_seccomp_arch_arm) {
+ if (native_arch != lxc_seccomp_arch_arm &&
+ native_arch != lxc_seccomp_arch_arm64) {
 cur_rule_arch = lxc_seccomp_arch_unknown;
 continue;
 }
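Review bot: The two new branches reference SCMP_ARCH_PPC and SCMP_ARCH_ARM unconditionally, while the later hunks keep the `[arm]` and `[ppc]` section parsers under `#ifdef SCMP_ARCH_ARM` / `#ifdef SCMP_ARCH_PPC`, so a libseccomp that lacks either macro stops compiling at this spot. Gating each branch the same way keeps the if/else chain valid, because the brace that closes the amd64 branch is supplied by whichever `} else if` or final `}` survives preprocessing. The amd64 branch this code extends and the lxc_seccomp_arch_ppc64/arm64 enumerators start before the hunk, so any guard already around them is not visible here. Worth stating in the commit message as well: the compat context is seeded with default_policy_action, so with an allow-by-default policy 32-bit syscalls on these hosts are now admitted by the filter where previously, presumably, libseccomp's bad-architecture action applied.
```c
	/* … unchanged: amd64/i386 compat branch … */
			goto bad;
#ifdef SCMP_ARCH_PPC
	} else if (native_arch == lxc_seccomp_arch_ppc64) {
		/* … unchanged: ppc compat context setup … */
#endif
#ifdef SCMP_ARCH_ARM
	} else if (native_arch == lxc_seccomp_arch_arm64) {
		/* … unchanged: arm compat context setup … */
#endif
	}
```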
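Review bot: Accepting an `[arm]` section on arm64 is only meaningful if the rules that follow are routed to the ARM compat context rather than the native one, and that routing (driven by cur_rule_arch) happens outside this hunk; it presumably mirrors how `[x86]` rules reach the i386 context on amd64 and should be confirmed for the arm case. A comment on the relaxed condition would make the intent explicit: `/* on arm64 an [arm] section fills the 32-bit compat context, like [x86] on amd64 */`. Policy authors should also know that a denial written only in an arm64-specific section does not apply to 32-bit callers once the compat architecture is part of the merged filter, so security-relevant rules belong in `[all]` or must be repeated under `[arm]`. The enclosing section-parsing loop starts and ends outside the hunk.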
@@ -386,7 +401,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 #ifdef SCMP_ARCH_PPC
 else if (strcmp(line, "[ppc]") == 0 ||
 strcmp(line, "[PPC]") == 0) {
- if (native_arch != lxc_seccomp_arch_ppc) {
+ if (native_arch != lxc_seccomp_arch_ppc &&
+ native_arch != lxc_seccomp_arch_ppc64) {
 cur_rule_arch = lxc_seccomp_arch_unknown;
 continue;
 }
@@ -435,7 +451,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 if (compat_ctx) {
 INFO("Merging in the compat seccomp ctx into the main one");
 if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) {
- ERROR("Error merging i386 seccomp contexts");
+ ERROR("Error merging compat seccomp contexts");
 goto bad;
 }
 }
-- 
2.5.0
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
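Review bot: The relaxed `[ppc]` check, like the SCMP_ARCH_PPC compat context created earlier in the patch, assumes that a host classified as lxc_seccomp_arch_ppc64 can run 32-bit PowerPC code, but how ppc64le hosts are classified is not visible here. As far as I know ppc64le kernels offer no 32-bit compat ABI and libseccomp has no little-endian 32-bit PowerPC architecture, so if ppc64le maps to the same enumerator the `[ppc]` rules and the compat context are dead weight there and the condition should exclude it. At minimum the assumption deserves a comment on the new line: `/* ppc64 here means big-endian; ppc64le has no 32-bit compat ABI */`. The enclosing parse loop continues outside the hunk.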