On Wed, Dec 02, 2015 at 10:42:36PM +0000, Serge Hallyn wrote:
> Generally we enforce that a [arch] seccomp section can only be used on [arch].
> However, on amd64 we allow [i386] sections for i386 containers, and there we
> also take [all] sections and apply them for both 32- and 64-bit.
> 
> Do that also for ppc64 and arm64.  This allows seccomp-protected armhf
> containers to run on arm64.
> 
> Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
> ---
>  src/lxc/seccomp.c | 24 ++++++++++++++++++++----
>  1 file changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> index 0208646..c5f1885 100644
> --- a/src/lxc/seccomp.c
> +++ b/src/lxc/seccomp.c
> @@ -300,6 +300,20 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>                               default_policy_action);
>               if (!compat_ctx)
>                       goto bad;
> +     } else if (native_arch == lxc_seccomp_arch_ppc64) {
> +             cur_rule_arch = lxc_seccomp_arch_all;
> +             compat_arch = SCMP_ARCH_PPC;
> +             compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
> +                             default_policy_action);
> +             if (!compat_ctx)
> +                     goto bad;
> +     } else if (native_arch == lxc_seccomp_arch_arm64) {
> +             cur_rule_arch = lxc_seccomp_arch_all;
> +             compat_arch = SCMP_ARCH_ARM;

I get an `SCMP_ARCH_PPC undeclared (first use in this function)` error when I try to
compile it.
Either this needs to be ifdef'd (seccomp.c:305):

        #ifdef SCMP_ARCH_PPC
                } else if (native_arch == lxc_seccomp_arch_ppc64) {
                        cur_rule_arch = lxc_seccomp_arch_all;
                        compat_arch = SCMP_ARCH_PPC;
                        compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
                                        default_policy_action);
                        if (!compat_ctx)
                                goto bad;
        #endif

Or we need to declare SCMP_ARCH_PPC in the following block by removing the ifdef
for SCMP_ARCH_PPC and make it a standard case (seccomp:174):

        switch(n_arch) {
        case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
        case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
        case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
#ifdef SCMP_ARCH_AARCH64
        case lxc_seccomp_arch_arm64: arch = SCMP_ARCH_AARCH64; break;
#endif
#ifdef SCMP_ARCH_PPC64LE
        case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
#endif
#ifdef SCMP_ARCH_PPC64
        case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
#endif
#ifdef SCMP_ARCH_PPC
        case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
#endif

I can send a patch for this if you want.

> +             compat_ctx = get_new_ctx(lxc_seccomp_arch_arm,
> +                             default_policy_action);
> +             if (!compat_ctx)
> +                     goto bad;
>       }
>  
>       if (default_policy_action != SCMP_ACT_KILL) {
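Review bot: The new arm64 branch (`} else if (native_arch == lxc_seccomp_arch_arm64) {` … `compat_arch = SCMP_ARCH_ARM;`) uses `SCMP_ARCH_ARM` unconditionally, while the `[arm]` section parser later in this same function is wrapped in `#ifdef SCMP_ARCH_ARM` and the arm64 case of the arch switch is under `#ifdef SCMP_ARCH_AARCH64`, so on a libseccomp built without ARM support this branch will not compile. Wrapping the arm64 branch in `#ifdef SCMP_ARCH_ARM` / `#endif` keeps the creation of the 32-bit compat context and the `[arm]` parser guarded by the same condition, so one cannot exist without the other. When the guard compiles the branch out, an armhf container on such a host gets no 32-bit context at all; whether its 32-bit syscalls are then killed or fall through depends on libseccomp's bad-architecture action, which is not visible here, so a short comment at the guard stating the expected outcome would help the next reader. parse_config_v2 starts before this hunk and continues after it.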
> @@ -327,7 +341,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>                       if (strcmp(line, "[x86]") == 0 ||
>                                       strcmp(line, "[X86]") == 0) {
>                               if (native_arch != lxc_seccomp_arch_i386 &&
> -                                     native_arch != lxc_seccomp_arch_amd64) {
> +                                             native_arch != 
> lxc_seccomp_arch_amd64) {
>                                       cur_rule_arch = 
> lxc_seccomp_arch_unknown;
>                                       continue;
>                               }
> @@ -346,7 +360,8 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>  #ifdef SCMP_ARCH_ARM
>                       else if (strcmp(line, "[arm]") == 0 ||
>                                       strcmp(line, "[ARM]") == 0) {
> -                             if (native_arch != lxc_seccomp_arch_arm) {
> +                             if (native_arch != lxc_seccomp_arch_arm &&
> +                                             native_arch != 
> lxc_seccomp_arch_arm64) {
>                                       cur_rule_arch = 
> lxc_seccomp_arch_unknown;
>                                       continue;
>                               }
> @@ -386,7 +401,8 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>  #ifdef SCMP_ARCH_PPC
>                       else if (strcmp(line, "[ppc]") == 0 ||
>                                       strcmp(line, "[PPC]") == 0) {
> -                             if (native_arch != lxc_seccomp_arch_ppc) {
> +                             if (native_arch != lxc_seccomp_arch_ppc &&
> +                                             native_arch != 
> lxc_seccomp_arch_ppc64) {
>                                       cur_rule_arch = 
> lxc_seccomp_arch_unknown;
>                                       continue;
>                               }
> @@ -435,7 +451,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>       if (compat_ctx) {
>               INFO("Merging in the compat seccomp ctx into the main one");
>               if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) {
> -                     ERROR("Error merging i386 seccomp contexts");
> +                     ERROR("Error merging compat seccomp contexts");
>                       goto bad;
>               }
>       }
> -- 
> 2.5.0
> 


