Re: [lxc-devel] [PATCH] seccomp: support 32-bit arm on arm64, and 32-bit ppc on ppc64

2015-12-03 Thread Christian Brauner
On Wed, Dec 02, 2015 at 10:42:36PM +, Serge Hallyn wrote:
> Generally we enforce that a [arch] seccomp section can only be used on [arch].
> However, on amd64 we allow [i386] sections for i386 containers, and there we
> also take [all] sections and apply them for both 32- and 64-bit.
> 
> Do that also for ppc64 and arm64.  This allows seccomp-protected armhf
> containers to run on arm64.
> 
> Signed-off-by: Serge Hallyn 
> ---
>  src/lxc/seccomp.c | 24 
>  1 file changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> index 0208646..c5f1885 100644
> --- a/src/lxc/seccomp.c
> +++ b/src/lxc/seccomp.c
> @@ -300,6 +300,20 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>   default_policy_action);
>   if (!compat_ctx)
>   goto bad;
> + } else if (native_arch == lxc_seccomp_arch_ppc64) {
> + cur_rule_arch = lxc_seccomp_arch_all;
> + compat_arch = SCMP_ARCH_PPC;
> + compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
> + default_policy_action);
> + if (!compat_ctx)
> + goto bad;
> + } else if (native_arch == lxc_seccomp_arch_arm64) {
> + cur_rule_arch = lxc_seccomp_arch_all;
> + compat_arch = SCMP_ARCH_ARM;

I get SCMP_ARCH_PPC undeclared (first use in this function) error when I try to
compile it.
Either this needs to be ifdef'd (seccomp.c:305):

#ifdef SCMP_ARCH_PPC
} else if (native_arch == lxc_seccomp_arch_ppc64) {
cur_rule_arch = lxc_seccomp_arch_all;
compat_arch = SCMP_ARCH_PPC;
compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
default_policy_action);
if (!compat_ctx)
goto bad;
#endif

Or we need to declare SCMP_ARCH_PPC in the following block by removing the ifdef
for SCMP_ARCH_PPC and making it a standard case (seccomp:174):

switch(n_arch) {
case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
#ifdef SCMP_ARCH_AARCH64
case lxc_seccomp_arch_arm64: arch = SCMP_ARCH_AARCH64; break;
#endif
#ifdef SCMP_ARCH_PPC64LE
case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
#endif
#ifdef SCMP_ARCH_PPC64
case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
#endif
#ifdef SCMP_ARCH_PPC
case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
#endif

I can send a patch for this if you want.

> + compat_ctx = get_new_ctx(lxc_seccomp_arch_arm,
> + default_policy_action);
> + if (!compat_ctx)
> + goto bad;
>   }
>  
>   if (default_policy_action != SCMP_ACT_KILL) {
> @@ -327,7 +341,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>   if (strcmp(line, "[x86]") == 0 ||
>   strcmp(line, "[X86]") == 0) {
>   if (native_arch != lxc_seccomp_arch_i386 &&
> - native_arch != lxc_seccomp_arch_amd64) {
> + native_arch != 
> lxc_seccomp_arch_amd64) {
>   cur_rule_arch = 
> lxc_seccomp_arch_unknown;
>   continue;
>   }
> @@ -346,7 +360,8 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>  #ifdef SCMP_ARCH_ARM
>   else if (strcmp(line, "[arm]") == 0 ||
>   strcmp(line, "[ARM]") == 0) {
> - if (native_arch != lxc_seccomp_arch_arm) {
> + if (native_arch != lxc_seccomp_arch_arm &&
> + native_arch != 
> lxc_seccomp_arch_arm64) {
>   cur_rule_arch = 
> lxc_seccomp_arch_unknown;
>   continue;
>   }
> @@ -386,7 +401,8 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>  #ifdef SCMP_ARCH_PPC
>   else if (strcmp(line, "[ppc]") == 0 ||
>   strcmp(line, "[PPC]") == 0) {
> - if (native_arch != lxc_seccomp_arch_ppc) {
> + if (native_arch != lxc_seccomp_arch_ppc &&
> + native_arch != 
> lxc_seccomp_arch_ppc64) {
>   cur_rule_arch = 
> lxc_seccomp_arch_unknown;
> 

Re: [lxc-devel] [PATCH] seccomp: support 32-bit arm on arm64, and 32-bit ppc on ppc64

2015-12-03 Thread Serge Hallyn
Quoting Christian Brauner (christian.brau...@mailbox.org):
> On Wed, Dec 02, 2015 at 10:42:36PM +, Serge Hallyn wrote:
> > Generally we enforce that a [arch] seccomp section can only be used on 
> > [arch].
> > However, on amd64 we allow [i386] sections for i386 containers, and there we
> > also take [all] sections and apply them for both 32- and 64-bit.
> > 
> > Do that also for ppc64 and arm64.  This allows seccomp-protected armhf
> > containers to run on arm64.
> > 
> > Signed-off-by: Serge Hallyn 
> > ---
> >  src/lxc/seccomp.c | 24 
> >  1 file changed, 20 insertions(+), 4 deletions(-)
> > 
> > diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> > index 0208646..c5f1885 100644
> > --- a/src/lxc/seccomp.c
> > +++ b/src/lxc/seccomp.c
> > @@ -300,6 +300,20 @@ static int parse_config_v2(FILE *f, char *line, struct 
> > lxc_conf *conf)
> > default_policy_action);
> > if (!compat_ctx)
> > goto bad;
> > +   } else if (native_arch == lxc_seccomp_arch_ppc64) {
> > +   cur_rule_arch = lxc_seccomp_arch_all;
> > +   compat_arch = SCMP_ARCH_PPC;
> > +   compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
> > +   default_policy_action);
> > +   if (!compat_ctx)
> > +   goto bad;
> > +   } else if (native_arch == lxc_seccomp_arch_arm64) {
> > +   cur_rule_arch = lxc_seccomp_arch_all;
> > +   compat_arch = SCMP_ARCH_ARM;
> 
> I get SCMP_ARCH_PPC undeclared (first use in this function) error when I try 
> to
> compile it.

Hm, odd, I don't get that.  Newer libseccomp must always define them?

But anyway,

> Either this needs to be ifdef'd (seccomp.c:305):
> 
> #ifdef SCMP_ARCH_PPC
>   } else if (native_arch == lxc_seccomp_arch_ppc64) {
>   cur_rule_arch = lxc_seccomp_arch_all;
>   compat_arch = SCMP_ARCH_PPC;
>   compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
>   default_policy_action);
>   if (!compat_ctx)
>   goto bad;
> #endif

That looks nicer, and probably need the same for the SCMP_ARCH_ARM block.

> Or we need to declare SCMP_ARCH_PPC in the following block by removing the 
> ifdef
> for SCMP_ARCH_PPC and make it a standard case (seccomp:174):
> 
>   switch(n_arch) {
>   case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
>   case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
>   case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
> #ifdef SCMP_ARCH_AARCH64
>   case lxc_seccomp_arch_arm64: arch = SCMP_ARCH_AARCH64; break;
> #endif
> #ifdef SCMP_ARCH_PPC64LE
>   case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
> #endif
> #ifdef SCMP_ARCH_PPC64
>   case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
> #endif
> #ifdef SCMP_ARCH_PPC
>   case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
> #endif
> 
> I can send a patch for this if you want.

Please do.

thanks!


[lxc-devel] [PATCH] seccomp: support 32-bit arm on arm64, and 32-bit ppc on ppc64

2015-12-02 Thread Serge Hallyn
Generally we enforce that a [arch] seccomp section can only be used on [arch].
However, on amd64 we allow [i386] sections for i386 containers, and there we
also take [all] sections and apply them for both 32- and 64-bit.

Do that also for ppc64 and arm64.  This allows seccomp-protected armhf
containers to run on arm64.

Signed-off-by: Serge Hallyn 
---
 src/lxc/seccomp.c | 24 
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 0208646..c5f1885 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -300,6 +300,20 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
default_policy_action);
if (!compat_ctx)
goto bad;
+   } else if (native_arch == lxc_seccomp_arch_ppc64) {
+   cur_rule_arch = lxc_seccomp_arch_all;
+   compat_arch = SCMP_ARCH_PPC;
+   compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
+   default_policy_action);
+   if (!compat_ctx)
+   goto bad;
+   } else if (native_arch == lxc_seccomp_arch_arm64) {
+   cur_rule_arch = lxc_seccomp_arch_all;
+   compat_arch = SCMP_ARCH_ARM;
+   compat_ctx = get_new_ctx(lxc_seccomp_arch_arm,
+   default_policy_action);
+   if (!compat_ctx)
+   goto bad;
}
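Review bot: The new ppc64 and arm64 branches do not record what a 32-bit process gets when the policy has no matching 32-bit section; from the guards later in this patch it looks like the compat context receives only default_policy_action plus the [all] rules in that case, but that routing is outside this hunk, so a comment at the head of the chain such as `/* 64-bit hosts also get a compat ctx for their 32-bit ABI: it takes the [all] rules and the matching 32-bit [arch] section, otherwise only default_policy_action */` would pin the intent once confirmed against the rest of parse_config_v2. As a point of style, the three branches (the i386-on-amd64 one whose head is above the hunk, and the two added here) are the same six lines with two identifiers swapped, so a fourth host/compat pair would mean a fourth copy; a small static helper that takes the compat lxc_seccomp_arch value and its SCMP_ARCH_* constant would make each branch one line and give the preprocessor guards a single home. The enclosing if/else chain starts before this hunk.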
 
if (default_policy_action != SCMP_ACT_KILL) {
@@ -327,7 +341,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
if (strcmp(line, "[x86]") == 0 ||
strcmp(line, "[X86]") == 0) {
if (native_arch != lxc_seccomp_arch_i386 &&
-   native_arch != lxc_seccomp_arch_amd64) {
+   native_arch != 
lxc_seccomp_arch_amd64) {
cur_rule_arch = 
lxc_seccomp_arch_unknown;
continue;
}
@@ -346,7 +360,8 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 #ifdef SCMP_ARCH_ARM
else if (strcmp(line, "[arm]") == 0 ||
strcmp(line, "[ARM]") == 0) {
-   if (native_arch != lxc_seccomp_arch_arm) {
+   if (native_arch != lxc_seccomp_arch_arm &&
+   native_arch != 
lxc_seccomp_arch_arm64) {
cur_rule_arch = 
lxc_seccomp_arch_unknown;
continue;
}
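Review bot: The relaxed guard lets an arm64 host accept an `[arm]` section (the `[ppc]` hunk below does the same for ppc64), but nothing in either hunk shows the rules of such a section being steered into compat_ctx rather than conf->seccomp_ctx; that decision is made further down in parse_config_v2, outside the hunk, and if it is keyed on the i386/amd64 pair specifically rather than on cur_rule_arch differing from native_arch, the 32-bit rules would land in the 64-bit context and leave compat processes under the default action alone. A one-line comment after the guard, `/* 32-bit section on its 64-bit host: rules must go to compat_ctx, see the rule-add path below */`, would make the dependency visible; I am inferring the routing, so confirm it against the code outside this hunk.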
@@ -386,7 +401,8 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 #ifdef SCMP_ARCH_PPC
else if (strcmp(line, "[ppc]") == 0 ||
strcmp(line, "[PPC]") == 0) {
-   if (native_arch != lxc_seccomp_arch_ppc) {
+   if (native_arch != lxc_seccomp_arch_ppc &&
+   native_arch != 
lxc_seccomp_arch_ppc64) {
cur_rule_arch = 
lxc_seccomp_arch_unknown;
continue;
}
@@ -435,7 +451,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
if (compat_ctx) {
INFO("Merging in the compat seccomp ctx into the main one");
if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) {
-   ERROR("Error merging i386 seccomp contexts");
+   ERROR("Error merging compat seccomp contexts");
goto bad;
}
}
-- 
2.5.0



Re: [lxc-devel] [PATCH] seccomp: support 32-bit arm on arm64, and 32-bit ppc on ppc64

2015-12-02 Thread Stéphane Graber
On Wed, Dec 02, 2015 at 10:42:36PM +, Serge Hallyn wrote:
> Generally we enforce that a [arch] seccomp section can only be used on [arch].
> However, on amd64 we allow [i386] sections for i386 containers, and there we
> also take [all] sections and apply them for both 32- and 64-bit.
> 
> Do that also for ppc64 and arm64.  This allows seccomp-protected armhf
> containers to run on arm64.
> 
> Signed-off-by: Serge Hallyn 

Acked-by: Stéphane Graber 

> ---
>  src/lxc/seccomp.c | 24 
>  1 file changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> index 0208646..c5f1885 100644
> --- a/src/lxc/seccomp.c
> +++ b/src/lxc/seccomp.c
> @@ -300,6 +300,20 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>   default_policy_action);
>   if (!compat_ctx)
>   goto bad;
> + } else if (native_arch == lxc_seccomp_arch_ppc64) {
> + cur_rule_arch = lxc_seccomp_arch_all;
> + compat_arch = SCMP_ARCH_PPC;
> + compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
> + default_policy_action);
> + if (!compat_ctx)
> + goto bad;
> + } else if (native_arch == lxc_seccomp_arch_arm64) {
> + cur_rule_arch = lxc_seccomp_arch_all;
> + compat_arch = SCMP_ARCH_ARM;
> + compat_ctx = get_new_ctx(lxc_seccomp_arch_arm,
> + default_policy_action);
> + if (!compat_ctx)
> + goto bad;
>   }
>  
>   if (default_policy_action != SCMP_ACT_KILL) {
> @@ -327,7 +341,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>   if (strcmp(line, "[x86]") == 0 ||
>   strcmp(line, "[X86]") == 0) {
>   if (native_arch != lxc_seccomp_arch_i386 &&
> - native_arch != lxc_seccomp_arch_amd64) {
> + native_arch != 
> lxc_seccomp_arch_amd64) {
>   cur_rule_arch = 
> lxc_seccomp_arch_unknown;
>   continue;
>   }
> @@ -346,7 +360,8 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>  #ifdef SCMP_ARCH_ARM
>   else if (strcmp(line, "[arm]") == 0 ||
>   strcmp(line, "[ARM]") == 0) {
> - if (native_arch != lxc_seccomp_arch_arm) {
> + if (native_arch != lxc_seccomp_arch_arm &&
> + native_arch != 
> lxc_seccomp_arch_arm64) {
>   cur_rule_arch = 
> lxc_seccomp_arch_unknown;
>   continue;
>   }
> @@ -386,7 +401,8 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>  #ifdef SCMP_ARCH_PPC
>   else if (strcmp(line, "[ppc]") == 0 ||
>   strcmp(line, "[PPC]") == 0) {
> - if (native_arch != lxc_seccomp_arch_ppc) {
> + if (native_arch != lxc_seccomp_arch_ppc &&
> + native_arch != 
> lxc_seccomp_arch_ppc64) {
>   cur_rule_arch = 
> lxc_seccomp_arch_unknown;
>   continue;
>   }
> @@ -435,7 +451,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
> lxc_conf *conf)
>   if (compat_ctx) {
>   INFO("Merging in the compat seccomp ctx into the main one");
>   if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) {
> - ERROR("Error merging i386 seccomp contexts");
> + ERROR("Error merging compat seccomp contexts");
>   goto bad;
>   }
>   }
> -- 
> 2.5.0
> 
> ___
> lxc-devel mailing list
> lxc-devel@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

