On Tue, 18.02.14 14:44, Dave Reisner (dreis...@archlinux.org) wrote:

> Arch Linux uses nspawn as a container for building packages and needs
> to be able to start a 32bit chroot from a 64bit host. 24fb11120756
> disrupted this feature when seccomp handling was added.

As mentioned on IRC. I have committed this and then generalized this and used it for executing services, too.

> --- > Lennart suggested this approach, and it works nicely. > > src/nspawn/nspawn.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c > index 089af07..5a2467d 100644 > --- a/src/nspawn/nspawn.c > +++ b/src/nspawn/nspawn.c > @@ -1539,6 +1539,14 @@ static int audit_still_doesnt_work_in_containers(void) > { > goto finish; > } > > +#ifdef __x86_64__ > + r = seccomp_arch_add(seccomp, SCMP_ARCH_X86); > + if (r < 0 && r != -EEXIST) { > + log_error("Failed to add x86 to seccomp filter: %s", > strerror(-r)); > + goto finish; > + } > +#endif > + > r = seccomp_load(seccomp); > if (r < 0) > log_error("Failed to install seccomp audit filter: %s", > strerror(-r));

Lennart

--
Lennart Poettering, Red Hat
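
Review bot: the `#ifdef __x86_64__` block inserted before `seccomp_load(seccomp)` has no comment saying why a second architecture is added to the filter, and it covers only `SCMP_ARCH_X86`. A one-line comment above the `#ifdef` stating that it lets a 32bit userspace started from a 64bit host pass through the same audit filter would keep the block from being dropped as dead code later. It is also worth deciding whether the x32 ABI should be handled the same way with a second `seccomp_arch_add(seccomp, SCMP_ARCH_X32)` call, or noting in that comment that x32 is intentionally left out. Ignoring `-EEXIST` in the `r < 0 && r != -EEXIST` check is right for the case where the architecture is already in the filter; the error string "Failed to add x86 to seccomp filter" could name the secondary architecture more generally if the block is extended.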