seccomp: handle inverted arch

lxc uses uname to check the kernel version. Seccomp respects userspace. In the case of 32-bit userspace on 64-bit kernel, this was a bad combination. When we run into that case, make sure that the compat seccomp context is 32-bit, and the lxc->seccomp_ctx is the 64-bit. Closes #654 Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

seccomp: handle inverted arch
473ebc77 · Serge Hallyn · 2681c0e7 · 473ebc77
Commit 473ebc77 authored Nov 12, 2015 by Serge Hallyn
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 4 deletions

seccomp.c src/lxc/seccomp.c +13 -4

No files found.
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -296,10 +296,19 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 	if (native_arch == lxc_seccomp_arch_amd64) {
 		cur_rule_arch = lxc_seccomp_arch_all;
 		compat_arch = SCMP_ARCH_X86;
-		compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
+		// Detect if we are on x86_64 kernel with 32-bit userspace
-				default_policy_action);
+		if (seccomp_arch_exist(conf->seccomp_ctx, SCMP_ARCH_X86)) {
-		if (!compat_ctx)
+			compat_ctx = conf->seccomp_ctx;
-			goto bad;
+			conf->seccomp_ctx = get_new_ctx(lxc_seccomp_arch_amd64,
+					default_policy_action);
+			if (!conf->seccomp_ctx)
+				goto bad;
+		} else {
+			compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
+					default_policy_action);
+			if (!compat_ctx)
+				goto bad;
+		}
 	}
 	if (default_policy_action != SCMP_ACT_KILL) {