seccomp: support 32-bit arm on arm64, and 32-bit ppc on ppc64

Generally we enforce that a [arch] seccomp section can only be used on [arch]. However, on amd64 we allow [i386] sections for i386 containers, and there we also take [all] sections and apply them for both 32- and 64-bit. Do that also for ppc64 and arm64. This allows seccomp-protected armhf containers to run on arm64. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

seccomp: support 32-bit arm on arm64, and 32-bit ppc on ppc64
7635139a · Serge Hallyn · Stéphane Graber · 480c876b · 7635139a
Commit 7635139a authored Dec 02, 2015 by Serge Hallyn Committed by Stéphane Graber Dec 03, 2015
Show whitespace changes
Inline Side-by-side

Showing with 19 additions and 3 deletions

seccomp.c src/lxc/seccomp.c +19 -3

No files found.
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -300,6 +300,20 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 				default_policy_action);
 		if (!compat_ctx)
 			goto bad;
+	} else if (native_arch == lxc_seccomp_arch_ppc64) {
+		cur_rule_arch = lxc_seccomp_arch_all;
+		compat_arch = SCMP_ARCH_PPC;
+		compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
+				default_policy_action);
+		if (!compat_ctx)
+			goto bad;
+	} else if (native_arch == lxc_seccomp_arch_arm64) {
+		cur_rule_arch = lxc_seccomp_arch_all;
+		compat_arch = SCMP_ARCH_ARM;
+		compat_ctx = get_new_ctx(lxc_seccomp_arch_arm,
+				default_policy_action);
+		if (!compat_ctx)
+			goto bad;
 	}
 	if (default_policy_action != SCMP_ACT_KILL) {
@@ -346,7 +360,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 #ifdef SCMP_ARCH_ARM
 			else if (strcmp(line, "[arm]") == 0 ||
 					strcmp(line, "[ARM]") == 0) {
-				if (native_arch != lxc_seccomp_arch_arm) {
+				if (native_arch != lxc_seccomp_arch_arm &&
+						native_arch != lxc_seccomp_arch_arm64) {
 					cur_rule_arch = lxc_seccomp_arch_unknown;
 					continue;
 				}
@@ -386,7 +401,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 #ifdef SCMP_ARCH_PPC
 			else if (strcmp(line, "[ppc]") == 0 ||
 					strcmp(line, "[PPC]") == 0) {
-				if (native_arch != lxc_seccomp_arch_ppc) {
+				if (native_arch != lxc_seccomp_arch_ppc &&
+						native_arch != lxc_seccomp_arch_ppc64) {
 					cur_rule_arch = lxc_seccomp_arch_unknown;
 					continue;
 				}
@@ -435,7 +451,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 	if (compat_ctx) {
 		INFO("Merging in the compat seccomp ctx into the main one");
 		if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) {
-			ERROR("Error merging i386 seccomp contexts");
+			ERROR("Error merging compat seccomp contexts");
 			goto bad;
 		}
 	}