Skip to content

L
lxc
Commit c5bce6ee by Serge Hallyn Committed by GitHub
Options

Merge pull request #1428 from kilobyte/master

fix seccomp blocking x32 guests on amd64 (userspace) hosts
parents 1f14c2ea 11de80d6
Showing with 14 additions and 1 deletion
src/lxc/seccomp.c
...@@ -119,6 +119,7 @@ enum lxc_hostarch_t { ...@@ -119,6 +119,7 @@ enum lxc_hostarch_t {
lxc_seccomp_arch_all = 0, lxc_seccomp_arch_all = 0,
lxc_seccomp_arch_native, lxc_seccomp_arch_native,
lxc_seccomp_arch_i386, lxc_seccomp_arch_i386,
lxc_seccomp_arch_x32,
lxc_seccomp_arch_amd64, lxc_seccomp_arch_amd64,
lxc_seccomp_arch_arm, lxc_seccomp_arch_arm,
lxc_seccomp_arch_arm64, lxc_seccomp_arch_arm64,
...@@ -152,6 +153,7 @@ int get_hostarch(void) ...@@ -152,6 +153,7 @@ int get_hostarch(void)
} }
if (strcmp(uts.machine, "i686") == 0) if (strcmp(uts.machine, "i686") == 0)
return lxc_seccomp_arch_i386; return lxc_seccomp_arch_i386;
// no x32 kernels
else if (strcmp(uts.machine, "x86_64") == 0) else if (strcmp(uts.machine, "x86_64") == 0)
return lxc_seccomp_arch_amd64; return lxc_seccomp_arch_amd64;
else if (strncmp(uts.machine, "armv7", 5) == 0) else if (strncmp(uts.machine, "armv7", 5) == 0)
...@@ -181,6 +183,7 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_ ...@@ -181,6 +183,7 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
switch(n_arch) { switch(n_arch) {
case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break; case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
case lxc_seccomp_arch_x32: arch = SCMP_ARCH_X32; break;
case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break; case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break; case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
#ifdef SCMP_ARCH_AARCH64 #ifdef SCMP_ARCH_AARCH64
...@@ -336,7 +339,10 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf) ...@@ -336,7 +339,10 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
compat_arch[0] = SCMP_ARCH_X86; compat_arch[0] = SCMP_ARCH_X86;
compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_i386, compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_i386,
default_policy_action); default_policy_action);
if (!compat_ctx[0]) compat_arch[1] = SCMP_ARCH_X32;
compat_ctx[1] = get_new_ctx(lxc_seccomp_arch_x32,
default_policy_action);
if (!compat_ctx[0] || !compat_ctx[1])
goto bad; goto bad;
#ifdef SCMP_ARCH_PPC #ifdef SCMP_ARCH_PPC
} else if (native_arch == lxc_seccomp_arch_ppc64) { } else if (native_arch == lxc_seccomp_arch_ppc64) {
...@@ -410,6 +416,13 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf) ...@@ -410,6 +416,13 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
continue; continue;
} }
cur_rule_arch = lxc_seccomp_arch_i386; cur_rule_arch = lxc_seccomp_arch_i386;
} else if (strcmp(line, "[x32]") == 0 ||
strcmp(line, "[X32]") == 0) {
if (native_arch != lxc_seccomp_arch_amd64) {
cur_rule_arch = lxc_seccomp_arch_unknown;
continue;
}
cur_rule_arch = lxc_seccomp_arch_x32;
} else if (strcmp(line, "[X86_64]") == 0 || } else if (strcmp(line, "[X86_64]") == 0 ||
strcmp(line, "[x86_64]") == 0) { strcmp(line, "[x86_64]") == 0) {
if (native_arch != lxc_seccomp_arch_amd64) { if (native_arch != lxc_seccomp_arch_amd64) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment