lxc/0052-Fix-seccomp-fail-when-all-specified-in-config.patch

From bbefc33a969a7cf0d4f671d96030fb044593a71a Mon Sep 17 00:00:00 2001
From: LiFeng <lifeng68@huawei.com>
Date: Mon, 21 Jan 2019 23:28:43 -0500
Subject: [PATCH 052/122] Fix seccomp fail when [all] specified in config

Signed-off-by: LiFeng <lifeng68@huawei.com>
---
 src/lxc/seccomp.c | 56 +++++++++++++++++++++++++++----------------------------
 1 file changed, 28 insertions(+), 28 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 4a9143b..3218a60 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -346,7 +346,7 @@ int get_hostarch(void)
 }
 
 scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch,
-			    uint32_t default_policy_action)
+			    uint32_t default_policy_action, uint32_t *architectures)
 {
 	int ret;
 	uint32_t arch;
@@ -464,8 +464,10 @@ scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch,
 			return NULL;
 		}
 		TRACE("Removed native arch from main seccomp context");
+		*architectures = arch;
 	} else {
 		TRACE("Arch %d already present in main seccomp context", (int)n_arch);
+		*architectures = SCMP_ARCH_NATIVE;
 	}
 
 	return ctx;
@@ -630,41 +632,36 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 	if (native_arch == lxc_seccomp_arch_amd64) {
 		cur_rule_arch = lxc_seccomp_arch_all;
 
-		ctx.architectures[0] = SCMP_ARCH_X86;
 		ctx.lxc_arch[0] = lxc_seccomp_arch_i386;
 		ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_i386,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[0]);
 		if (!ctx.contexts[0])
 			goto bad;
 
-		ctx.architectures[1] = SCMP_ARCH_X32;
 		ctx.lxc_arch[1] = lxc_seccomp_arch_x32;
 		ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_x32,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[1]);
 		if (!ctx.contexts[1])
 			goto bad;
 
-		ctx.architectures[2] = SCMP_ARCH_X86_64;
 		ctx.lxc_arch[2] = lxc_seccomp_arch_amd64;
 		ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_amd64,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[2]);
 		if (!ctx.contexts[2])
 			goto bad;
 #ifdef SCMP_ARCH_PPC
 	} else if (native_arch == lxc_seccomp_arch_ppc64) {
 		cur_rule_arch = lxc_seccomp_arch_all;
 
-		ctx.architectures[0] = SCMP_ARCH_PPC;
 		ctx.lxc_arch[0] = lxc_seccomp_arch_ppc;
 		ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_ppc,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[0]);
 		if (!ctx.contexts[0])
 			goto bad;
 
-		ctx.architectures[1] = SCMP_ARCH_PPC64;
 		ctx.lxc_arch[1] = lxc_seccomp_arch_ppc64;
 		ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_ppc64,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[1]);
 		if (!ctx.contexts[1])
 			goto bad;
 #endif
@@ -672,18 +669,16 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 	} else if (native_arch == lxc_seccomp_arch_arm64) {
 		cur_rule_arch = lxc_seccomp_arch_all;
 
-		ctx.architectures[0] = SCMP_ARCH_ARM;
 		ctx.lxc_arch[0] = lxc_seccomp_arch_arm;
 		ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[0]);
 		if (!ctx.contexts[0])
 			goto bad;
 
 #ifdef SCMP_ARCH_AARCH64
-		ctx.architectures[1] = SCMP_ARCH_AARCH64;
 		ctx.lxc_arch[1] = lxc_seccomp_arch_arm64;
 		ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_arm64,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[1]);
 		if (!ctx.contexts[1])
 			goto bad;
 #endif
@@ -692,47 +687,41 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 	} else if (native_arch == lxc_seccomp_arch_mips64) {
 		cur_rule_arch = lxc_seccomp_arch_all;
 
-		ctx.architectures[0] = SCMP_ARCH_MIPS;
 		ctx.lxc_arch[0] = lxc_seccomp_arch_mips;
 		ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mips,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[0]);
 		if (!ctx.contexts[0])
 			goto bad;
 
-		ctx.architectures[1] = SCMP_ARCH_MIPS64N32;
 		ctx.lxc_arch[1] = lxc_seccomp_arch_mips64n32;
 		ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mips64n32,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[1]);
 		if (!ctx.contexts[1])
 			goto bad;
 
-		ctx.architectures[2] = SCMP_ARCH_MIPS64;
 		ctx.lxc_arch[2] = lxc_seccomp_arch_mips64;
 		ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mips64,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[2]);
 		if (!ctx.contexts[2])
 			goto bad;
 	} else if (native_arch == lxc_seccomp_arch_mipsel64) {
 		cur_rule_arch = lxc_seccomp_arch_all;
-
-		ctx.architectures[0] = SCMP_ARCH_MIPSEL;
+;
 		ctx.lxc_arch[0] = lxc_seccomp_arch_mipsel;
 		ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[0]);
 		if (!ctx.contexts[0])
 			goto bad;
 
-		ctx.architectures[1] = SCMP_ARCH_MIPSEL64N32;
 		ctx.lxc_arch[1] = lxc_seccomp_arch_mipsel64n32;
 		ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[1]);
 		if (!ctx.contexts[1])
 			goto bad;
 
-		ctx.architectures[2] = SCMP_ARCH_MIPSEL64;
 		ctx.lxc_arch[2] = lxc_seccomp_arch_mipsel64;
 		ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mipsel64,
-					      default_policy_action);
+					      default_policy_action, &ctx.architectures[2]);
 		if (!ctx.contexts[2])
 			goto bad;
 #endif
@@ -943,6 +932,7 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 		}
 
 		if (cur_rule_arch == native_arch) {
+			/* add for native arch */
 			if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
 						 conf->seccomp_ctx, &rule))
 				goto bad_rule;
@@ -951,6 +941,7 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 			     SCMP_ARCH_NATIVE, line, rule.action,
 			     get_action_name(rule.action));
 		} else if (cur_rule_arch != lxc_seccomp_arch_all) {
+			/* add for compat specified arch */
 			int arch_index = get_arch_index(cur_rule_arch, &ctx);
 			if (arch_index < 0)
 				goto bad_arch;
@@ -964,6 +955,15 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 			     get_action_name(rule.action));
 			ctx.needs_merge[arch_index] = true;
 		} else {
+			/* add for all compat archs */
+			if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
+						 conf->seccomp_ctx, &rule))
+				goto bad_rule;
+
+			INFO("Added native rule for arch %d for %s action %d(%s)",
+			     SCMP_ARCH_NATIVE, line, rule.action,
+			     get_action_name(rule.action));
+
 			if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
 				if (!do_resolve_add_rule(ctx.architectures[0], line,
 							 ctx.contexts[0], &rule))
-- 
1.8.3.1
Package init 2019-09-30 11:03:07 -04:00			`From bbefc33a969a7cf0d4f671d96030fb044593a71a Mon Sep 17 00:00:00 2001`
			`From: LiFeng <lifeng68@huawei.com>`
			`Date: Mon, 21 Jan 2019 23:28:43 -0500`
			`Subject: [PATCH 052/122] Fix seccomp fail when [all] specified in config`

			`Signed-off-by: LiFeng <lifeng68@huawei.com>`
			`---`
			`src/lxc/seccomp.c \| 56 +++++++++++++++++++++++++++----------------------------`
			`1 file changed, 28 insertions(+), 28 deletions(-)`

			`diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c`
			`index 4a9143b..3218a60 100644`
			`--- a/src/lxc/seccomp.c`
			`+++ b/src/lxc/seccomp.c`
			`@@ -346,7 +346,7 @@ int get_hostarch(void)`
			`}`

			`scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch,`
			`- uint32_t default_policy_action)`
			`+ uint32_t default_policy_action, uint32_t *architectures)`
			`{`
			`int ret;`
			`uint32_t arch;`
			`@@ -464,8 +464,10 @@ scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch,`
			`return NULL;`
			`}`
			`TRACE("Removed native arch from main seccomp context");`
			`+ *architectures = arch;`
			`} else {`
			`TRACE("Arch %d already present in main seccomp context", (int)n_arch);`
			`+ *architectures = SCMP_ARCH_NATIVE;`
			`}`

			`return ctx;`
			`@@ -630,41 +632,36 @@ static int parse_config_v2(FILE f, char line, size_t *line_bufsz, struct lxc_c`
			`if (native_arch == lxc_seccomp_arch_amd64) {`
			`cur_rule_arch = lxc_seccomp_arch_all;`

			`- ctx.architectures[0] = SCMP_ARCH_X86;`
			`ctx.lxc_arch[0] = lxc_seccomp_arch_i386;`
			`ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_i386,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[0]);`
			`if (!ctx.contexts[0])`
			`goto bad;`

			`- ctx.architectures[1] = SCMP_ARCH_X32;`
			`ctx.lxc_arch[1] = lxc_seccomp_arch_x32;`
			`ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_x32,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[1]);`
			`if (!ctx.contexts[1])`
			`goto bad;`

			`- ctx.architectures[2] = SCMP_ARCH_X86_64;`
			`ctx.lxc_arch[2] = lxc_seccomp_arch_amd64;`
			`ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_amd64,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[2]);`
			`if (!ctx.contexts[2])`
			`goto bad;`
			`#ifdef SCMP_ARCH_PPC`
			`} else if (native_arch == lxc_seccomp_arch_ppc64) {`
			`cur_rule_arch = lxc_seccomp_arch_all;`

			`- ctx.architectures[0] = SCMP_ARCH_PPC;`
			`ctx.lxc_arch[0] = lxc_seccomp_arch_ppc;`
			`ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_ppc,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[0]);`
			`if (!ctx.contexts[0])`
			`goto bad;`

			`- ctx.architectures[1] = SCMP_ARCH_PPC64;`
			`ctx.lxc_arch[1] = lxc_seccomp_arch_ppc64;`
			`ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_ppc64,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[1]);`
			`if (!ctx.contexts[1])`
			`goto bad;`
			`#endif`
			`@@ -672,18 +669,16 @@ static int parse_config_v2(FILE f, char line, size_t *line_bufsz, struct lxc_c`
			`} else if (native_arch == lxc_seccomp_arch_arm64) {`
			`cur_rule_arch = lxc_seccomp_arch_all;`

			`- ctx.architectures[0] = SCMP_ARCH_ARM;`
			`ctx.lxc_arch[0] = lxc_seccomp_arch_arm;`
			`ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[0]);`
			`if (!ctx.contexts[0])`
			`goto bad;`

			`#ifdef SCMP_ARCH_AARCH64`
			`- ctx.architectures[1] = SCMP_ARCH_AARCH64;`
			`ctx.lxc_arch[1] = lxc_seccomp_arch_arm64;`
			`ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_arm64,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[1]);`
			`if (!ctx.contexts[1])`
			`goto bad;`
			`#endif`
			`@@ -692,47 +687,41 @@ static int parse_config_v2(FILE f, char line, size_t *line_bufsz, struct lxc_c`
			`} else if (native_arch == lxc_seccomp_arch_mips64) {`
			`cur_rule_arch = lxc_seccomp_arch_all;`

			`- ctx.architectures[0] = SCMP_ARCH_MIPS;`
			`ctx.lxc_arch[0] = lxc_seccomp_arch_mips;`
			`ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mips,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[0]);`
			`if (!ctx.contexts[0])`
			`goto bad;`

			`- ctx.architectures[1] = SCMP_ARCH_MIPS64N32;`
			`ctx.lxc_arch[1] = lxc_seccomp_arch_mips64n32;`
			`ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mips64n32,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[1]);`
			`if (!ctx.contexts[1])`
			`goto bad;`

			`- ctx.architectures[2] = SCMP_ARCH_MIPS64;`
			`ctx.lxc_arch[2] = lxc_seccomp_arch_mips64;`
			`ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mips64,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[2]);`
			`if (!ctx.contexts[2])`
			`goto bad;`
			`} else if (native_arch == lxc_seccomp_arch_mipsel64) {`
			`cur_rule_arch = lxc_seccomp_arch_all;`
			`-`
			`- ctx.architectures[0] = SCMP_ARCH_MIPSEL;`
			`+;`
			`ctx.lxc_arch[0] = lxc_seccomp_arch_mipsel;`
			`ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[0]);`
			`if (!ctx.contexts[0])`
			`goto bad;`

			`- ctx.architectures[1] = SCMP_ARCH_MIPSEL64N32;`
			`ctx.lxc_arch[1] = lxc_seccomp_arch_mipsel64n32;`
			`ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[1]);`
			`if (!ctx.contexts[1])`
			`goto bad;`

			`- ctx.architectures[2] = SCMP_ARCH_MIPSEL64;`
			`ctx.lxc_arch[2] = lxc_seccomp_arch_mipsel64;`
			`ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mipsel64,`
			`- default_policy_action);`
			`+ default_policy_action, &ctx.architectures[2]);`
			`if (!ctx.contexts[2])`
			`goto bad;`
			`#endif`
			`@@ -943,6 +932,7 @@ static int parse_config_v2(FILE f, char line, size_t *line_bufsz, struct lxc_c`
			`}`

			`if (cur_rule_arch == native_arch) {`
			`+ /* add for native arch */`
			`if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,`
			`conf->seccomp_ctx, &rule))`
			`goto bad_rule;`
			`@@ -951,6 +941,7 @@ static int parse_config_v2(FILE f, char line, size_t *line_bufsz, struct lxc_c`
			`SCMP_ARCH_NATIVE, line, rule.action,`
			`get_action_name(rule.action));`
			`} else if (cur_rule_arch != lxc_seccomp_arch_all) {`
			`+ /* add for compat specified arch */`
			`int arch_index = get_arch_index(cur_rule_arch, &ctx);`
			`if (arch_index < 0)`
			`goto bad_arch;`
			`@@ -964,6 +955,15 @@ static int parse_config_v2(FILE f, char line, size_t *line_bufsz, struct lxc_c`
			`get_action_name(rule.action));`
			`ctx.needs_merge[arch_index] = true;`
			`} else {`
			`+ /* add for all compat archs */`
			`+ if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,`
			`+ conf->seccomp_ctx, &rule))`
			`+ goto bad_rule;`
			`+`
			`+ INFO("Added native rule for arch %d for %s action %d(%s)",`
			`+ SCMP_ARCH_NATIVE, line, rule.action,`
			`+ get_action_name(rule.action));`
			`+`
			`if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {`
			`if (!do_resolve_add_rule(ctx.architectures[0], line,`
			`ctx.contexts[0], &rule))`
			`--`
			`1.8.3.1`