From 5c54d741ab4b4c4a064aaf006c38ef10c4f43dca Mon Sep 17 00:00:00 2001
From: LiFeng
Date: Mon, 21 Jan 2019 23:28:43 -0500
Subject: [PATCH 052/138] Fix seccomp fail when [all] specified in config

Signed-off-by: LiFeng
---
 src/lxc/seccomp.c | 56 +++++++++++++++++++++++++++----------------------------
 1 file changed, 28 insertions(+), 28 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 4a9143b..3218a60 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -346,7 +346,7 @@ int get_hostarch(void)
 }

 scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch,
- uint32_t default_policy_action)
+ uint32_t default_policy_action, uint32_t *architectures)
 {
 int ret;
 uint32_t arch;
@@ -464,8 +464,10 @@ scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch,
 return NULL;
 }
 TRACE("Removed native arch from main seccomp context");
+ *architectures = arch;
 } else {
 TRACE("Arch %d already present in main seccomp context", (int)n_arch);
+ *architectures = SCMP_ARCH_NATIVE;
 }

 return ctx;
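Review bot: `*architectures` is written only on the two success tails of get_new_ctx() (`*architectures = arch;` and `*architectures = SCMP_ARCH_NATIVE;`); every earlier `return NULL`, such as the one at the top of this hunk, leaves the caller's `ctx.architectures[i]` slot untouched, and the pointer is dereferenced with no NULL guard. That is fine as long as callers treat the slot as meaningful only when a non-NULL context comes back, but the new parameter introduced in the signature hunk above is undocumented. I would put a comment on the definition: `/* On success *architectures receives the libseccomp arch added to the context, or SCMP_ARCH_NATIVE if n_arch was already present; it is left untouched on failure. */`. The body of get_new_ctx between the two hunks is not visible here.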
@@ -630,41 +632,36 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 if (native_arch == lxc_seccomp_arch_amd64) {
 cur_rule_arch = lxc_seccomp_arch_all;

- ctx.architectures[0] = SCMP_ARCH_X86;
 ctx.lxc_arch[0] = lxc_seccomp_arch_i386;
 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_i386,
- default_policy_action);
+ default_policy_action, &ctx.architectures[0]);
 if (!ctx.contexts[0])
 goto bad;

- ctx.architectures[1] = SCMP_ARCH_X32;
 ctx.lxc_arch[1] = lxc_seccomp_arch_x32;
 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_x32,
- default_policy_action);
+ default_policy_action, &ctx.architectures[1]);
 if (!ctx.contexts[1])
 goto bad;

- ctx.architectures[2] = SCMP_ARCH_X86_64;
 ctx.lxc_arch[2] = lxc_seccomp_arch_amd64;
 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_amd64,
- default_policy_action);
+ default_policy_action, &ctx.architectures[2]);
 if (!ctx.contexts[2])
 goto bad;
 #ifdef SCMP_ARCH_PPC
 } else if (native_arch == lxc_seccomp_arch_ppc64) {
 cur_rule_arch = lxc_seccomp_arch_all;

- ctx.architectures[0] = SCMP_ARCH_PPC;
 ctx.lxc_arch[0] = lxc_seccomp_arch_ppc;
 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_ppc,
- default_policy_action);
+ default_policy_action, &ctx.architectures[0]);
 if (!ctx.contexts[0])
 goto bad;

- ctx.architectures[1] = SCMP_ARCH_PPC64;
 ctx.lxc_arch[1] = lxc_seccomp_arch_ppc64;
 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_ppc64,
- default_policy_action);
+ default_policy_action, &ctx.architectures[1]);
 if (!ctx.contexts[1])
 goto bad;
 #endif
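Review bot: The explicit `ctx.architectures[i] = SCMP_ARCH_…` assignments are gone and the slot is now filled as a side effect of get_new_ctx(), but nothing at the call sites says so; a reader of this branch cannot tell that `&ctx.architectures[0]` is an out-parameter whose value may end up as SCMP_ARCH_NATIVE rather than the arch named on the same line. I would add one comment before the first call, `/* get_new_ctx() stores the arch it added in ctx.architectures[i], or SCMP_ARCH_NATIVE when that arch was already present in the context. */`; the same applies to the arm64 and mips hunks that follow. Because the slot is only written when get_new_ctx() succeeds, the `bad:` cleanup (outside the hunk) must not read `ctx.architectures[]` for a context that failed unless `ctx` is zero-initialised — the declaration is not visible from here, so that is worth confirming. parse_config_v2() starts and ends outside this hunk.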
@@ -672,18 +669,16 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 } else if (native_arch == lxc_seccomp_arch_arm64) {
 cur_rule_arch = lxc_seccomp_arch_all;

- ctx.architectures[0] = SCMP_ARCH_ARM;
 ctx.lxc_arch[0] = lxc_seccomp_arch_arm;
 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm,
- default_policy_action);
+ default_policy_action, &ctx.architectures[0]);
 if (!ctx.contexts[0])
 goto bad;

 #ifdef SCMP_ARCH_AARCH64
- ctx.architectures[1] = SCMP_ARCH_AARCH64;
 ctx.lxc_arch[1] = lxc_seccomp_arch_arm64;
 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_arm64,
- default_policy_action);
+ default_policy_action, &ctx.architectures[1]);
 if (!ctx.contexts[1])
 goto bad;
 #endif
@@ -692,47 +687,41 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 } else if (native_arch == lxc_seccomp_arch_mips64) {
 cur_rule_arch = lxc_seccomp_arch_all;

- ctx.architectures[0] = SCMP_ARCH_MIPS;
 ctx.lxc_arch[0] = lxc_seccomp_arch_mips;
 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mips,
- default_policy_action);
+ default_policy_action, &ctx.architectures[0]);
 if (!ctx.contexts[0])
 goto bad;

- ctx.architectures[1] = SCMP_ARCH_MIPS64N32;
 ctx.lxc_arch[1] = lxc_seccomp_arch_mips64n32;
 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mips64n32,
- default_policy_action);
+ default_policy_action, &ctx.architectures[1]);
 if (!ctx.contexts[1])
 goto bad;

- ctx.architectures[2] = SCMP_ARCH_MIPS64;
 ctx.lxc_arch[2] = lxc_seccomp_arch_mips64;
 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mips64,
- default_policy_action);
+ default_policy_action, &ctx.architectures[2]);
 if (!ctx.contexts[2])
 goto bad;
 } else if (native_arch == lxc_seccomp_arch_mipsel64) {
 cur_rule_arch = lxc_seccomp_arch_all;
-
- ctx.architectures[0] = SCMP_ARCH_MIPSEL;
+;
 ctx.lxc_arch[0] = lxc_seccomp_arch_mipsel;
 ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel,
- default_policy_action);
+ default_policy_action, &ctx.architectures[0]);
 if (!ctx.contexts[0])
 goto bad;

- ctx.architectures[1] = SCMP_ARCH_MIPSEL64N32;
 ctx.lxc_arch[1] = lxc_seccomp_arch_mipsel64n32;
 ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32,
- default_policy_action);
+ default_policy_action, &ctx.architectures[1]);
 if (!ctx.contexts[1])
 goto bad;

- ctx.architectures[2] = SCMP_ARCH_MIPSEL64;
 ctx.lxc_arch[2] = lxc_seccomp_arch_mipsel64;
 ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mipsel64,
- default_policy_action);
+ default_policy_action, &ctx.architectures[2]);
 if (!ctx.contexts[2])
 goto bad;
 #endif
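Review bot: In the mipsel64 branch this hunk deletes the blank line after `cur_rule_arch = lxc_seccomp_arch_all;` along with the assignment and then adds a line holding a lone `;` — an empty statement that compiles but is plainly a leftover, and it makes this branch read differently from the mips64 branch just above and every other arch branch, which simply drop the assignment. Replace the `+;` line with the blank line that was removed so all the branches are shaped alike. parse_config_v2() continues outside this hunk.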
@@ -943,6 +932,7 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 }

 if (cur_rule_arch == native_arch) {
+ /* add for native arch */
 if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
 conf->seccomp_ctx, &rule))
 goto bad_rule;
@@ -951,6 +941,7 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 SCMP_ARCH_NATIVE, line, rule.action,
 get_action_name(rule.action));
 } else if (cur_rule_arch != lxc_seccomp_arch_all) {
+ /* add for compat specified arch */
 int arch_index = get_arch_index(cur_rule_arch, &ctx);
 if (arch_index < 0)
 goto bad_arch;
@@ -964,6 +955,15 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 get_action_name(rule.action));
 ctx.needs_merge[arch_index] = true;
 } else {
+ /* add for all compat archs */
+ if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
+ conf->seccomp_ctx, &rule))
+ goto bad_rule;
+
+ INFO("Added native rule for arch %d for %s action %d(%s)",
+ SCMP_ARCH_NATIVE, line, rule.action,
+ get_action_name(rule.action));
+
 if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
 if (!do_resolve_add_rule(ctx.architectures[0], line,
 ctx.contexts[0], &rule))
--
1.8.3.1
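Review bot: The block added to the `[all]` branch — `do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, &rule)`, `goto bad_rule`, and the `INFO("Added native rule …")` call — is a verbatim copy of the `cur_rule_arch == native_arch` branch shown in the first hunk of this section (the one now tagged `/* add for native arch */`). Two copies of the native-rule path will drift; a small static helper taking `line`, the context and `&rule` and returning the same truth value as do_resolve_add_rule() would keep the two branches in step, and is the change I would make here rather than quote. The `[all]` branch now also depends on get_new_ctx() having tagged the native compat slot, so the `ctx.architectures[0] != SCMP_ARCH_NATIVE` test deserves a why-comment such as `/* slots tagged SCMP_ARCH_NATIVE by get_new_ctx() are the native arch, already covered above */`. The enclosing loop body continues past the end of this hunk.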