From 666174f112d1f6f765f6755e6f1ed4d3f8ca9055 Mon Sep 17 00:00:00 2001
From: tanyifeng
Date: Thu, 17 Jan 2019 03:09:00 +0800
Subject: [PATCH 042/139] lxc: seccomp adopt to lxc3.0
Signed-off-by: LiFeng
---
 src/lxc/seccomp.c | 127 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 65 insertions(+), 62 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 1e14be1..27bdc22 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -936,86 +936,89 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c SCMP_ARCH_NATIVE, line, rule.action, get_action_name(rule.action)); - if (ctx.architectures[0] != SCMP_ARCH_NATIVE) { - if (!do_resolve_add_rule(ctx.architectures[0], line, - ctx.contexts[0], &rule)) - goto bad_rule; - - INFO("Added compat rule for arch %d for %s action %d(%s)", - ctx.architectures[0], line, rule.action, - get_action_name(rule.action)); - } + if (cur_rule_arch == lxc_seccomp_arch_all) { + if (ctx.architectures[0] != SCMP_ARCH_NATIVE) { + if (!do_resolve_add_rule(ctx.architectures[0], line, + ctx.contexts[0], &rule)) + goto bad_rule; + + INFO("Added compat rule for arch %d for %s action %d(%s)", + ctx.architectures[0], line, rule.action, + get_action_name(rule.action)); + } - if (ctx.architectures[1] != SCMP_ARCH_NATIVE) { - if (!do_resolve_add_rule(ctx.architectures[1], line, - ctx.contexts[1], &rule)) - goto bad_rule; + if (ctx.architectures[1] != SCMP_ARCH_NATIVE) { + if (!do_resolve_add_rule(ctx.architectures[1], line, + ctx.contexts[1], &rule)) + goto bad_rule; - INFO("Added compat rule for arch %d for %s action %d(%s)", - ctx.architectures[1], line, rule.action, - get_action_name(rule.action)); - } + INFO("Added compat rule for arch %d for %s action %d(%s)", + ctx.architectures[1], line, rule.action, + get_action_name(rule.action)); + } - if (ctx.architectures[2] != SCMP_ARCH_NATIVE) { - if (!do_resolve_add_rule(ctx.architectures[2], line, + if (ctx.architectures[2] != SCMP_ARCH_NATIVE) { + if (!do_resolve_add_rule(ctx.architectures[2], line, ctx.contexts[2], &rule)) - goto bad_rule; + goto bad_rule; - INFO("Added native rule for arch %d for %s action %d(%s)", - ctx.architectures[2], line, rule.action, - get_action_name(rule.action)); + INFO("Added native rule for arch %d for %s action %d(%s)", + ctx.architectures[2], line, rule.action, + get_action_name(rule.action)); + } } } - INFO("Merging compat seccomp contexts into main context"); - if 
(ctx.contexts[0]) { - if (ctx.needs_merge[0]) { - ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]); - if (ret < 0) { - ERROR("Failed to merge first compat seccomp " + if (cur_rule_arch == lxc_seccomp_arch_all) { + INFO("Merging compat seccomp contexts into main context"); + if (ctx.contexts[0]) { + if (ctx.needs_merge[0]) { + ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[0]); + if (ret < 0) { + ERROR("Failed to merge first compat seccomp " "context into main context"); - goto bad; - } + goto bad; + } - TRACE("Merged first compat seccomp context into main context"); - } else { - seccomp_release(ctx.contexts[0]); - ctx.contexts[0] = NULL; + TRACE("Merged first compat seccomp context into main context"); + } else { + seccomp_release(ctx.contexts[0]); + ctx.contexts[0] = NULL; + } } - } - if (ctx.contexts[1]) { - if (ctx.needs_merge[1]) { - ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]); - if (ret < 0) { - ERROR("Failed to merge first compat seccomp " - "context into main context"); - goto bad; - } + if (ctx.contexts[1]) { + if (ctx.needs_merge[1]) { + ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[1]); + if (ret < 0) { + ERROR("Failed to merge first compat seccomp " + "context into main context"); + goto bad; + } - TRACE("Merged second compat seccomp context into main context"); - } else { - seccomp_release(ctx.contexts[1]); - ctx.contexts[1] = NULL; + TRACE("Merged second compat seccomp context into main context"); + } else { + seccomp_release(ctx.contexts[1]); + ctx.contexts[1] = NULL; + } } - } - if (ctx.contexts[2]) { - if (ctx.needs_merge[2]) { - ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]); - if (ret < 0) { - ERROR("Failed to merge third compat seccomp " - "context into main context"); - goto bad; - } + if (ctx.contexts[2]) { + if (ctx.needs_merge[2]) { + ret = seccomp_merge(conf->seccomp_ctx, ctx.contexts[2]); + if (ret < 0) { + ERROR("Failed to merge third compat seccomp " + "context into main context"); + goto bad; + } - 
TRACE("Merged third compat seccomp context into main context"); - } else { - seccomp_release(ctx.contexts[2]); - ctx.contexts[2] = NULL; + TRACE("Merged third compat seccomp context into main context"); + } else { + seccomp_release(ctx.contexts[2]); + ctx.contexts[2] = NULL; + } } } - free(line); return 0; -- 1.8.3.1
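Review bot: The new `if (cur_rule_arch == lxc_seccomp_arch_all)` guard placed around the "Merging compat seccomp contexts into main context" block makes the merge depend on whatever value `cur_rule_arch` holds after the parse loop ends, which from this hunk appears to be the arch of the last rule line rather than a property of the whole profile; if the last line was arch-specific, rules already collected in ctx.contexts[0..2] are neither merged into conf->seccomp_ctx nor released, so the resulting filter silently lacks those compat-ABI rules and the contexts leak on the `free(line); return 0;` path. If the intent is "merge only when an all-arch rule was seen", track that with a flag set inside the loop, e.g. `bool have_compat_rules = false;` before the loop, `have_compat_rules = true;` in the per-rule all-arch branch, and gate only the seccomp_merge() calls on it while still releasing any non-NULL context. `cur_rule_arch` is declared and updated outside this hunk, so confirm its scope and the loop's last-line behaviour before relying on it. The new side also carries over the copy-pasted messages: the ctx.contexts[1] failure still says "first compat seccomp" and the architectures[2] success still says "Added native rule", where "second" and "compat" would match the adjacent TRACE/INFO lines. parse_config_v2 begins before this hunk and its `bad:` cleanup is not visible here.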