193 lines
6.8 KiB
Diff
193 lines
6.8 KiB
Diff
From fb356f57bc8783e28c611a25877f3a9d47218264 Mon Sep 17 00:00:00 2001
|
|
From: LiFeng <lifeng68@huawei.com>
|
|
Date: Mon, 21 Jan 2019 23:28:43 -0500
|
|
Subject: [PATCH 052/131] Fix seccomp fail when [all] specified in config
|
|
|
|
Signed-off-by: LiFeng <lifeng68@huawei.com>
|
|
---
|
|
src/lxc/seccomp.c | 56 +++++++++++++++++++++++------------------------
|
|
1 file changed, 28 insertions(+), 28 deletions(-)
|
|
|
|
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
|
|
index 4a9143bb..3218a603 100644
|
|
--- a/src/lxc/seccomp.c
|
|
+++ b/src/lxc/seccomp.c
|
|
@@ -346,7 +346,7 @@ int get_hostarch(void)
|
|
}
|
|
|
|
scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch,
|
|
- uint32_t default_policy_action)
|
|
+ uint32_t default_policy_action, uint32_t *architectures)
|
|
{
|
|
int ret;
|
|
uint32_t arch;
|
|
@@ -464,8 +464,10 @@ scmp_filter_ctx get_new_ctx(enum lxc_arch_t n_arch,
|
|
return NULL;
|
|
}
|
|
TRACE("Removed native arch from main seccomp context");
|
|
+ *architectures = arch;
|
|
} else {
|
|
TRACE("Arch %d already present in main seccomp context", (int)n_arch);
|
|
+ *architectures = SCMP_ARCH_NATIVE;
|
|
}
|
|
|
|
return ctx;
|
|
@@ -630,41 +632,36 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
|
|
if (native_arch == lxc_seccomp_arch_amd64) {
|
|
cur_rule_arch = lxc_seccomp_arch_all;
|
|
|
|
- ctx.architectures[0] = SCMP_ARCH_X86;
|
|
ctx.lxc_arch[0] = lxc_seccomp_arch_i386;
|
|
ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_i386,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[0]);
|
|
if (!ctx.contexts[0])
|
|
goto bad;
|
|
|
|
- ctx.architectures[1] = SCMP_ARCH_X32;
|
|
ctx.lxc_arch[1] = lxc_seccomp_arch_x32;
|
|
ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_x32,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[1]);
|
|
if (!ctx.contexts[1])
|
|
goto bad;
|
|
|
|
- ctx.architectures[2] = SCMP_ARCH_X86_64;
|
|
ctx.lxc_arch[2] = lxc_seccomp_arch_amd64;
|
|
ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_amd64,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[2]);
|
|
if (!ctx.contexts[2])
|
|
goto bad;
|
|
#ifdef SCMP_ARCH_PPC
|
|
} else if (native_arch == lxc_seccomp_arch_ppc64) {
|
|
cur_rule_arch = lxc_seccomp_arch_all;
|
|
|
|
- ctx.architectures[0] = SCMP_ARCH_PPC;
|
|
ctx.lxc_arch[0] = lxc_seccomp_arch_ppc;
|
|
ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_ppc,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[0]);
|
|
if (!ctx.contexts[0])
|
|
goto bad;
|
|
|
|
- ctx.architectures[1] = SCMP_ARCH_PPC64;
|
|
ctx.lxc_arch[1] = lxc_seccomp_arch_ppc64;
|
|
ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_ppc64,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[1]);
|
|
if (!ctx.contexts[1])
|
|
goto bad;
|
|
#endif
|
|
@@ -672,18 +669,16 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
|
|
} else if (native_arch == lxc_seccomp_arch_arm64) {
|
|
cur_rule_arch = lxc_seccomp_arch_all;
|
|
|
|
- ctx.architectures[0] = SCMP_ARCH_ARM;
|
|
ctx.lxc_arch[0] = lxc_seccomp_arch_arm;
|
|
ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[0]);
|
|
if (!ctx.contexts[0])
|
|
goto bad;
|
|
|
|
#ifdef SCMP_ARCH_AARCH64
|
|
- ctx.architectures[1] = SCMP_ARCH_AARCH64;
|
|
ctx.lxc_arch[1] = lxc_seccomp_arch_arm64;
|
|
ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_arm64,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[1]);
|
|
if (!ctx.contexts[1])
|
|
goto bad;
|
|
#endif
|
|
@@ -692,47 +687,41 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
|
|
} else if (native_arch == lxc_seccomp_arch_mips64) {
|
|
cur_rule_arch = lxc_seccomp_arch_all;
|
|
|
|
- ctx.architectures[0] = SCMP_ARCH_MIPS;
|
|
ctx.lxc_arch[0] = lxc_seccomp_arch_mips;
|
|
ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mips,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[0]);
|
|
if (!ctx.contexts[0])
|
|
goto bad;
|
|
|
|
- ctx.architectures[1] = SCMP_ARCH_MIPS64N32;
|
|
ctx.lxc_arch[1] = lxc_seccomp_arch_mips64n32;
|
|
ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mips64n32,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[1]);
|
|
if (!ctx.contexts[1])
|
|
goto bad;
|
|
|
|
- ctx.architectures[2] = SCMP_ARCH_MIPS64;
|
|
ctx.lxc_arch[2] = lxc_seccomp_arch_mips64;
|
|
ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mips64,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[2]);
|
|
if (!ctx.contexts[2])
|
|
goto bad;
|
|
} else if (native_arch == lxc_seccomp_arch_mipsel64) {
|
|
cur_rule_arch = lxc_seccomp_arch_all;
|
|
-
|
|
- ctx.architectures[0] = SCMP_ARCH_MIPSEL;
|
|
+;
|
|
ctx.lxc_arch[0] = lxc_seccomp_arch_mipsel;
|
|
ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[0]);
|
|
if (!ctx.contexts[0])
|
|
goto bad;
|
|
|
|
- ctx.architectures[1] = SCMP_ARCH_MIPSEL64N32;
|
|
ctx.lxc_arch[1] = lxc_seccomp_arch_mipsel64n32;
|
|
ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[1]);
|
|
if (!ctx.contexts[1])
|
|
goto bad;
|
|
|
|
- ctx.architectures[2] = SCMP_ARCH_MIPSEL64;
|
|
ctx.lxc_arch[2] = lxc_seccomp_arch_mipsel64;
|
|
ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mipsel64,
|
|
- default_policy_action);
|
|
+ default_policy_action, &ctx.architectures[2]);
|
|
if (!ctx.contexts[2])
|
|
goto bad;
|
|
#endif
|
|
@@ -943,6 +932,7 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
|
|
}
|
|
|
|
if (cur_rule_arch == native_arch) {
|
|
+ /* add for native arch */
|
|
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
|
|
conf->seccomp_ctx, &rule))
|
|
goto bad_rule;
|
|
@@ -951,6 +941,7 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
|
|
SCMP_ARCH_NATIVE, line, rule.action,
|
|
get_action_name(rule.action));
|
|
} else if (cur_rule_arch != lxc_seccomp_arch_all) {
|
|
+ /* add for compat specified arch */
|
|
int arch_index = get_arch_index(cur_rule_arch, &ctx);
|
|
if (arch_index < 0)
|
|
goto bad_arch;
|
|
@@ -964,6 +955,15 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
|
|
get_action_name(rule.action));
|
|
ctx.needs_merge[arch_index] = true;
|
|
} else {
|
|
+ /* add for all compat archs */
|
|
+ if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
|
|
+ conf->seccomp_ctx, &rule))
|
|
+ goto bad_rule;
|
|
+
|
|
+ INFO("Added native rule for arch %d for %s action %d(%s)",
|
|
+ SCMP_ARCH_NATIVE, line, rule.action,
|
|
+ get_action_name(rule.action));
|
|
+
|
|
if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
|
|
if (!do_resolve_add_rule(ctx.architectures[0], line,
|
|
ctx.contexts[0], &rule))
|
|
--
|
|
2.23.0
|
|
|