!268 Add loongarch64 seccomp support

From: @zhaixiaojuan Reviewed-by: @zhangsong234 Signed-off-by: @zhangsong234
2024-06-15 09:24:28 +00:00 · 2024-06-15 09:24:28 +00:00 · df49170ede
commit df49170ede
parent db5aceb297 5fc3d80af7
3 changed files with 158 additions and 1 deletions
--- a/patch/0040-add-loongarch64-seccomp-support.patch
+++ b/patch/0040-add-loongarch64-seccomp-support.patch
@ -0,0 +1,150 @@
+diff --git a/libcontainer/seccomp/config.go b/libcontainer/seccomp/config.go
+index 2b15576..841f9d9 100644
+--- a/libcontainer/seccomp/config.go
+++ b/libcontainer/seccomp/config.go
+@@ -69,6 +69,7 @@ var archs = map[string]string{
+ 	"SCMP_ARCH_RISCV64":     "riscv64",
+ 	"SCMP_ARCH_S390":        "s390",
+ 	"SCMP_ARCH_S390X":       "s390x",
+	"SCMP_ARCH_LOONGARCH64": "loong64",
+ }
+ 
+ // KnownArchs returns the list of the known archs.
+diff --git a/libcontainer/seccomp/patchbpf/enosys_linux.go b/libcontainer/seccomp/patchbpf/enosys_linux.go
+index 6376512..391c319 100644
+--- a/libcontainer/seccomp/patchbpf/enosys_linux.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux.go
+@@ -75,6 +75,7 @@ const uint32_t C_AUDIT_ARCH_PPC64LE      = AUDIT_ARCH_PPC64LE;
+ const uint32_t C_AUDIT_ARCH_S390         = AUDIT_ARCH_S390;
+ const uint32_t C_AUDIT_ARCH_S390X        = AUDIT_ARCH_S390X;
+ const uint32_t C_AUDIT_ARCH_RISCV64      = AUDIT_ARCH_RISCV64;
+const uint32_t C_AUDIT_ARCH_LOONGARCH64  = AUDIT_ARCH_LOONGARCH64;
+ */
+ import "C"
+ 
+@@ -212,6 +213,8 @@ func archToNative(arch libseccomp.ScmpArch) (nativeArch, error) {
+ 		return nativeArch(C.C_AUDIT_ARCH_S390X), nil
+ 	case libseccomp.ArchRISCV64:
+ 		return nativeArch(C.C_AUDIT_ARCH_RISCV64), nil
+	case libseccomp.ArchLOONGARCH64:
+		return nativeArch(C.C_AUDIT_ARCH_LOONGARCH64), nil
+ 	default:
+ 		return invalidArch, fmt.Errorf("unknown architecture: %v", arch)
+ 	}
+diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
+index e2d363a..a66fe35 100644
+--- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
+@@ -105,6 +105,7 @@ var testArches = []string{
+ 	"ppc64le",
+ 	"s390",
+ 	"s390x",
+	"loong64",
+ }
+ 
+ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string) {
+diff --git a/libcontainer/system/syscall_linux_64.go b/libcontainer/system/syscall_linux_64.go
+index 97f1ba0..5db345a 100644
+--- a/libcontainer/system/syscall_linux_64.go
+++ b/libcontainer/system/syscall_linux_64.go
+@@ -1,6 +1,6 @@
+ //go:build linux && (arm64 || amd64 || mips || mipsle || mips64 || mips64le || loong64 || ppc || ppc64 || ppc64le || riscv64 || s390x)
+ // +build linux
+-// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le riscv64 s390x
+// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le riscv64 s390x loong64
+ 
+ package system
+ 
+diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+index 135f74a..e32af2f 100644
+--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+@@ -643,6 +643,7 @@ const (
+ 	ArchPARISC      Arch = "SCMP_ARCH_PARISC"
+ 	ArchPARISC64    Arch = "SCMP_ARCH_PARISC64"
+ 	ArchRISCV64     Arch = "SCMP_ARCH_RISCV64"
+	ArchLOONGARCH64 Arch = "SCMP_ARCH_LOONGARCH64"
+ )
+ 
+ // LinuxSeccompAction taken upon Seccomp rule match
+diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+index 8dad12f..2552394 100644
+--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp.go
+@@ -174,6 +174,8 @@ const (
+ 	ArchPARISC64
+ 	// ArchRISCV64 represents RISCV64
+ 	ArchRISCV64
+	// ArchLOONGARCH64 represents 64-bit LoongArch System syscalls
+	ArchLOONGARCH64
+ )
+ 
+ const (
+@@ -305,6 +307,8 @@ func GetArchFromString(arch string) (ScmpArch, error) {
+ 		return ArchPARISC64, nil
+ 	case "riscv64":
+ 		return ArchRISCV64, nil
+	case "loongarch64", "loong64":
+		return ArchLOONGARCH64, nil
+ 	default:
+ 		return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %q", arch)
+ 	}
+@@ -351,6 +355,8 @@ func (a ScmpArch) String() string {
+ 		return "parisc64"
+ 	case ArchRISCV64:
+ 		return "riscv64"
+	case ArchLOONGARCH64:
+		return "loong64"
+ 	case ArchNative:
+ 		return "native"
+ 	case ArchInvalid:
+diff --git a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+index df4dfb7..1997fb3 100644
+--- a/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+++ b/vendor/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+@@ -68,6 +68,10 @@ const uint32_t C_ARCH_BAD = ARCH_BAD;
+ #define SCMP_ARCH_RISCV64 ARCH_BAD
+ #endif
+ 
+#ifndef SCMP_ARCH_LOONGARCH64
+#define SCMP_ARCH_LOONGARCH64 ARCH_BAD
+#endif
+
+ const uint32_t C_ARCH_NATIVE       = SCMP_ARCH_NATIVE;
+ const uint32_t C_ARCH_X86          = SCMP_ARCH_X86;
+ const uint32_t C_ARCH_X86_64       = SCMP_ARCH_X86_64;
+@@ -88,6 +92,7 @@ const uint32_t C_ARCH_S390X        = SCMP_ARCH_S390X;
+ const uint32_t C_ARCH_PARISC       = SCMP_ARCH_PARISC;
+ const uint32_t C_ARCH_PARISC64     = SCMP_ARCH_PARISC64;
+ const uint32_t C_ARCH_RISCV64      = SCMP_ARCH_RISCV64;
+const uint32_t C_ARCH_LOONGARCH64 = SCMP_ARCH_LOONGARCH64;
+ 
+ #ifndef SCMP_ACT_LOG
+ #define SCMP_ACT_LOG 0x7ffc0000U
+@@ -291,7 +296,7 @@ const (
+ 	scmpError C.int = -1
+ 	// Comparison boundaries to check for architecture validity
+ 	archStart ScmpArch = ArchNative
+-	archEnd   ScmpArch = ArchRISCV64
+	archEnd   ScmpArch = ArchLOONGARCH64
+ 	// Comparison boundaries to check for action validity
+ 	actionStart ScmpAction = ActKillThread
+ 	actionEnd   ScmpAction = ActKillProcess
+@@ -551,6 +556,8 @@ func archFromNative(a C.uint32_t) (ScmpArch, error) {
+ 		return ArchPARISC64, nil
+ 	case C.C_ARCH_RISCV64:
+ 		return ArchRISCV64, nil
+	case C.C_ARCH_LOONGARCH64:
+		return ArchLOONGARCH64, nil
+ 	default:
+ 		return 0x0, fmt.Errorf("unrecognized architecture %#x", uint32(a))
+ 	}
+@@ -597,6 +604,8 @@ func (a ScmpArch) toNative() C.uint32_t {
+ 		return C.C_ARCH_PARISC64
+ 	case ArchRISCV64:
+ 		return C.C_ARCH_RISCV64
+	case ArchLOONGARCH64:
+		return C.C_ARCH_LOONGARCH64
+ 	case ArchNative:
+ 		return C.C_ARCH_NATIVE
+ 	default:
--- a/runc.spec
+++ b/runc.spec
@ -3,7 +3,7 @@

 Name: runc
 Version: 1.1.8
-Release: 16
+Release: 17
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.

 License: ASL 2.0
@ -57,6 +57,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc

 %changelog
+* Fri Jun 14 2024 zhaixiaojuan<zhaixiaojuan@loongson.cn> - 1.1.8-17
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:add loongarch64 seccomp support
+
 * Thu May 23 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.1.8-16
 - Type:bugfix
 - CVE:NA
--- a/series.conf
+++ b/series.conf
@ -36,3 +36,4 @@ patch/0036-runc-increase-the-number-of-cgroup-deletion-retries.patch
 patch/0037-runc-fix-CVE-2024-21626.patch
 patch/0038-runc-check-cmd-exist.patch
 patch/0039-runc-fix-CVE-2024-3154.patch
+patch/0040-add-loongarch64-seccomp-support.patch