From 795a6c9702c22384ae9992297df297c09ee3afbc Mon Sep 17 00:00:00 2001 From: Matthew Heon Date: Wed, 23 Sep 2015 10:52:53 -0400 Subject: [PATCH] Libcontainer: Add support for multiple architectures in Seccomp This commit allows additional architectures to be added to Seccomp filters created by containers. This allows containers to make syscalls using these architectures. For example, in a container on an AMD64 system, only AMD64 syscalls would be usable unless x86 was added to the filter using this patch, which would allow both 32-bit and 64-bit syscalls to be used. Signed-off-by: Matthew Heon --- libcontainer/configs/config.go | 4 ++++ libcontainer/seccomp/seccomp_linux.go | 12 ++++++++++++ 2 files changed, 16 insertions(+) diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go index f2628760..12fcf6f6 100644 --- a/libcontainer/configs/config.go +++ b/libcontainer/configs/config.go @@ -20,8 +20,12 @@ type IDMap struct { } // Seccomp represents syscall restrictions +// By default, only the native architecture of the kernel is allowed to be used +// for syscalls. Additional architectures can be added by specifying them in +// Architectures. type Seccomp struct { DefaultAction Action `json:"default_action"` + Architectures []string `json:"architectures"` Syscalls []*Syscall `json:"syscalls"` } diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go index 58bdbf6d..1e9ccf8f 100644 --- a/libcontainer/seccomp/seccomp_linux.go +++ b/libcontainer/seccomp/seccomp_linux.go @@ -37,6 +37,18 @@ func InitSeccomp(config *configs.Seccomp) error { return fmt.Errorf("error creating filter: %s", err) } + // Add extra architectures + for _, arch := range config.Architectures { + scmpArch, err := libseccomp.GetArchFromString(arch) + if err != nil { + return err + } + + if err := filter.AddArch(scmpArch); err != nil { + return err + } + } + // Unset no new privs bit if err := filter.SetNoNewPrivsBit(false); err != nil { return fmt.Errorf("error setting no new privileges: %s", err)