Merge pull request #295 from mheon/seccomp_architecture

Libcontainer: Add support for multiple architectures in Seccomp
2015-09-23 11:08:47 -07:00 · 2015-09-23 11:08:47 -07:00 · 83b2975c8b
parent 5765dcd086 795a6c9702
commit 83b2975c8b
2 changed files with 16 additions and 0 deletions
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@ -20,8 +20,12 @@ type IDMap struct {
 }

 // Seccomp represents syscall restrictions
+// By default, only the native architecture of the kernel is allowed to be used
+// for syscalls. Additional architectures can be added by specifying them in
+// Architectures.
 type Seccomp struct {
 	DefaultAction Action     `json:"default_action"`
+	Architectures []string   `json:"architectures"`
 	Syscalls      []*Syscall `json:"syscalls"`
 }

--- a/libcontainer/seccomp/seccomp_linux.go
+++ b/libcontainer/seccomp/seccomp_linux.go
@ -37,6 +37,18 @@ func InitSeccomp(config *configs.Seccomp) error {
 		return fmt.Errorf("error creating filter: %s", err)
 	}

+	// Add extra architectures
+	for _, arch := range config.Architectures {
+		scmpArch, err := libseccomp.GetArchFromString(arch)
+		if err != nil {
+			return err
+		}
+
+		if err := filter.AddArch(scmpArch); err != nil {
+			return err
+		}
+	}
+
 	// Unset no new privs bit
 	if err := filter.SetNoNewPrivsBit(false); err != nil {
 		return fmt.Errorf("error setting no new privileges: %s", err)