]> git.ipfire.org Git - thirdparty/lxc.git/commit
projects / thirdparty / lxc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 855452a) | patch
seccomp: handle arch inversion 2274/head
authorChristian Brauner <christian.brauner@ubuntu.com>
Fri, 13 Apr 2018 12:02:24 +0000 (14:02 +0200)
committerChristian Brauner <christian.brauner@ubuntu.com>
Fri, 13 Apr 2018 12:11:09 +0000 (14:11 +0200)
commitb5ed021bbc47efe77732b38b5946116be94367e1
tree4c309b377d4ac16877b6cba541c789df226cd43etree
parent855452aede6136e2786bb8ea03e7baf23827ec50commit | diff
seccomp: handle arch inversion

This commit deals with different kernel and userspace layouts and nesting. Here
are three examples:
1. 64bit kernel and 64bit userspace running 32bit containers
2. 64bit kernel and 32bit userspace running 64bit containers
3. 64bit kernel and 64bit userspace running 32bit containers running 64bit containers
Two things to lookout for:
1. The compat arch that is detected might have already been present in the main
   context. So check that it actually hasn't been and only then add it.
2. The contexts don't need merging if the architectures are the same and also can't be.
With these changes I can run all crazy/weird combinations with proper seccomp
isolation.

Closes #654.

Link: https://bugs.chromium.org/p/chromium/issues/detail?id=832366
Reported-by: Chirantan Ekbote <chirantan@chromium.org>
Reported-by: Sonny Rao <sonnyrao@chromium.org>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/seccomp.c diff | blob | blame | history
Mirror of https://github.com/lxc/lxc.git