seccomp: support 32-bit arm on arm64, and 32-bit ppc on ppc64

Generally we enforce that a [arch] seccomp section can only be used on [arch].
However, on amd64 we allow [i386] sections for i386 containers, and there we
also take [all] sections and apply them for both 32- and 64-bit.

Do that also for ppc64 and arm64.  This allows seccomp-protected armhf
containers to run on arm64.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 02086464512825b262c88f217b64d101180840bd..c5f188550876041333e8c98111725d0ebfc30947 100644 (file)
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -300,6 +300,20 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
                                default_policy_action);
                if (!compat_ctx)
                        goto bad;
+       } else if (native_arch == lxc_seccomp_arch_ppc64) {
+               cur_rule_arch = lxc_seccomp_arch_all;
+               compat_arch = SCMP_ARCH_PPC;
+               compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
+                               default_policy_action);
+               if (!compat_ctx)
+                       goto bad;
+       } else if (native_arch == lxc_seccomp_arch_arm64) {
+               cur_rule_arch = lxc_seccomp_arch_all;
+               compat_arch = SCMP_ARCH_ARM;
+               compat_ctx = get_new_ctx(lxc_seccomp_arch_arm,
+                               default_policy_action);
+               if (!compat_ctx)
+                       goto bad;
        }
 
        if (default_policy_action != SCMP_ACT_KILL) {
@@ -327,7 +341,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
                        if (strcmp(line, "[x86]") == 0 ||
                                        strcmp(line, "[X86]") == 0) {
                                if (native_arch != lxc_seccomp_arch_i386 &&
-                                       native_arch != lxc_seccomp_arch_amd64) {
+                                               native_arch != lxc_seccomp_arch_amd64) {
                                        cur_rule_arch = lxc_seccomp_arch_unknown;
                                        continue;
                                }
@@ -346,7 +360,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 #ifdef SCMP_ARCH_ARM
                        else if (strcmp(line, "[arm]") == 0 ||
                                        strcmp(line, "[ARM]") == 0) {
-                               if (native_arch != lxc_seccomp_arch_arm) {
+                               if (native_arch != lxc_seccomp_arch_arm &&
+                                               native_arch != lxc_seccomp_arch_arm64) {
                                        cur_rule_arch = lxc_seccomp_arch_unknown;
                                        continue;
                                }
@@ -386,7 +401,8 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
 #ifdef SCMP_ARCH_PPC
                        else if (strcmp(line, "[ppc]") == 0 ||
                                        strcmp(line, "[PPC]") == 0) {
-                               if (native_arch != lxc_seccomp_arch_ppc) {
+                               if (native_arch != lxc_seccomp_arch_ppc &&
+                                               native_arch != lxc_seccomp_arch_ppc64) {
                                        cur_rule_arch = lxc_seccomp_arch_unknown;
                                        continue;
                                }
@@ -435,7 +451,7 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
        if (compat_ctx) {
                INFO("Merging in the compat seccomp ctx into the main one");
                if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) {
-                       ERROR("Error merging i386 seccomp contexts");
+                       ERROR("Error merging compat seccomp contexts");
                        goto bad;
                }
        }