seccomp: add ppc support

This patch enables seccomp support for LXC containers running on PowerPC
architectures. It is based on the latest PowerPC support added to libseccomp, on
the working-ppc64 branch [1].

Libseccomp has been tested on ppc, ppc64 and ppc64le architectures. LXC with
seccomp support has been tested on ppc and ppc64 architectures, using the
default seccomp policy example files delivered with the LXC package.

[1] https://github.com/seccomp/libseccomp/commits/working-ppc64

v2:
- add #ifdefs in get_new_ctx to fix builds on systems not having SCMP_ARCH_PPC*
  defined

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 3ba6c9a6030343e6ccdec0e90b4707044db5f08c..108faa0a8d1382dd42b4f80d7c07e1fc9a66668d 100644 (file)
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -121,6 +121,9 @@ enum lxc_hostarch_t {
        lxc_seccomp_arch_i386,
        lxc_seccomp_arch_amd64,
        lxc_seccomp_arch_arm,
+       lxc_seccomp_arch_ppc64,
+       lxc_seccomp_arch_ppc64le,
+       lxc_seccomp_arch_ppc,
        lxc_seccomp_arch_unknown = 999,
 };
 
@@ -137,6 +140,12 @@ int get_hostarch(void)
                return lxc_seccomp_arch_amd64;
        else if (strncmp(uts.machine, "armv7", 5) == 0)
                return lxc_seccomp_arch_arm;
+       else if (strncmp(uts.machine, "ppc64le", 7) == 0)
+               return lxc_seccomp_arch_ppc64le;
+       else if (strncmp(uts.machine, "ppc64", 5) == 0)
+               return lxc_seccomp_arch_ppc64;
+       else if (strncmp(uts.machine, "ppc", 3) == 0)
+               return lxc_seccomp_arch_ppc;
        return lxc_seccomp_arch_unknown;
 }
 
@@ -150,6 +159,15 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
        case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
        case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
        case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
+#ifdef SCMP_ARCH_PPC64LE
+       case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
+#endif
+#ifdef SCMP_ARCH_PPC64
+       case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
+#endif
+#ifdef SCMP_ARCH_PPC
+       case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
+#endif
        default: return NULL;
        }
 
@@ -342,6 +360,36 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
                                }
                                cur_rule_arch = lxc_seccomp_arch_arm;
                        }
+#endif
+#ifdef SCMP_ARCH_PPC64LE
+                       else if (strcmp(line, "[ppc64le]") == 0 ||
+                                       strcmp(line, "[PPC64LE]") == 0) {
+                               if (native_arch != lxc_seccomp_arch_ppc64le) {
+                                       cur_rule_arch = lxc_seccomp_arch_unknown;
+                                       continue;
+                               }
+                               cur_rule_arch = lxc_seccomp_arch_ppc64le;
+                       }
+#endif
+#ifdef SCMP_ARCH_PPC64
+                       else if (strcmp(line, "[ppc64]") == 0 ||
+                                       strcmp(line, "[PPC64]") == 0) {
+                               if (native_arch != lxc_seccomp_arch_ppc64) {
+                                       cur_rule_arch = lxc_seccomp_arch_unknown;
+                                       continue;
+                               }
+                               cur_rule_arch = lxc_seccomp_arch_ppc64;
+                       }
+#endif
+#ifdef SCMP_ARCH_PPC
+                       else if (strcmp(line, "[ppc]") == 0 ||
+                                       strcmp(line, "[PPC]") == 0) {
+                               if (native_arch != lxc_seccomp_arch_ppc) {
+                                       cur_rule_arch = lxc_seccomp_arch_unknown;
+                                       continue;
+                               }
+                               cur_rule_arch = lxc_seccomp_arch_ppc;
+                       }
 #endif
                        else
                                goto bad_arch;