From: Ruben Jenster
Date: Fri, 23 Oct 2020 14:03:12 +0000 (+0200)
Subject: seccomp: Avoid duplicate processing of rules for host native arch.
X-Git-Tag: lxc-5.0.0~347^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=15044cd19c8454b20ee46fdb17dd0c8dd85366b1;p=thirdparty%2Flxc.git

seccomp: Avoid duplicate processing of rules for host native arch.

Signed-off-by: Ruben Jenster
---

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index f97e5cb86..4faf693f6 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -653,6 +653,8 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 		default_rule_action = SCMP_ACT_ALLOW;
 	}
 
+	DEBUG("Host native arch is [%u]", seccomp_arch_native());
+
 	memset(&ctx, 0, sizeof(ctx));
 	ctx.architectures[0] = SCMP_ARCH_NATIVE;
 	ctx.architectures[1] = SCMP_ARCH_NATIVE;
@@ -1001,23 +1003,15 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 		if (ret == lxc_seccomp_rule_undefined_syscall)
 			continue;
 
-		if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
-			if (lxc_seccomp_rule_err == do_resolve_add_rule(ctx.architectures[0], line,
-								    ctx.contexts[0], &rule))
-				goto bad_rule;
-		}
-
-		if (ctx.architectures[1] != SCMP_ARCH_NATIVE) {
-			if (lxc_seccomp_rule_err == do_resolve_add_rule(ctx.architectures[1], line,
-								    ctx.contexts[1], &rule))
-				goto bad_rule;
+		for (int i = 0; i < 3; i++ ) {
+			uint32_t arch = ctx.architectures[i];
+			if (arch != SCMP_ARCH_NATIVE && arch != seccomp_arch_native()) {
+				if (lxc_seccomp_rule_err == do_resolve_add_rule(arch, line,
+									    ctx.contexts[i], &rule))
+					goto bad_rule;
+			}
 		}
 
-		if (ctx.architectures[2] != SCMP_ARCH_NATIVE) {
-			if (lxc_seccomp_rule_err == do_resolve_add_rule(ctx.architectures[2], line,
-								    ctx.contexts[2], &rule))
-				goto bad_rule;
-		}
 	}
 
 	INFO("Merging compat seccomp contexts into main context");
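Review bot: The bound `3` in the new `for (int i = 0; i < 3; i++ )` line of the second hunk restates the length of `ctx.architectures` as a magic number, so a later change to that array would silently leave contexts unvisited; `for (size_t i = 0; i < sizeof(ctx.architectures) / sizeof(ctx.architectures[0]); i++) {` keeps the loop tied to the array (and drops the stray space before `)`). `seccomp_arch_native()` is also re-evaluated on every iteration for every rule line; it is presumably constant for the process, so a local such as `uint32_t native_arch = seccomp_arch_native();` taken once where the first hunk logs it would serve both the DEBUG and the comparison, and would let the DEBUG use `PRIu32` rather than `%u` for a `uint32_t`. Skipping a compat context whose arch equals the host arch relies on the same line already having been added to the native context earlier in the loop body, which is outside this hunk, and on the merge below tolerating that context being left without the rule; a one-line comment at the new `if` would make that dependency visible, e.g. `/* the host arch is covered by the main native context; adding it here would duplicate the rule */`. parse_config_v2 begins before the first hunk and ends after the second.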