From 15044cd19c8454b20ee46fdb17dd0c8dd85366b1 Mon Sep 17 00:00:00 2001
From: Ruben Jenster
Date: Fri, 23 Oct 2020 16:03:12 +0200
Subject: [PATCH] seccomp: Avoid duplicate processing of rules for host native arch.

Signed-off-by: Ruben Jenster
---
 src/lxc/seccomp.c | 24 +++++++++--------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index f97e5cb86..4faf693f6 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -653,6 +653,8 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 		default_rule_action = SCMP_ACT_ALLOW;
 	}
 
+	DEBUG("Host native arch is [%u]", seccomp_arch_native());
+
 	memset(&ctx, 0, sizeof(ctx));
 	ctx.architectures[0] = SCMP_ARCH_NATIVE;
 	ctx.architectures[1] = SCMP_ARCH_NATIVE;
@@ -1001,23 +1003,15 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 		if (ret == lxc_seccomp_rule_undefined_syscall)
 			continue;
 
-		if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
-			if (lxc_seccomp_rule_err == do_resolve_add_rule(ctx.architectures[0], line,
-									ctx.contexts[0], &rule))
-				goto bad_rule;
-		}
-
-		if (ctx.architectures[1] != SCMP_ARCH_NATIVE) {
-			if (lxc_seccomp_rule_err == do_resolve_add_rule(ctx.architectures[1], line,
-									ctx.contexts[1], &rule))
-				goto bad_rule;
+		for (int i = 0; i < 3; i++ ) {
+			uint32_t arch = ctx.architectures[i];
+			if (arch != SCMP_ARCH_NATIVE && arch != seccomp_arch_native()) {
+				if (lxc_seccomp_rule_err == do_resolve_add_rule(arch, line,
+									ctx.contexts[i], &rule))
+					goto bad_rule;
+			}
 		}
 
-		if (ctx.architectures[2] != SCMP_ARCH_NATIVE) {
-			if (lxc_seccomp_rule_err == do_resolve_add_rule(ctx.architectures[2], line,
-									ctx.contexts[2], &rule))
-				goto bad_rule;
-		}
 	}
 
 	INFO("Merging compat seccomp contexts into main context");
-- 
2.47.2
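Review bot: The added DEBUG line prints the `uint32_t` returned by `seccomp_arch_native()` with `%u`, which is only correct where `uint32_t` is `unsigned int`; the portable spelling is `DEBUG("Host native arch is [%" PRIu32 "]", seccomp_arch_native());` with `<inttypes.h>` in scope (I cannot see from the hunk whether seccomp.c already includes it). The same call is repeated for every rule line in the loop further down, so storing it once here in a local such as `const uint32_t native_arch = seccomp_arch_native();` would serve both the log line and the later comparison. parse_config_v2() starts and ends outside this hunk.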
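Review bot: The new loop re-evaluates `seccomp_arch_native()` for each of the three slots on every rule line and hard-codes the bound `3`, which silently diverges if `ctx.architectures` is ever resized; hoist the native arch into a local before the rule loop (which begins outside this hunk) and derive the bound from the array, e.g. `for (size_t i = 0; i < sizeof(ctx.architectures) / sizeof(ctx.architectures[0]); i++) {` (this also drops the stray space before `)`). The added `arch != seccomp_arch_native()` test is the intended de-duplication for a compat context whose arch equals the host's, but the skipped `ctx.contexts[i]` is presumably still merged into the main context below the hunk; please confirm that merging an architecture the main filter already carries neither fails nor drops rules that were configured explicitly for the host arch. A short why-comment above the skip, such as `/* Rules for the host arch were already added to the main context above. */`, would spare the next reader from re-deriving that reasoning. The enclosing `while` loop and parse_config_v2() itself start before the hunk.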