Add arm64 support to pkg/seccomp

Signed-off-by: Bin Lu <bin.lu@arm.com>
PiperOrigin-RevId: 246622505
Change-Id: I803639a0c5b0f75959c64fee5385314214834d10

5 files changed, 56 insertions, 7 deletions

diff --git a/pkg/seccomp/BUILD b/pkg/seccomp/BUILD
index 0e9c4692d..2a59ebbce 100644
--- a/pkg/seccomp/BUILD
+++ b/pkg/seccomp/BUILD
@@ -22,6 +22,8 @@ go_library(
     name = "seccomp",
     srcs = [
         "seccomp.go",
+        "seccomp_amd64.go",
+        "seccomp_arm64.go",
         "seccomp_rules.go",
         "seccomp_unsafe.go",
     ],
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
index 50c9409e4..cc142a497 100644
--- a/pkg/seccomp/seccomp.go
+++ b/pkg/seccomp/seccomp.go
@@ -123,11 +123,11 @@ func BuildProgram(rules []RuleSet, defaultAction linux.BPFAction) ([]linux.BPFIn
 	// Be paranoid and check that syscall is done in the expected architecture.
 	//
 	// A = seccomp_data.arch
-	// if (A != AUDIT_ARCH_X86_64) goto defaultAction.
+	// if (A != AUDIT_ARCH) goto defaultAction.
 	program.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetArch)
 	// defaultLabel is at the bottom of the program. The size of program
 	// may exceeds 255 lines, which is the limit of a condition jump.
-	program.AddJump(bpf.Jmp|bpf.Jeq|bpf.K, linux.AUDIT_ARCH_X86_64, skipOneInst, 0)
+	program.AddJump(bpf.Jmp|bpf.Jeq|bpf.K, LINUX_AUDIT_ARCH, skipOneInst, 0)
 	program.AddDirectJumpLabel(defaultLabel)
 	if err := buildIndex(rules, program); err != nil {
 		return nil, err
diff --git a/pkg/seccomp/seccomp_amd64.go b/pkg/seccomp/seccomp_amd64.go
new file mode 100644
index 000000000..02dfb8d9f
--- /dev/null
+++ b/pkg/seccomp/seccomp_amd64.go
@@ -0,0 +1,26 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build amd64
+
+package seccomp
+
+import (
+	"gvisor.googlesource.com/gvisor/pkg/abi/linux"
+)
+
+const (
+	LINUX_AUDIT_ARCH = linux.AUDIT_ARCH_X86_64
+	SYS_SECCOMP      = 317
+)
diff --git a/pkg/seccomp/seccomp_arm64.go b/pkg/seccomp/seccomp_arm64.go
new file mode 100644
index 000000000..b575bcdbf
--- /dev/null
+++ b/pkg/seccomp/seccomp_arm64.go
@@ -0,0 +1,26 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build arm64
+
+package seccomp
+
+import (
+	"gvisor.googlesource.com/gvisor/pkg/abi/linux"
+)
+
+const (
+	LINUX_AUDIT_ARCH = linux.AUDIT_ARCH_AARCH64
+	SYS_SECCOMP      = 277
+)
diff --git a/pkg/seccomp/seccomp_unsafe.go b/pkg/seccomp/seccomp_unsafe.go
index ccd40d9db..ebb6397e8 100644
--- a/pkg/seccomp/seccomp_unsafe.go
+++ b/pkg/seccomp/seccomp_unsafe.go
@@ -12,8 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// +build amd64
-
 package seccomp
 
 import (
@@ -65,9 +63,6 @@ func isKillProcessAvailable() (bool, error) {
 //
 //go:nosplit
 func seccomp(op, flags uint32, ptr unsafe.Pointer) syscall.Errno {
-	// SYS_SECCOMP is not available in syscall package.
-	const SYS_SECCOMP = 317
-
 	if _, _, errno := syscall.RawSyscall(SYS_SECCOMP, uintptr(op), uintptr(flags), uintptr(ptr)); errno != 0 {
 		return errno
 	}