authorBin Lu <bin.lu@arm.com>2019-05-03 22:02:51 -0700
committerShentubot <shentubot@google.com>2019-05-03 22:03:59 -0700
commitebe2f78d9bc8639f0967c08777a3c9431ac44700 (patch)
treefd0df799dc3dff06549d7c7fedfb04d24ef5f31f
parentbf0ac565d2873069799082ad7bc3e3c43acbc593 (diff)
Add arm64 support to pkg/seccomp
Signed-off-by: Bin Lu <bin.lu@arm.com> PiperOrigin-RevId: 246622505 Change-Id: I803639a0c5b0f75959c64fee5385314214834d10
-rw-r--r--pkg/seccomp/BUILD2
-rw-r--r--pkg/seccomp/seccomp.go4
-rw-r--r--pkg/seccomp/seccomp_amd64.go26
-rw-r--r--pkg/seccomp/seccomp_arm64.go26
-rw-r--r--pkg/seccomp/seccomp_unsafe.go5
5 files changed, 56 insertions, 7 deletions
diff --git a/pkg/seccomp/BUILD b/pkg/seccomp/BUILD
index 0e9c4692d..2a59ebbce 100644
--- a/pkg/seccomp/BUILD
+++ b/pkg/seccomp/BUILD
@@ -22,6 +22,8 @@ go_library(
name = "seccomp",
srcs = [
"seccomp.go",
+ "seccomp_amd64.go",
+ "seccomp_arm64.go",
"seccomp_rules.go",
"seccomp_unsafe.go",
],
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
index 50c9409e4..cc142a497 100644
--- a/pkg/seccomp/seccomp.go
+++ b/pkg/seccomp/seccomp.go
@@ -123,11 +123,11 @@ func BuildProgram(rules []RuleSet, defaultAction linux.BPFAction) ([]linux.BPFIn
// Be paranoid and check that syscall is done in the expected architecture.
//
// A = seccomp_data.arch
- // if (A != AUDIT_ARCH_X86_64) goto defaultAction.
+ // if (A != AUDIT_ARCH) goto defaultAction.
program.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetArch)
// defaultLabel is at the bottom of the program. The size of program
// may exceeds 255 lines, which is the limit of a condition jump.
- program.AddJump(bpf.Jmp|bpf.Jeq|bpf.K, linux.AUDIT_ARCH_X86_64, skipOneInst, 0)
+ program.AddJump(bpf.Jmp|bpf.Jeq|bpf.K, LINUX_AUDIT_ARCH, skipOneInst, 0)
program.AddDirectJumpLabel(defaultLabel)
if err := buildIndex(rules, program); err != nil {
return nil, err
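Review bot: The pseudo-code comment now reads `if (A != AUDIT_ARCH) goto defaultAction`, but no identifier of that name is visible in this change; the jump below it compares against `LINUX_AUDIT_ARCH`, so the comment should read `// if (A != LINUX_AUDIT_ARCH) goto defaultAction.` and say that the value is selected per GOARCH by the build-tagged seccomp_amd64.go and seccomp_arm64.go files. The mismatch path lands on the caller-supplied defaultAction, so this check only rejects syscalls made under an unexpected ABI when the caller passes a denying default. That contract is worth stating in BuildProgram's doc comment, which lies outside this hunk, as do the start and end of the function body.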
diff --git a/pkg/seccomp/seccomp_amd64.go b/pkg/seccomp/seccomp_amd64.go
new file mode 100644
index 000000000..02dfb8d9f
--- /dev/null
+++ b/pkg/seccomp/seccomp_amd64.go
@@ -0,0 +1,26 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build amd64
+
+package seccomp
+
+import (
+ "gvisor.googlesource.com/gvisor/pkg/abi/linux"
+)
+
+const (
+ LINUX_AUDIT_ARCH = linux.AUDIT_ARCH_X86_64
+ SYS_SECCOMP = 317
+)
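Review bot: `LINUX_AUDIT_ARCH` and `SYS_SECCOMP` are exported from the package with no doc comments, and the explanation deleted from seccomp_unsafe.go (`SYS_SECCOMP is not available in syscall package`) is not carried over, so 317 is left as an unexplained magic number; the same applies to 277 in seccomp_arm64.go. I would add `// LINUX_AUDIT_ARCH is the seccomp_data.arch value BuildProgram expects on this architecture.` and `// SYS_SECCOMP is the seccomp(2) syscall number; it is not available in the syscall package.` above the two constants in both files. If nothing outside the package needs them, unexported MixedCaps names such as `auditArch` and `sysSeccomp` would follow Go naming and keep the package's API surface smaller. On amd64 the kernel also reports AUDIT_ARCH_X86_64 for x32-ABI calls, so the comment could note that the arch comparison alone does not exclude them; whether the rule index handles that is not visible here.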
diff --git a/pkg/seccomp/seccomp_arm64.go b/pkg/seccomp/seccomp_arm64.go
new file mode 100644
index 000000000..b575bcdbf
--- /dev/null
+++ b/pkg/seccomp/seccomp_arm64.go
@@ -0,0 +1,26 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build arm64
+
+package seccomp
+
+import (
+ "gvisor.googlesource.com/gvisor/pkg/abi/linux"
+)
+
+const (
+ LINUX_AUDIT_ARCH = linux.AUDIT_ARCH_AARCH64
+ SYS_SECCOMP = 277
+)
diff --git a/pkg/seccomp/seccomp_unsafe.go b/pkg/seccomp/seccomp_unsafe.go
index ccd40d9db..ebb6397e8 100644
--- a/pkg/seccomp/seccomp_unsafe.go
+++ b/pkg/seccomp/seccomp_unsafe.go
@@ -12,8 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-// +build amd64
-
package seccomp
import (
@@ -65,9 +63,6 @@ func isKillProcessAvailable() (bool, error) {
//
//go:nosplit
func seccomp(op, flags uint32, ptr unsafe.Pointer) syscall.Errno {
- // SYS_SECCOMP is not available in syscall package.
- const SYS_SECCOMP = 317
-
if _, _, errno := syscall.RawSyscall(SYS_SECCOMP, uintptr(op), uintptr(flags), uintptr(ptr)); errno != 0 {
return errno
}