summaryrefslogtreecommitdiffhomepage
path: root/pkg/seccomp
diff options
context:
space:
mode:
authorAndrei Vagin <avagin@google.com>2021-07-12 13:31:34 -0700
committergVisor bot <gvisor-bot@google.com>2021-07-12 13:34:03 -0700
commitebe99977a47d93ee769121f9463650cfb924e243 (patch)
treeb8e4d5ac5cb0c5ed6213a9293ebe61bd0099a1ff /pkg/seccomp
parent9c09db654e3304ce57a2757b33c87e28df7153dc (diff)
Mark all functions that are called from a forked child with go:norace
PiperOrigin-RevId: 384305599
Diffstat (limited to 'pkg/seccomp')
-rw-r--r--pkg/seccomp/seccomp_unsafe.go4
1 files changed, 4 insertions, 0 deletions
diff --git a/pkg/seccomp/seccomp_unsafe.go b/pkg/seccomp/seccomp_unsafe.go
index 061cd26ab..6701b5542 100644
--- a/pkg/seccomp/seccomp_unsafe.go
+++ b/pkg/seccomp/seccomp_unsafe.go
@@ -68,6 +68,10 @@ func SetFilter(instrs []linux.BPFInstruction) error {
// - Since fork()ed child processes cannot perform heap allocation, it returns
// a unix.Errno rather than an error.
//
+// - The race instrumentation has to be disabled for all functions that are
+// called in a forked child.
+//
+//go:norace
//go:nosplit
func SetFilterInChild(instrs []linux.BPFInstruction) unix.Errno {
if _, _, errno := unix.RawSyscall6(unix.SYS_PRCTL, linux.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0, 0); errno != 0 {