Add seccomp(2) support.

Add support for the seccomp syscall and the flag SECCOMP_FILTER_FLAG_TSYNC. PiperOrigin-RevId: 207101507 Change-Id: I5eb8ba9d5ef71b0e683930a6429182726dc23175
author: Brian Geffon <bgeffon@google.com> 2018-08-02 08:09:03 -0700
committer: Shentubot <shentubot@google.com> 2018-08-02 08:10:30 -0700
commit: cf44aff6e08b0e19935d5cd98455b4af98fd8794 (patch)
tree: b4c95523871f54a8ec739a426bb0cc84f7f11b48 /pkg/sentry/kernel/task_clone.go
parent: 3cd7824410302da00d1c8c8323db8959a124814a (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/pkg/sentry/kernel/task_clone.go b/pkg/sentry/kernel/task_clone.go
index a61283267..3b77a4965 100644
--- a/pkg/sentry/kernel/task_clone.go
+++ b/pkg/sentry/kernel/task_clone.go
@@ -280,7 +280,10 @@ func (t *Task) Clone(opts *CloneOptions) (ThreadID, *SyscallControl, error) {
 	// "If fork/clone and execve are allowed by @prog, any child processes will
 	// be constrained to the same filters and system call ABI as the parent." -
 	// Documentation/prctl/seccomp_filter.txt
-	nt.syscallFilters = append([]bpf.Program(nil), t.syscallFilters...)
+	if f := t.syscallFilters.Load(); f != nil {
+		copiedFilters := append([]bpf.Program(nil), f.([]bpf.Program)...)
+		nt.syscallFilters.Store(copiedFilters)
+	}
 	if opts.Vfork {
 		nt.vforkParent = t
 	}
author	Brian Geffon <bgeffon@google.com>	2018-08-02 08:09:03 -0700
committer	Shentubot <shentubot@google.com>	2018-08-02 08:10:30 -0700
commit	cf44aff6e08b0e19935d5cd98455b4af98fd8794 (patch)
tree	b4c95523871f54a8ec739a426bb0cc84f7f11b48 /pkg/sentry/kernel/task_clone.go
parent	3cd7824410302da00d1c8c8323db8959a124814a (diff)