path: root/pkg/sentry/kernel/task_syscall.go
authorBrian Geffon <bgeffon@google.com>2018-08-02 08:09:03 -0700
committerShentubot <shentubot@google.com>2018-08-02 08:10:30 -0700
commitcf44aff6e08b0e19935d5cd98455b4af98fd8794 (patch)
treeb4c95523871f54a8ec739a426bb0cc84f7f11b48 /pkg/sentry/kernel/task_syscall.go
parent3cd7824410302da00d1c8c8323db8959a124814a (diff)
Add seccomp(2) support.
Add support for the seccomp syscall and the flag SECCOMP_FILTER_FLAG_TSYNC. PiperOrigin-RevId: 207101507 Change-Id: I5eb8ba9d5ef71b0e683930a6429182726dc23175
Diffstat (limited to 'pkg/sentry/kernel/task_syscall.go')
-rw-r--r--pkg/sentry/kernel/task_syscall.go4
1 files changed, 2 insertions, 2 deletions
diff --git a/pkg/sentry/kernel/task_syscall.go b/pkg/sentry/kernel/task_syscall.go
index 79f4ff60c..92ca0acd9 100644
--- a/pkg/sentry/kernel/task_syscall.go
+++ b/pkg/sentry/kernel/task_syscall.go
@@ -194,7 +194,7 @@ func (t *Task) doSyscall() taskRunState {
// Check seccomp filters. The nil check is for performance (as seccomp use
// is rare), not needed for correctness.
- if t.syscallFilters != nil {
+ if t.syscallFilters.Load() != nil {
switch r := t.checkSeccompSyscall(int32(sysno), args, usermem.Addr(t.Arch().IP())); r {
case seccompResultDeny:
t.Debugf("Syscall %d: denied by seccomp", sysno)
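Review bot: The comment above the new `t.syscallFilters.Load() != nil` check still says only that the nil check is a performance shortcut, and does not explain why the field is now read through `Load()` or why a stale nil is acceptable. Judging from the commit description, filters can presumably now be installed on this task by a sibling thread via SECCOMP_FILTER_FLAG_TSYNC, so the fast path is safe only if a syscall that observes nil may be treated as ordered before the install, and if filters are never removed once set. I would extend the comment with something like `// Loaded atomically: another task may install filters via TSYNC. A nil load means none were installed before this syscall was dispatched.` The same check in the doVsyscall hunk has no comment at all and should get the same one. Both function bodies continue outside their hunks, so whether checkSeccompSyscall reloads the filters itself cannot be confirmed from here.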
@@ -334,7 +334,7 @@ func (t *Task) doVsyscall(addr usermem.Addr, sysno uintptr) taskRunState {
// to syscall ABI because they both use RDI, RSI, and RDX for the first three
// arguments and none of the vsyscalls uses more than two arguments.
args := t.Arch().SyscallArgs()
- if t.syscallFilters != nil {
+ if t.syscallFilters.Load() != nil {
switch r := t.checkSeccompSyscall(int32(sysno), args, addr); r {
case seccompResultDeny:
t.Debugf("vsyscall %d, caller %x: denied by seccomp", sysno, t.Arch().Value(caller))