authorgVisor bot <gvisor-bot@google.com>2019-09-13 06:41:23 +0000
committergVisor bot <gvisor-bot@google.com>2019-09-13 06:41:23 +0000
commite14a0a36cb11bd6adb8b9ee79834eccdbd5ac15e (patch)
tree0b1ce89a674bf02c61ae4061a432e0a9eea3f4c6 /runsc/boot
parentc65b5a8d44c27127001097108af9032ad6bb4286 (diff)
parenta8834fc555539bd6b0b46936c4a79817812658ff (diff)
Merge release-20190806.1-143-ga8834fc (automated)
Diffstat (limited to 'runsc/boot')
-rw-r--r--runsc/boot/filter/config.go14
1 files changed, 12 insertions, 2 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 7ca776b3a..a2ecc6bcb 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -88,14 +88,24 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.AllowValue(linux.FUTEX_WAIT | linux.FUTEX_PRIVATE_FLAG),
seccomp.AllowAny{},
seccomp.AllowAny{},
- seccomp.AllowValue(0),
},
{
seccomp.AllowAny{},
seccomp.AllowValue(linux.FUTEX_WAKE | linux.FUTEX_PRIVATE_FLAG),
seccomp.AllowAny{},
+ },
+ // Non-private variants are included for flipcall support. They are otherwise
+ // unncessary, as the sentry will use only private futexes internally.
+ {
+ seccomp.AllowAny{},
+ seccomp.AllowValue(linux.FUTEX_WAIT),
+ seccomp.AllowAny{},
+ seccomp.AllowAny{},
+ },
+ {
+ seccomp.AllowAny{},
+ seccomp.AllowValue(linux.FUTEX_WAKE),
seccomp.AllowAny{},
- seccomp.AllowValue(0),
},
},
syscall.SYS_GETPID: {},
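Review bot: The two removed `seccomp.AllowValue(0)` lines relax the existing private-flag FUTEX_WAIT and FUTEX_WAKE rules (their fifth argument, uaddr2, is now unconstrained), but the new comment only explains the added non-private variants, so a reader has to guess why the private rules were loosened as well. Presumably the kernel ignores uaddr2 for plain FUTEX_WAIT/FUTEX_WAKE so the check added nothing; if so, say so, e.g. `// uaddr2 is ignored by FUTEX_WAIT and FUTEX_WAKE, so it is left unconstrained.` The added comment also has a typo, `unncessary` for `unnecessary`. Since the non-private variants widen the filter to futexes on shared mappings, it would help to state in that comment that the intended users are flipcall endpoints only, so a future reviewer can judge whether they are still needed. The enclosing `allowedSyscalls` literal begins and ends outside this hunk.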