diff options
| author | Michael Pratt <mpratt@google.com> | 2020-09-22 09:56:06 -0700 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2020-09-22 09:58:09 -0700 |
| commit | 13a9a622e13ccdda76ed02d3de99b565212f6b2f (patch) | |
| tree | 434959a5e7709ecd5e0cef35f3179951b4254def /runsc/boot | |
| parent | f134f873fc75f941405de7d0e046852a38795bec (diff) | |
Allow CLONE_SETTLS for Go 1.16
https://go.googlesource.com/go/+/0941fc3 switches the Go runtime (on amd64)
from using arch_prctl(ARCH_SET_FS) to CLONE_SETTLS to set the TLS.
PiperOrigin-RevId: 333100550
Diffstat (limited to 'runsc/boot')
| -rw-r--r-- | runsc/boot/filter/config_amd64.go | 16 | ||||
| -rw-r--r-- | runsc/boot/filter/config_arm64.go | 2 |
2 files changed, 16 insertions, 2 deletions
diff --git a/runsc/boot/filter/config_amd64.go b/runsc/boot/filter/config_amd64.go index b4b4be88b..cea5613b8 100644 --- a/runsc/boot/filter/config_amd64.go +++ b/runsc/boot/filter/config_amd64.go @@ -25,6 +25,7 @@ import ( func init() { allowedSyscalls[syscall.SYS_ARCH_PRCTL] = []seccomp.Rule{ + // TODO(b/168828518): No longer used in Go 1.16+. {seccomp.EqualTo(linux.ARCH_SET_FS)}, } @@ -36,6 +37,21 @@ func init() { syscall.CLONE_VM | syscall.CLONE_FS | syscall.CLONE_FILES | + syscall.CLONE_SETTLS | + syscall.CLONE_SIGHAND | + syscall.CLONE_SYSVSEM | + syscall.CLONE_THREAD), + seccomp.MatchAny{}, // newsp + seccomp.EqualTo(0), // parent_tidptr + seccomp.EqualTo(0), // child_tidptr + seccomp.MatchAny{}, // tls + }, + { + // TODO(b/168828518): No longer used in Go 1.16+ (on amd64). + seccomp.EqualTo( + syscall.CLONE_VM | + syscall.CLONE_FS | + syscall.CLONE_FILES | syscall.CLONE_SIGHAND | syscall.CLONE_SYSVSEM | syscall.CLONE_THREAD), diff --git a/runsc/boot/filter/config_arm64.go b/runsc/boot/filter/config_arm64.go index 4eb9699d2..37313f97f 100644 --- a/runsc/boot/filter/config_arm64.go +++ b/runsc/boot/filter/config_arm64.go @@ -24,8 +24,6 @@ import ( func init() { allowedSyscalls[syscall.SYS_CLONE] = []seccomp.Rule{ - // parent_tidptr and child_tidptr are always 0 because neither - // CLONE_PARENT_SETTID nor CLONE_CHILD_SETTID are used. { seccomp.EqualTo( syscall.CLONE_VM | |