author | Adin Scannell <ascannell@google.com> | 2019-09-12 23:36:18 -0700 |
committer | gVisor bot <gvisor-bot@google.com> | 2019-09-12 23:37:31 -0700 |
commit | a8834fc555539bd6b0b46936c4a79817812658ff (patch) | |
tree | 112981aadbc6b3db1146c8765f8542fd305a6433 /runsc/boot | |
parent | 7c6ab6a219f37a1d4c18ced4a602458fcf363f85 (diff) |
Update p9 to support flipcall.
PiperOrigin-RevId: 268845090
Diffstat (limited to 'runsc/boot')
-rw-r--r-- | runsc/boot/filter/config.go | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 7ca776b3a..a2ecc6bcb 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -88,14 +88,24 @@ var allowedSyscalls = seccomp.SyscallRules{
 seccomp.AllowValue(linux.FUTEX_WAIT | linux.FUTEX_PRIVATE_FLAG),
 seccomp.AllowAny{},
 seccomp.AllowAny{},
- seccomp.AllowValue(0),
 },
 {
 seccomp.AllowAny{},
 seccomp.AllowValue(linux.FUTEX_WAKE | linux.FUTEX_PRIVATE_FLAG),
 seccomp.AllowAny{},
+ },
+ // Non-private variants are included for flipcall support. They are otherwise
+ // unncessary, as the sentry will use only private futexes internally.
+ {
+ seccomp.AllowAny{},
+ seccomp.AllowValue(linux.FUTEX_WAIT),
+ seccomp.AllowAny{},
+ seccomp.AllowAny{},
+ },
+ {
+ seccomp.AllowAny{},
+ seccomp.AllowValue(linux.FUTEX_WAKE),
 seccomp.AllowAny{},
- seccomp.AllowValue(0),
 },
 },
 syscall.SYS_GETPID: {}, |
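Review bot: Both private futex rules lose their `seccomp.AllowValue(0)` constraint on the fifth argument (uaddr2), visible at the two `-` lines, which widens the filter beyond the non-private FUTEX_WAIT/FUTEX_WAKE additions that the new comment and the commit message actually describe. Nothing in the hunk says why uaddr2 may now be non-zero, so someone auditing the seccomp policy later cannot tell whether this relaxation is required by flipcall or merely incidental; a one-line comment next to the private rules stating the reason uaddr2 is no longer pinned, or a sentence in the commit description, would close that gap. The new non-private rules mirror the private ones argument-for-argument, so the policy is at least internally consistent. Minor: `unncessary` in the added comment should read `unnecessary`. The enclosing `allowedSyscalls` literal starts and ends outside the hunk.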