Allow CLONE_SETTLS for Go 1.16

https://go.googlesource.com/go/+/0941fc3 switches the Go runtime (on amd64) from using arch_prctl(ARCH_SET_FS) to CLONE_SETTLS to set the TLS. PiperOrigin-RevId: 333100550
author: Michael Pratt <mpratt@google.com> 2020-09-22 09:56:06 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-09-22 09:58:09 -0700
commit: 13a9a622e13ccdda76ed02d3de99b565212f6b2f (patch)
tree: 434959a5e7709ecd5e0cef35f3179951b4254def /runsc/fsgofer
parent: f134f873fc75f941405de7d0e046852a38795bec (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/runsc/fsgofer/filter/config_amd64.go b/runsc/fsgofer/filter/config_amd64.go
index 57b741a5c..686753d96 100644
--- a/runsc/fsgofer/filter/config_amd64.go
+++ b/runsc/fsgofer/filter/config_amd64.go
@@ -25,6 +25,7 @@ import (
 
 func init() {
 	allowedSyscalls[syscall.SYS_ARCH_PRCTL] = []seccomp.Rule{
+		// TODO(b/168828518): No longer used in Go 1.16+.
 		{seccomp.EqualTo(linux.ARCH_SET_FS)},
 	}
 
@@ -36,6 +37,21 @@ func init() {
 				syscall.CLONE_VM |
 					syscall.CLONE_FS |
 					syscall.CLONE_FILES |
+					syscall.CLONE_SETTLS |
+					syscall.CLONE_SIGHAND |
+					syscall.CLONE_SYSVSEM |
+					syscall.CLONE_THREAD),
+			seccomp.MatchAny{}, // newsp
+			seccomp.EqualTo(0), // parent_tidptr
+			seccomp.EqualTo(0), // child_tidptr
+			seccomp.MatchAny{}, // tls
+		},
+		{
+			// TODO(b/168828518): No longer used in Go 1.16+ (on amd64).
+			seccomp.EqualTo(
+				syscall.CLONE_VM |
+					syscall.CLONE_FS |
+					syscall.CLONE_FILES |
 					syscall.CLONE_SIGHAND |
 					syscall.CLONE_SYSVSEM |
 					syscall.CLONE_THREAD),
author	Michael Pratt <mpratt@google.com>	2020-09-22 09:56:06 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-09-22 09:58:09 -0700
commit	13a9a622e13ccdda76ed02d3de99b565212f6b2f (patch)
tree	434959a5e7709ecd5e0cef35f3179951b4254def /runsc/fsgofer
parent	f134f873fc75f941405de7d0e046852a38795bec (diff)