authorMichael Pratt <mpratt@google.com>2021-02-04 14:54:42 -0800
committergVisor bot <gvisor-bot@google.com>2021-02-04 14:56:26 -0800
commit41510d2746756818269b0bf8f3961f026a0c247c (patch)
treed43f34014298b0c11dc654da3ab754c6a1277ff2 /runsc
parentaed9d8ce9a80f35dda2e44290d14e6ed5a627e30 (diff)
Move getcpu() to core filter list
Some versions of the Go runtime call getcpu(), so add it for compatibility. The hostcpu package already uses getcpu() on arm64. PiperOrigin-RevId: 355717757
Diffstat (limited to 'runsc')
-rw-r--r--runsc/boot/filter/config.go9
-rw-r--r--runsc/fsgofer/filter/config.go9
2 files changed, 18 insertions, 0 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index eacd73531..2a8c916d5 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -100,6 +100,15 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.MatchAny{},
},
},
+ // getcpu is used by some versions of the Go runtime and by the hostcpu
+ // package on arm64.
+ unix.SYS_GETCPU: []seccomp.Rule{
+ {
+ seccomp.MatchAny{},
+ seccomp.EqualTo(0),
+ seccomp.EqualTo(0),
+ },
+ },
syscall.SYS_GETPID: {},
unix.SYS_GETRANDOM: {},
syscall.SYS_GETSOCKOPT: []seccomp.Rule{
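Review bot: The comment on the new `unix.SYS_GETCPU` entry says why the syscall is allowed but not why its second and third arguments are pinned with `seccomp.EqualTo(0)`. In a seccomp allowlist the argument constraint is the security-relevant part, so I would add a line such as `// Only the cpu out-pointer (arg 0) may be set; node and tcache (args 1 and 2) must be NULL.` The identical entry in runsc/fsgofer/filter/config.go needs the same line. The `allowedSyscalls` literal begins and ends outside this hunk, so I cannot tell whether other entries follow a different commenting convention.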
diff --git a/runsc/fsgofer/filter/config.go b/runsc/fsgofer/filter/config.go
index 39b8a0b1e..f92e2f80e 100644
--- a/runsc/fsgofer/filter/config.go
+++ b/runsc/fsgofer/filter/config.go
@@ -107,6 +107,15 @@ var allowedSyscalls = seccomp.SyscallRules{
seccomp.MatchAny{},
},
},
+ // getcpu is used by some versions of the Go runtime and by the hostcpu
+ // package on arm64.
+ unix.SYS_GETCPU: []seccomp.Rule{
+ {
+ seccomp.MatchAny{},
+ seccomp.EqualTo(0),
+ seccomp.EqualTo(0),
+ },
+ },
syscall.SYS_GETDENTS64: {},
syscall.SYS_GETPID: {},
unix.SYS_GETRANDOM: {},
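Review bot: The justification comment on this `unix.SYS_GETCPU` entry is copied verbatim from the boot filter, and the hunk does not show whether the gofer process actually links the hostcpu package. If only the Go runtime reason applies here, the comment should say so, for example `// getcpu is used by some versions of the Go runtime.` Each allowlist entry is easier to audit, and to remove later, when its stated reason is specific to the process the filter protects. The `allowedSyscalls` literal continues outside the hunk.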