-rw-r--r-- | pkg/seccomp/BUILD | 2 | ||||
-rw-r--r-- | pkg/seccomp/seccomp.go | 4 | ||||
-rw-r--r-- | pkg/seccomp/seccomp_amd64.go | 26 | ||||
-rw-r--r-- | pkg/seccomp/seccomp_arm64.go | 26 | ||||
-rw-r--r-- | pkg/seccomp/seccomp_unsafe.go | 5 |
5 files changed, 56 insertions, 7 deletions
diff --git a/pkg/seccomp/BUILD b/pkg/seccomp/BUILD
index 0e9c4692d..2a59ebbce 100644
--- a/pkg/seccomp/BUILD
+++ b/pkg/seccomp/BUILD
@@ -22,6 +22,8 @@ go_library(
 name = "seccomp",
 srcs = [
 "seccomp.go",
+ "seccomp_amd64.go",
+ "seccomp_arm64.go",
 "seccomp_rules.go",
 "seccomp_unsafe.go",
 ],
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
index 50c9409e4..cc142a497 100644
--- a/pkg/seccomp/seccomp.go
+++ b/pkg/seccomp/seccomp.go
@@ -123,11 +123,11 @@ func BuildProgram(rules []RuleSet, defaultAction linux.BPFAction) ([]linux.BPFIn
 // Be paranoid and check that syscall is done in the expected architecture.
 //
 // A = seccomp_data.arch
- // if (A != AUDIT_ARCH_X86_64) goto defaultAction.
+ // if (A != AUDIT_ARCH) goto defaultAction.
 program.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetArch)
 // defaultLabel is at the bottom of the program. The size of program
 // may exceeds 255 lines, which is the limit of a condition jump.
- program.AddJump(bpf.Jmp|bpf.Jeq|bpf.K, linux.AUDIT_ARCH_X86_64, skipOneInst, 0)
+ program.AddJump(bpf.Jmp|bpf.Jeq|bpf.K, LINUX_AUDIT_ARCH, skipOneInst, 0)
 program.AddDirectJumpLabel(defaultLabel)
 if err := buildIndex(rules, program); err != nil {
 return nil, err
diff --git a/pkg/seccomp/seccomp_amd64.go b/pkg/seccomp/seccomp_amd64.go
new file mode 100644
index 000000000..02dfb8d9f
--- /dev/null
+++ b/pkg/seccomp/seccomp_amd64.go
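Review bot: The updated comment `// if (A != AUDIT_ARCH) goto defaultAction.` no longer names the constant that the next added line actually compares against (`LINUX_AUDIT_ARCH`), so the pseudo-code and the BPF instruction drift apart; change it to `// if (A != LINUX_AUDIT_ARCH) goto defaultAction.` so a reader can match the two. The comment is also the right place to say why this check is load-bearing: a syscall issued through a different ABI arrives with a different seccomp_data.arch and must fall through to defaultAction instead of being matched against this architecture's syscall numbers. One caveat worth recording there: on x86-64 the x32 ABI reports AUDIT_ARCH_X86_64 as well and differs only by a high bit in nr, so this arch check alone does not exclude it, and whether the number dispatch built by buildIndex rejects such values is outside this hunk. BuildProgram starts and ends outside the hunk.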
@@ -0,0 +1,26 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build amd64
+
+package seccomp
+
+import (
+ "gvisor.googlesource.com/gvisor/pkg/abi/linux"
+)
+
+const (
+ LINUX_AUDIT_ARCH = linux.AUDIT_ARCH_X86_64
+ SYS_SECCOMP = 317
+)
diff --git a/pkg/seccomp/seccomp_arm64.go b/pkg/seccomp/seccomp_arm64.go
new file mode 100644
index 000000000..b575bcdbf
--- /dev/null
+++ b/pkg/seccomp/seccomp_arm64.go
@@ -0,0 +1,26 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build arm64
+
+package seccomp
+
+import (
+ "gvisor.googlesource.com/gvisor/pkg/abi/linux"
+)
+
+const (
+ LINUX_AUDIT_ARCH = linux.AUDIT_ARCH_AARCH64
+ SYS_SECCOMP = 277
+)
diff --git a/pkg/seccomp/seccomp_unsafe.go b/pkg/seccomp/seccomp_unsafe.go
index ccd40d9db..ebb6397e8 100644
--- a/pkg/seccomp/seccomp_unsafe.go
+++ b/pkg/seccomp/seccomp_unsafe.go
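Review bot: `LINUX_AUDIT_ARCH` and `SYS_SECCOMP` in seccomp_amd64.go (and the same two names in seccomp_arm64.go) are ALL_CAPS exported identifiers, which both departs from Go naming and turns two pieces of internal plumbing into package API; unexported MixedCaps names such as `linuxAuditArch = linux.AUDIT_ARCH_X86_64` and `sysSeccomp = 317` keep them private, with the two callers in seccomp.go and seccomp_unsafe.go renamed to match. Each constant should also carry a doc comment stating what it is and where the value comes from, e.g. `// sysSeccomp is the seccomp(2) syscall number for this GOARCH; the syscall package does not define it.`, because the two numbers are easy to transpose between architectures and nothing in the diff cross-checks them. The `// +build amd64` (resp. `// +build arm64`) line is redundant with the `_amd64.go`/`_arm64.go` filename suffix, which already restricts each file to that GOARCH, and can be dropped.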
@@ -12,8 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// +build amd64
-
 package seccomp
 
 import (
@@ -65,9 +63,6 @@ func isKillProcessAvailable() (bool, error) {
 //
 //go:nosplit
 func seccomp(op, flags uint32, ptr unsafe.Pointer) syscall.Errno {
- // SYS_SECCOMP is not available in syscall package.
- const SYS_SECCOMP = 317
-
 if _, _, errno := syscall.RawSyscall(SYS_SECCOMP, uintptr(op), uintptr(flags), uintptr(ptr)); errno != 0 {
 return errno
 }
|
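Review bot: Dropping `// +build amd64` in the first hunk makes seccomp_unsafe.go compile for every GOARCH, but the `SYS_SECCOMP` it now references in the second hunk is defined only by seccomp_amd64.go and seccomp_arm64.go, so on any other architecture the package goes from a clean exclusion to an undefined-identifier build error. If that is intended, a one-line comment near the import block such as `// Per-GOARCH values (LINUX_AUDIT_ARCH, SYS_SECCOMP) live in seccomp_<arch>.go; add a file there to support a new architecture.` tells the next reader where support goes. The Bazel target in BUILD may already restrict the supported platforms, which would make this moot, but nothing in the diff shows that. The `seccomp` wrapper in the second hunk still returns the raw errno from RawSyscall, so a wrong per-architecture number would surface as an error at install time rather than as a silently absent filter, which is the right failure mode to keep.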