From ebe2f78d9bc8639f0967c08777a3c9431ac44700 Mon Sep 17 00:00:00 2001
From: Bin Lu
Date: Fri, 3 May 2019 22:02:51 -0700
Subject: Add arm64 support to pkg/seccomp

Signed-off-by: Bin Lu
PiperOrigin-RevId: 246622505
Change-Id: I803639a0c5b0f75959c64fee5385314214834d10
---
 pkg/seccomp/BUILD | 2 ++
 pkg/seccomp/seccomp.go | 4 ++--
 pkg/seccomp/seccomp_amd64.go | 26 ++++++++++++++++++++++++++
 pkg/seccomp/seccomp_arm64.go | 26 ++++++++++++++++++++++++++
 pkg/seccomp/seccomp_unsafe.go | 5 -----
 5 files changed, 56 insertions(+), 7 deletions(-)
 create mode 100644 pkg/seccomp/seccomp_amd64.go
 create mode 100644 pkg/seccomp/seccomp_arm64.go

diff --git a/pkg/seccomp/BUILD b/pkg/seccomp/BUILD
index 0e9c4692d..2a59ebbce 100644
--- a/pkg/seccomp/BUILD
+++ b/pkg/seccomp/BUILD
@@ -22,6 +22,8 @@ go_library(
 name = "seccomp",
 srcs = [
 "seccomp.go",
+ "seccomp_amd64.go",
+ "seccomp_arm64.go",
 "seccomp_rules.go",
 "seccomp_unsafe.go",
 ],
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go
index 50c9409e4..cc142a497 100644
--- a/pkg/seccomp/seccomp.go
+++ b/pkg/seccomp/seccomp.go
@@ -123,11 +123,11 @@ func BuildProgram(rules []RuleSet, defaultAction linux.BPFAction) ([]linux.BPFIn
 // Be paranoid and check that syscall is done in the expected architecture.
 //
 // A = seccomp_data.arch
- // if (A != AUDIT_ARCH_X86_64) goto defaultAction.
+ // if (A != AUDIT_ARCH) goto defaultAction.
 program.AddStmt(bpf.Ld|bpf.Abs|bpf.W, seccompDataOffsetArch)
 // defaultLabel is at the bottom of the program. The size of program
 // may exceeds 255 lines, which is the limit of a condition jump.
- program.AddJump(bpf.Jmp|bpf.Jeq|bpf.K, linux.AUDIT_ARCH_X86_64, skipOneInst, 0)
+ program.AddJump(bpf.Jmp|bpf.Jeq|bpf.K, LINUX_AUDIT_ARCH, skipOneInst, 0)
 program.AddDirectJumpLabel(defaultLabel)
 if err := buildIndex(rules, program); err != nil {
 return nil, err
diff --git a/pkg/seccomp/seccomp_amd64.go b/pkg/seccomp/seccomp_amd64.go
new file mode 100644
index 000000000..02dfb8d9f
--- /dev/null
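Review bot: The rewritten comment in the BuildProgram hunk names a constant that does not exist: it reads `// if (A != AUDIT_ARCH) goto defaultAction.` while the jump two lines below compares against `LINUX_AUDIT_ARCH`; change it to `// if (A != LINUX_AUDIT_ARCH) goto defaultAction.` so the pseudo-code matches the program. This compare is what keeps a syscall issued under a different ABI from being matched against the rule set, so the comment should make it obvious which per-GOARCH constant is in play. BuildProgram begins and ends outside this hunk.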
+++ b/pkg/seccomp/seccomp_amd64.go
@@ -0,0 +1,26 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build amd64
+
+package seccomp
+
+import (
+ "gvisor.googlesource.com/gvisor/pkg/abi/linux"
+)
+
+const (
+ LINUX_AUDIT_ARCH = linux.AUDIT_ARCH_X86_64
+ SYS_SECCOMP = 317
+)
diff --git a/pkg/seccomp/seccomp_arm64.go b/pkg/seccomp/seccomp_arm64.go
new file mode 100644
index 000000000..b575bcdbf
--- /dev/null
+++ b/pkg/seccomp/seccomp_arm64.go
@@ -0,0 +1,26 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build arm64
+
+package seccomp
+
+import (
+ "gvisor.googlesource.com/gvisor/pkg/abi/linux"
+)
+
+const (
+ LINUX_AUDIT_ARCH = linux.AUDIT_ARCH_AARCH64
+ SYS_SECCOMP = 277
+)
diff --git a/pkg/seccomp/seccomp_unsafe.go b/pkg/seccomp/seccomp_unsafe.go
index ccd40d9db..ebb6397e8 100644
--- a/pkg/seccomp/seccomp_unsafe.go
+++ b/pkg/seccomp/seccomp_unsafe.go
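Review bot: The two new exported constants in seccomp_amd64.go, `LINUX_AUDIT_ARCH` and `SYS_SECCOMP`, have no doc comment and use underscore ALL_CAPS names that golint will flag; the same applies to the mirror file seccomp_arm64.go. The rationale this commit deletes from seccomp_unsafe.go ("SYS_SECCOMP is not available in syscall package") should travel with the constant, e.g. `// SYS_SECCOMP is the seccomp(2) syscall number for amd64; the syscall package does not define it.` and `// LINUX_AUDIT_ARCH is the seccomp_data.arch value BuildProgram requires before any rule is consulted.` If nothing outside the package needs them, unexported MixedCaps names such as `linuxAuditArch` and `sysSeccomp` would fit Go style better, though whether other packages reference them is not visible here.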
@@ -12,8 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// +build amd64
-
 package seccomp
 
 import (
@@ -65,9 +63,6 @@ func isKillProcessAvailable() (bool, error) {
 //
 //go:nosplit
 func seccomp(op, flags uint32, ptr unsafe.Pointer) syscall.Errno {
- // SYS_SECCOMP is not available in syscall package.
- const SYS_SECCOMP = 317
-
 if _, _, errno := syscall.RawSyscall(SYS_SECCOMP, uintptr(op), uintptr(flags), uintptr(ptr)); errno != 0 {
 return errno
 }
-- 
cgit v1.2.3