From 1336af78d5dc2a6bc54d22ed45f4dd4793c2f964 Mon Sep 17 00:00:00 2001
From: Jamie Liu
Date: Tue, 6 Oct 2020 13:53:26 -0700
Subject: Implement membarrier(2) commands other than *_SYNC_CORE.
Updates #267
PiperOrigin-RevId: 335713923
---
runsc/boot/filter/config.go | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'runsc')
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 6ac19668f..a7c4ebb0c 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -162,6 +162,12 @@ var allowedSyscalls = seccomp.SyscallRules{
 },
 syscall.SYS_LSEEK: {},
 syscall.SYS_MADVISE: {},
+ unix.SYS_MEMBARRIER: []seccomp.Rule{
+ {
+ seccomp.EqualTo(linux.MEMBARRIER_CMD_GLOBAL),
+ seccomp.EqualTo(0),
+ },
+ },
 syscall.SYS_MINCORE: {},
 // Used by the Go runtime as a temporarily workaround for a Linux
 // 5.2-5.4 bug.
--
cgit v1.2.3
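Review bot: The new `unix.SYS_MEMBARRIER` entry has no comment saying why the host filter admits only `MEMBARRIER_CMD_GLOBAL` with `flags == 0`, even though the commit title covers every command except `*_SYNC_CORE`. Without that, a later maintainer may widen the rule. I would add above the entry something like `// Only MEMBARRIER_CMD_GLOBAL with flags == 0 is issued on the host; keep this rule as narrow as the sentry's actual host calls.` This follows the explanatory comment already on the neighbouring `SYS_MINCORE` entry. The host-side caller is not visible in this hunk, so please confirm that no other membarrier command (a `MEMBARRIER_CMD_QUERY` support probe, for instance) is issued after the filter is installed, since that would presumably trip the filter. The `allowedSyscalls` literal starts and ends outside the hunk.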