seccomp: add support for "swapcontext" syscall in default policy

This system call is only available on the 32- and 64-bit PowerPC, it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environment, such as Systemd nspawn already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby. This issue was encountered on Alpine Linux GitLab CI system, which uses moby, when attempting to execute gcc-go compiled software on ppc64le. [1]: https://github.com/systemd/systemd/pull/9487 [2]: https://github.com/systemd/systemd/issues/9485 Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net>
2022-11-09 12:21:53 -05:00 · 2021-12-18 14:06:07 +01:00 · 2021-12-18 14:06:07 +01:00 · 85eaf23bf4
commit 85eaf23bf4
parent 10aecb0e65
2 changed files with 3 additions and 1 deletions
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@ -474,7 +474,8 @@
 		},
 		{
 			"names": [
-				"sync_file_range2"
+				"sync_file_range2",
+				"swapcontext"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"includes": {
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@ -474,6 +474,7 @@ func DefaultProfile() *Seccomp {
 			LinuxSyscall: specs.LinuxSyscall{
 				Names: []string{
 					"sync_file_range2",
+					"swapcontext",
 				},
 				Action: specs.ActAllow,
 			},