From 85eaf23bf46b12827273ab2ff523c753117dbdc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Tempel?=
Date: Sat, 18 Dec 2021 14:06:07 +0100
Subject: [PATCH] seccomp: add support for "swapcontext" syscall in default policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This system call is only available on the 32- and 64-bit PowerPC, it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environment, such as Systemd nspawn already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby. This issue was encountered on Alpine Linux GitLab CI system, which uses moby, when attempting to execute gcc-go compiled software on ppc64le.

[1]: https://github.com/systemd/systemd/pull/9487
[2]: https://github.com/systemd/systemd/issues/9485

Signed-off-by: Sören Tempel
---
 profiles/seccomp/default.json | 3 ++-
 profiles/seccomp/default_linux.go | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index fbf3ac8396..80213ddaca 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -474,7 +474,8 @@
 },
 {
 "names": [
- "sync_file_range2"
+ "sync_file_range2",
+ "swapcontext"
 ],
 "action": "SCMP_ACT_ALLOW",
 "includes": {
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index f7d93d2cc4..e51f1018aa 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -474,6 +474,7 @@ func DefaultProfile() *Seccomp {
 LinuxSyscall: specs.LinuxSyscall{
 Names: []string{
 "sync_file_range2",
+ "swapcontext",
 },
 Action: specs.ActAllow,
 },
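Review bot: The new `"swapcontext"` entry inherits whatever architecture gating the `"includes": {` block that closes this hunk applies, and that arch list is outside the hunk, so whether 32-bit PowerPC (which the commit message says is covered) actually gets the syscall depends on a list that previously only had to fit `sync_file_range2`; the arches there should be checked against where `swapcontext` exists before merging. Placing the syscall in an arch-restricted group rather than the unconditional allowlist is the right shape, because the default profile's attack surface on every other architecture stays unchanged, and it is worth stating that in the commit message. The same consideration applies to the `default_linux.go` hunk, whose `Includes` field is likewise outside the hunk; both files must keep the same arch list or the JSON and Go profiles will diverge. If the `names` arrays are kept alphabetically sorted elsewhere in these files, `"swapcontext"` belongs before `"sync_file_range2"` in both hunks.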