moby--moby

History

Michael Holzheu bf2a577c13 Enable seccomp for s390x To implement seccomp for s390x the following changes are required: 1) seccomp_default: Add s390 compat mode On s390x (64 bit) we can run s390 (32 bit) programs in 32 bit compat mode. Therefore add this information to arches(). 2) seccomp_default: Use correct flags parameter for sys_clone on s390x On s390x the second parameter for the clone system call is the flags parameter. On all other architectures it is the first one. See kernel code kernel/fork.c: #elif defined(CONFIG_CLONE_BACKWARDS2) SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags, int __user , parent_tidptr, So fix the docker default seccomp rule and check for the second parameter on s390/s390x. 3) seccomp_default: Add s390 specific syscalls For s390 we currently have three additional system calls that should be added to the seccomp whitelist: - Other architectures can read/write unprivileged from/to PCI MMIO memory. On s390 the instructions are privileged and therefore we need system calls for that purpose: s390_pci_mmio_write() * s390_pci_mmio_read() - Runtime instrumentation: * s390_runtime_instr() 4) test_integration: Do not run seccomp default profile test on s390x The generated profile that we check in is for amd64 and i386 architectures and does not work correctly on s390x. See also: `75385dc216` ("Do not run the seccomp tests that use default.json on non x86 architectures") 5) Dockerfile.s390x: Add "seccomp" to DOCKER_BUILDTAGS Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>	2016-06-06 08:13:22 -04:00
..
apparmor	profiles: apparmor: actually calculate version	2016-03-20 19:03:19 +11:00
seccomp	Enable seccomp for s390x	2016-06-06 08:13:22 -04:00

Michael Holzheu bf2a577c13 Enable seccomp for s390x

To implement seccomp for s390x the following changes are required:

1) seccomp_default: Add s390 compat mode

   On s390x (64 bit) we can run s390 (32 bit) programs in 32 bit
   compat mode. Therefore add this information to arches().

2) seccomp_default: Use correct flags parameter for sys_clone on s390x

   On s390x the second parameter for the clone system call is the flags
   parameter. On all other architectures it is the first one.

   See kernel code kernel/fork.c:

   #elif defined(CONFIG_CLONE_BACKWARDS2)
   SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
                   int __user *, parent_tidptr,

   So fix the docker default seccomp rule and check for the second
   parameter on s390/s390x.

3) seccomp_default: Add s390 specific syscalls

  For s390 we currently have three additional system calls that should
  be added to the seccomp whitelist:

  - Other architectures can read/write unprivileged from/to PCI MMIO memory.
    On s390 the instructions are privileged and therefore we need system
    calls for that purpose:

    * s390_pci_mmio_write()
    * s390_pci_mmio_read()

  - Runtime instrumentation:

    * s390_runtime_instr()

4) test_integration: Do not run seccomp default profile test on s390x

   The generated profile that we check in is for amd64 and i386
   architectures and does not work correctly on s390x.

   See also: 75385dc216 ("Do not run the seccomp tests that use
   default.json on non x86 architectures")

5) Dockerfile.s390x: Add "seccomp" to DOCKER_BUILDTAGS

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>

2016-06-06 08:13:22 -04:00

apparmor profiles: apparmor: actually calculate version 2016-03-20 19:03:19 +11:00

seccomp Enable seccomp for s390x 2016-06-06 08:13:22 -04:00