From a83cedddc6d3e0fe1df352ec54245090df641ab8 Mon Sep 17 00:00:00 2001
From: Justin Cormack <justin.cormack@docker.com>
Date: Mon, 23 May 2016 15:19:19 -0700
Subject: [PATCH] Enable seccomp on ppc64le

In order to do this, allow the socketcall syscall in the default
seccomp profile. This is a multiplexing syscall for the socket
operations, which is becoming obsolete gradually, but it is used
in some architectures. libseccomp has special handling for it for
x86 where it is common, so we did not need it in the profile,
but does not have any handling for ppc64le. It turns out that the
Debian images we use for tests do use the socketcall, while the
newer images such as Ubuntu 16.04 do not. Enabling this does no
harm as we allow all the socket operations anyway, and we allow
the similar ipc call for similar reasons already.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
---
 Dockerfile.ppc64le                  | 2 +-
 profiles/seccomp/default.json       | 5 +++++
 profiles/seccomp/seccomp_default.go | 5 +++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le
index ec01544997..f2f0c28e2a 100644
--- a/Dockerfile.ppc64le
+++ b/Dockerfile.ppc64le
@@ -168,7 +168,7 @@ RUN useradd --create-home --gid docker unprivilegeduser
 
 VOLUME /var/lib/docker
 WORKDIR /go/src/github.com/docker/docker
-ENV DOCKER_BUILDTAGS apparmor pkcs11 selinux
+ENV DOCKER_BUILDTAGS apparmor pkcs11 seccomp selinux
 
 # Let us use a .bashrc file
 RUN ln -sfv $PWD/.bashrc ~/.bashrc
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 049195fe97..212ff49942 100755
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -1292,6 +1292,11 @@
 			"action": "SCMP_ACT_ALLOW",
 			"args": []
 		},
+		{
+			"name": "socketcall",
+			"action": "SCMP_ACT_ALLOW",
+			"args": []
+		},
 		{
 			"name": "socketpair",
 			"action": "SCMP_ACT_ALLOW",
diff --git a/profiles/seccomp/seccomp_default.go b/profiles/seccomp/seccomp_default.go
index 36aab3479a..a088412351 100644
--- a/profiles/seccomp/seccomp_default.go
+++ b/profiles/seccomp/seccomp_default.go
@@ -1321,6 +1321,11 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
 			Action: types.ActAllow,
 			Args:   []*types.Arg{},
 		},
+		{
+			Name:   "socketcall",
+			Action: types.ActAllow,
+			Args:   []*types.Arg{},
+		},
 		{
 			Name:   "socketpair",
 			Action: types.ActAllow,