moby/profiles/seccomp
Michael Holzheu bf2a577c13 Enable seccomp for s390x
To implement seccomp for s390x the following changes are required:

1) seccomp_default: Add s390 compat mode

   On s390x (64 bit) we can run s390 (32 bit) programs in 32 bit
   compat mode. Therefore add this information to arches().

2) seccomp_default: Use correct flags parameter for sys_clone on s390x

   On s390x the second parameter for the clone system call is the flags
   parameter. On all other architectures it is the first one.

   See kernel code kernel/fork.c:

   #elif defined(CONFIG_CLONE_BACKWARDS2)
   SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
                   int __user *, parent_tidptr,

   So fix the docker default seccomp rule and check for the second
   parameter on s390/s390x.

3) seccomp_default: Add s390 specific syscalls

  For s390 we currently have three additional system calls that should
  be added to the seccomp whitelist:

  - Other architectures can read/write unprivileged from/to PCI MMIO memory.
    On s390 the instructions are privileged and therefore we need system
    calls for that purpose:

    * s390_pci_mmio_write()
    * s390_pci_mmio_read()

  - Runtime instrumentation:

    * s390_runtime_instr()

4) test_integration: Do not run seccomp default profile test on s390x

   The generated profile that we check in is for amd64 and i386
   architectures and does not work correctly on s390x.

   See also: 75385dc216 ("Do not run the seccomp tests that use
   default.json on non x86 architectures")

5) Dockerfile.s390x: Add "seccomp" to DOCKER_BUILDTAGS

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-06-06 08:13:22 -04:00
..
fixtures move default seccomp profile into package 2016-01-21 16:55:29 -08:00
default.json Do not restrict chown via seccomp, just let capabilities control access 2016-05-25 12:49:30 -07:00
generate.go Align default seccomp profile with selected capabilities 2016-05-11 09:30:23 +01:00
seccomp.go Align default seccomp profile with selected capabilities 2016-05-11 09:30:23 +01:00
seccomp_default.go Enable seccomp for s390x 2016-06-06 08:13:22 -04:00
seccomp_test.go add seccomp default profile fix tests 2016-02-19 13:32:54 -08:00
seccomp_unsupported.go Align default seccomp profile with selected capabilities 2016-05-11 09:30:23 +01:00