
     1  Origin: upstream, https://github.com/moby/moby/pull/43005
     2  
     3  Index: docker/engine/profiles/seccomp/default.json
     4  ===================================================================
     5  --- docker.orig/engine/profiles/seccomp/default.json
     6  +++ docker/engine/profiles/seccomp/default.json
     7  @@ -686,11 +686,41 @@
     8   			"action": "SCMP_ACT_ERRNO",
     9   			"errnoRet": 38,
    10   			"args": [],
    11  -			"comment": "",
    12  +			"comment": "ENOSYS for clone3 on non-mips architectures",
    13   			"includes": {},
    14   			"excludes": {
    15   				"caps": [
    16   					"CAP_SYS_ADMIN"
    17  +				],
    18  +				"arches": [
    19  +					"mips3l64n32",
    20  +					"mips64",
    21  +					"mips64n32",
    22  +					"mipsel",
    23  +					"mipsel64"
    24  +				]
    25  +			}
    26  +		},
    27  +		{
    28  +			"names": [
    29  +				"clone3"
    30  +			],
    31  +			"action": "SCMP_ACT_ERRNO",
    32  +			"errnoRet": 89,
    33  +			"args": [],
    34  +			"comment": "ENOSYS for clone3 on mips architectures",
    35  +			"includes": {
    36  +				"arches": [
    37  +					"mips3l64n32",
    38  +					"mips64",
    39  +					"mips64n32",
    40  +					"mipsel",
    41  +					"mipsel64"
    42  +				]
    43  +			},
    44  +			"excludes": {
    45  +				"caps": [
    46  +					"CAP_SYS_ADMIN"
    47   				]
    48   			}
    49   		},
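Review bot: The `arches` array added under `excludes` and repeated under `includes` contains `"mips3l64n32"`, which does not follow the naming pattern of its neighbours (`"mipsel64"` and `"mips64n32"` suggest `"mipsel64n32"` was intended), and no plain `"mips"` entry is present; the table these names are matched against is not visible on this page, so treat this as something to confirm rather than a certain defect. It matters because the two clone3 rules are complements — the first excludes this list, the second includes it — so any architecture whose name does not match stays on the first rule and receives `errnoRet` 38, a value the Go comment in this same patch says is not ENOSYS on MIPS, meaning libc would see an unexpected error instead of falling back to clone(). The identical list appears twice more in the default_linux.go hunk `@@ -605,6 +622,23 @@`, so all four copies need the same correction. If the repository does not already have a test asserting that the generated default.json matches `DefaultProfile()`, this hand-maintained duplication is a good reason to add one.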
    50  Index: docker/engine/profiles/seccomp/default_linux.go
    51  ===================================================================
    52  --- docker.orig/engine/profiles/seccomp/default_linux.go
    53  +++ docker/engine/profiles/seccomp/default_linux.go
    54  @@ -41,9 +41,26 @@ func arches() []Architecture {
    55   	}
    56   }
    57   
    58  +const (
    59  +	enosys     uint = 0x26 // enosys for non-mips architectures.
    60  +	enosysMIPS uint = 0x59 // enosys for mips architectures.
    61  +)
    62  +
    63   // DefaultProfile defines the allowed syscalls for the default seccomp profile.
    64   func DefaultProfile() *Seccomp {
    65  -	nosys := uint(unix.ENOSYS)
    66  +	// The value of ENOSYS differs between MIPS and non-MIPS architectures. While
    67  +	// this is not problematic for the embedded seccomp profile, it prevents the
    68  +	// profile from being saved as a portable JSON file that can be used for both
    69  +	// architectures.
    70  +	// To work around this situation, we include conditional rules for both arches.
    71  +	// and hard-code the value for ENOSYS in both.
    72  +	// For more details, refer to https://github.com/moby/moby/pull/42836#issuecomment-963429850
    73  +	// and https://github.com/opencontainers/runtime-spec/pull/1087#issuecomment-963463475
    74  +	var (
    75  +		nosys     = enosys
    76  +		nosysMIPS = enosysMIPS
    77  +	)
    78  +
    79   	syscalls := []*Syscall{
    80   		{
    81   			Names: []string{
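Review bot: The `var ( nosys = enosys; nosysMIPS = enosysMIPS )` block introduces two locals that are never reassigned, and nothing explains why the constants are not used directly; a one-line comment such as `// ErrnoRet is a *uint, so the constants are copied into addressable locals.` would stop a later reader from "simplifying" them away and breaking the `&nosys`/`&nosysMIPS` address-takes in the next hunk. The explanatory comment also has a stray period in `conditional rules for both arches. and hard-code the value`, which reads as two fragments. Since the hex constants have to agree with the decimal `errnoRet` values in default.json, it would help to say so on the declarations, e.g. `enosys uint = 0x26 // 38: ENOSYS on non-mips; must match errnoRet in default.json` and the same for `0x59` (89). The body of `DefaultProfile` continues past the end of this hunk.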
    82  @@ -605,6 +622,23 @@ func DefaultProfile() *Seccomp {
    83   			Action:   specs.ActErrno,
    84   			ErrnoRet: &nosys,
    85   			Args:     []*specs.LinuxSeccompArg{},
    86  +			Comment:  "ENOSYS for clone3 on non-mips architectures",
    87  +			Excludes: Filter{
    88  +				Arches: []string{"mips3l64n32", "mips64", "mips64n32", "mipsel", "mipsel64"},
    89  +				Caps:   []string{"CAP_SYS_ADMIN"},
    90  +			},
    91  +		},
    92  +		{
    93  +			Names: []string{
    94  +				"clone3",
    95  +			},
    96  +			Action:   specs.ActErrno,
    97  +			ErrnoRet: &nosysMIPS,
    98  +			Args:     []*specs.LinuxSeccompArg{},
    99  +			Comment:  "ENOSYS for clone3 on mips architectures",
   100  +			Includes: Filter{
   101  +				Arches: []string{"mips3l64n32", "mips64", "mips64n32", "mipsel", "mipsel64"},
   102  +			},
   103   			Excludes: Filter{
   104   				Caps: []string{"CAP_SYS_ADMIN"},
   105   			},
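Review bot: The MIPS architecture slice is written out twice in this hunk, once under `Excludes` in the first clone3 rule and once under `Includes` in the second, and the pair is only correct while the two lists stay byte-identical, because the second rule must cover exactly the architectures the first one excludes. Declaring it once next to the new constants, `var mipsArches = []string{"mips3l64n32", "mips64", "mips64n32", "mipsel", "mipsel64"}`, and writing `Arches: mipsArches,` in both rules removes that drift risk and gives the list a single place to be corrected. The `Comment` fields are a good addition; consider extending the first one to say that the rule exists so libc receives ENOSYS and falls back to clone(), since that is the behaviour the errno choice depends on. The enclosing `DefaultProfile` function starts before this hunk.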