@@ -19,13 +19,15 @@ var (

 	//go:embed testdata/af_vsock.c

 	afVSOCKSource string

+

+	//go:embed testdata/af_alg_socketcall.c

+	afALGSocketcallSource string

 )

 // compileAndExecSocketDenied writes a C source file into the container,

 // compiles it with the given compiler command, runs the binary as uid 1000,

-// and asserts that socket creation fails with a permission or

-// address-family error (not EFAULT or other unrelated failures).

-func compileAndExecSocketDenied(ctx context.Context, t *testing.T, apiClient client.APIClient, cID string, name string, src string, cc []string) {

+// and asserts that socket creation fails with the expected error.

+func compileAndExecSocketDenied(ctx context.Context, t *testing.T, apiClient client.APIClient, cID string, name string, src string, cc []string, expectedErr string) {

 	t.Helper()

 	binPath := "/tmp/" + name

@@ -50,12 +52,7 @@ func compileAndExecSocketDenied(ctx context.Context, t *testing.T, apiClient cli

 	out := strings.ToLower(res.Combined())

 	assert.Check(t, is.Contains(out, "socket"), "expected socket-related error message")

-

-	// Seccomp blocks return either EPERM ("operation not permitted") or

-	// EAFNOSUPPORT ("address family not supported"). Make sure the failure

-	// is from seccomp, not from a bogus pointer (EFAULT) or other issue.

-	permErr := strings.Contains(out, "not permitted") || strings.Contains(out, "not supported")

-	assert.Check(t, permErr, "expected EPERM or EAFNOSUPPORT, got: %s", res.Combined())

+	assert.Check(t, is.Contains(out, expectedErr), "expected %s, got: %s", expectedErr, res.Combined())

 }

 // TestExecSocketDenied verifies that AF_ALG and AF_VSOCK sockets cannot be

@@ -77,10 +74,39 @@ func TestExecSocketDenied(t *testing.T) {

 	gcc := []string{"gcc"}

+	arch := testEnv.DaemonInfo.Architecture

+	isAmd64 := arch == "amd64" || arch == "x86_64"

+

 	t.Run("AF_ALG", func(t *testing.T) {

-		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_ALG", afALGSource, gcc)

+		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_ALG", afALGSource, gcc, "not permitted")

 	})

 	t.Run("AF_VSOCK", func(t *testing.T) {

-		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_VSOCK", afVSOCKSource, gcc)

+		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_VSOCK", afVSOCKSource, gcc, "not permitted")

+	})

+

+	// Test AF_ALG via the socketcall(2) multiplexer using int $0x80 to

+	// invoke the ia32 compat syscall path from a native 64-bit binary.

+	// MAP_32BIT is used to place the args array below 4 GB, since the

+	// ia32 compat path truncates all registers to 32 bits.

+	t.Run("AF_ALG_socketcall_int80", func(t *testing.T) {

+		skip.If(t, !isAmd64, "int $0x80 ia32 compat only available on amd64")

+

+		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_ALG_socketcall_int80", afALGSocketcallSource, gcc, "not implemented")

+	})

+

+	// Test AF_ALG with a real i386 binary cross-compiled from amd64. glibc

+	// on i386 routes socket() through the socketcall(2) multiplexer, which

+	// is a different seccomp path than the native socket(2) syscall.

+	t.Run("AF_ALG_socketcall_i386", func(t *testing.T) {

+		skip.If(t, !isAmd64, "i386 cross-compilation only available on amd64")

+

+		res := container.ExecT(ctx, t, apiClient, cID, []string{

+			"sh", "-c", "apt-get install -y --no-install-recommends gcc-i686-linux-gnu libc6-dev-i386-cross linux-libc-dev-i386-cross",

+		})

+		res.AssertSuccess(t)

+

+		compileAndExecSocketDenied(ctx, t, apiClient, cID, "AF_ALG_socketcall_i386", afALGSource,

+			[]string{"i686-linux-gnu-gcc", "-static"}, "not implemented",

+		)

 	})

 }

new file mode 100644

@@ -0,0 +1,43 @@

+#include <stdio.h>

+#include <errno.h>

+#include <sys/mman.h>

+

+#define SYS_SOCKETCALL_I386 102

+#define SYS_SOCKET 1

+#define AF_ALG 38

+#define SOCK_SEQPACKET 5

+

+int main() {

+    /*

+     * The int $0x80 ia32 compat path truncates all registers to 32 bits.

+     * The args pointer must live below 4 GB, so allocate it with MAP_32BIT.

+     */

+    unsigned int *args = mmap(NULL, 4096,

+        PROT_READ | PROT_WRITE,

+        MAP_PRIVATE | MAP_ANONYMOUS | MAP_32BIT,

+        -1, 0);

+    if (args == MAP_FAILED) {

+        perror("mmap");

+        return 2;

+    }

+    args[0] = AF_ALG;

+    args[1] = SOCK_SEQPACKET;

+    args[2] = 0;

+

+    int ret;

+    asm volatile (

+        "int $0x80"

+        : "=a"(ret)

+        : "a"(SYS_SOCKETCALL_I386), "b"(SYS_SOCKET), "c"(args)

+        : "memory"

+    );

+

+    if (ret < 0) {

+        errno = -ret;

+        perror("socket");

+        return 1;

+    }

+

+    printf("AF_ALG socket created via socketcall\n");

+    return 0;

+}