Browse code
Enable seccomp on ppc64le
In order to do this, allow the socketcall syscall in the default
seccomp profile. This is a multiplexing syscall for the socket
operations, which is becoming obsolete gradually, but it is used
in some architectures. libseccomp has special handling for it for
x86 where it is common, so we did not need it in the profile,
but does not have any handling for ppc64le. It turns out that the
Debian images we use for tests do use the socketcall, while the
newer images such as Ubuntu 16.04 do not. Enabling this does no
harm as we allow all the socket operations anyway, and we allow
the similar ipc call for similar reasons already.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Justin Cormack authored on 2016/05/24 07:19:19Showing 3 changed files
| ... | ... |
@@ -168,7 +168,7 @@ RUN useradd --create-home --gid docker unprivilegeduser |
| 168 | 168 |
|
| 169 | 169 |
VOLUME /var/lib/docker |
| 170 | 170 |
WORKDIR /go/src/github.com/docker/docker |
| 171 |
-ENV DOCKER_BUILDTAGS apparmor pkcs11 selinux |
|
| 171 |
+ENV DOCKER_BUILDTAGS apparmor pkcs11 seccomp selinux |
|
| 172 | 172 |
|
| 173 | 173 |
# Let us use a .bashrc file |
| 174 | 174 |
RUN ln -sfv $PWD/.bashrc ~/.bashrc |
| ... | ... |
@@ -1322,6 +1322,11 @@ func DefaultProfile(rs *specs.Spec) *types.Seccomp {
|
| 1322 | 1322 |
Args: []*types.Arg{},
|
| 1323 | 1323 |
}, |
| 1324 | 1324 |
{
|
| 1325 |
+ Name: "socketcall", |
|
| 1326 |
+ Action: types.ActAllow, |
|
| 1327 |
+ Args: []*types.Arg{},
|
|
| 1328 |
+ }, |
|
| 1329 |
+ {
|
|
| 1325 | 1330 |
Name: "socketpair", |
| 1326 | 1331 |
Action: types.ActAllow, |
| 1327 | 1332 |
Args: []*types.Arg{},
|