docker/profiles
Michael Holzheu bf2a577c13 Enable seccomp for s390x
To implement seccomp for s390x the following changes are required:

1) seccomp_default: Add s390 compat mode

   On s390x (64 bit) we can run s390 (32 bit) programs in 32 bit
   compat mode. Therefore add this information to arches().

2) seccomp_default: Use correct flags parameter for sys_clone on s390x

   On s390x the second parameter for the clone system call is the flags
   parameter. On all other architectures it is the first one.

   See kernel code kernel/fork.c:

   #elif defined(CONFIG_CLONE_BACKWARDS2)
   SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
                   int __user *, parent_tidptr,

   So fix the docker default seccomp rule and check for the second
   parameter on s390/s390x.

3) seccomp_default: Add s390 specific syscalls

  For s390 we currently have three additional system calls that should
  be added to the seccomp whitelist:

  - Other architectures can read/write unprivileged from/to PCI MMIO memory.
    On s390 the instructions are privileged and therefore we need system
    calls for that purpose:

    * s390_pci_mmio_write()
    * s390_pci_mmio_read()

  - Runtime instrumentation:

    * s390_runtime_instr()

4) test_integration: Do not run seccomp default profile test on s390x

   The generated profile that we check in is for amd64 and i386
   architectures and does not work correctly on s390x.

   See also: 75385dc216 ("Do not run the seccomp tests that use
   default.json on non x86 architectures")

5) Dockerfile.s390x: Add "seccomp" to DOCKER_BUILDTAGS

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-06-06 08:13:22 -04:00
..
apparmor profiles: apparmor: actually calculate version 2016-03-20 19:03:19 +11:00
seccomp Enable seccomp for s390x 2016-06-06 08:13:22 -04:00