[systemd-devel] [PATCH] nspawn: allow 32-bit chroots from 64-bit hosts
Dave Reisner
d at falconindy.com
Tue Feb 18 11:52:05 PST 2014
On Tue, Feb 18, 2014 at 02:44:14PM -0500, Dave Reisner wrote:
> Arch Linux uses nspawn as a container for building packages and needs
> to be able to start a 32bit chroot from a 64bit host. 24fb11120756
> disrupted this feature when seccomp handling was added.
> ---
> Lennart suggested this approach, and it works nicely.
I suppose it's also possible to run an x32 chroot from an x86_64 host,
so we might want to allow that. Alternatively, it seems we can just
change the default action to allow (instead of kill) when a bad
architecture is encountered. I don't know if there are side effects with
that change that we'd want to avoid.
>
> src/nspawn/nspawn.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
> index 089af07..5a2467d 100644
> --- a/src/nspawn/nspawn.c
> +++ b/src/nspawn/nspawn.c
> @@ -1539,6 +1539,14 @@ static int audit_still_doesnt_work_in_containers(void) {
> goto finish;
> }
>
> +#ifdef __x86_64__
> + r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
> + if (r < 0 && r != -EEXIST) {
> + log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
> + goto finish;
> + }
> +#endif
> +
> r = seccomp_load(seccomp);
> if (r < 0)
> log_error("Failed to install seccomp audit filter: %s", strerror(-r));
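Review bot: the `#ifdef __x86_64__` block adds only the i386 compat ABI (`SCMP_ARCH_X86`); the x32 ABI raised in the reply is not added, so an x32 binary under this filter would still hit the bad-architecture default action (kill) instead of the syscall rules. If x32 containers are meant to work, add `r = seccomp_arch_add(seccomp, SCMP_ARCH_X32);` under the same guard with the same `r < 0 && r != -EEXIST` handling and its own log message, or state in the commit message that only i386 is supported. Note also that the guard is a compile-time check on the build architecture, which is fine as long as nspawn is always built on the host it runs on.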
> --
> 1.9.0
>
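As an added illustration (not part of the patch or of systemd), the following C models the architecture check at the head of a seccomp filter as real sock_filter instructions and evaluates it in userspace: with only AUDIT_ARCH_X86_64 allowed, a syscall made under the i386 ABI hits the bad-architecture KILL action, which is the breakage the commit message describes, while adding AUDIT_ARCH_I386 to the gate lets it fall through to the normal rules, which is what seccomp_arch_add(SCMP_ARCH_X86) achieves. The function names and the allowed-arch lists are assumptions of this example, not libseccomp's code or its exact generated program.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Architecture gate at the head of a seccomp BPF program: load seccomp_data.arch,
 * fall through to the syscall rules only for an allowed ABI, otherwise return the
 * bad-architecture action (KILL). Real sock_filter instructions, evaluated here in
 * userspace instead of being installed with prctl(PR_SET_SECCOMP). */
#define MAX_ARCHS 4
#define GATE_LEN(n) ((n) + 3)   /* LD + n JEQs + RET KILL + RET ALLOW */

static size_t build_arch_gate(struct sock_filter *p, const uint32_t *archs, size_t n)
{
    size_t i, pc = 0;
    p[pc++] = (struct sock_filter){ BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch) };
    for (i = 0; i < n; i++)     /* jt skips the remaining JEQs and the RET KILL */
        p[pc++] = (struct sock_filter){ BPF_JMP | BPF_JEQ | BPF_K, (uint8_t)(n - i), 0, archs[i] };
    p[pc++] = (struct sock_filter){ BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL };
    p[pc++] = (struct sock_filter){ BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW };
    return pc;
}

/* Interpreter for the three opcodes the gate uses; anything else fails closed. */
static uint32_t run_filter(const struct sock_filter *p, size_t len, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &p[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            if (in->k + sizeof(acc) > sizeof(*d)) return SECCOMP_RET_KILL;
            memcpy(&acc, (const char *)d + in->k, sizeof(acc));
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == in->k) ? in->jt : in->jf;
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else return SECCOMP_RET_KILL;
    }
    return SECCOMP_RET_KILL;    /* the kernel rejects programs that can fall off the end */
}
/* Action the gate built for 'allowed' takes on a syscall made under ABI 'arch'. */
static uint32_t decide(const uint32_t *allowed, size_t n, uint32_t arch)
{
    struct sock_filter prog[GATE_LEN(MAX_ARCHS)];
    struct seccomp_data d = { .nr = 1, .arch = arch };  /* constructed sample syscall */
    if (n > MAX_ARCHS) return SECCOMP_RET_KILL;
    return run_filter(prog, build_arch_gate(prog, allowed, n), &d);
}
```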