[systemd-devel] [PATCH] nspawn: allow 32-bit chroots from 64-bit hosts
Lennart Poettering
lennart at poettering.net
Tue Feb 18 14:11:31 PST 2014
On Tue, 18.02.14 14:44, Dave Reisner (dreisner at archlinux.org) wrote:
> Arch Linux uses nspawn as a container for building packages and needs
> to be able to start a 32bit chroot from a 64bit host. 24fb11120756
> disrupted this feature when seccomp handling was added.
As mentioned on IRC. I have committed this and then generalized this and
used it for executing services, too.
> ---
> Lennart suggested this approach, and it works nicely.
>
> src/nspawn/nspawn.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
> index 089af07..5a2467d 100644
> --- a/src/nspawn/nspawn.c
> +++ b/src/nspawn/nspawn.c
> @@ -1539,6 +1539,14 @@ static int audit_still_doesnt_work_in_containers(void) {
> goto finish;
> }
>
> +#ifdef __x86_64__
> + r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
> + if (r < 0 && r != -EEXIST) {
> + log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
> + goto finish;
> + }
> +#endif
> +
> r = seccomp_load(seccomp);
> if (r < 0)
> log_error("Failed to install seccomp audit filter: %s", strerror(-r));
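Review bot: The seccomp_arch_add(seccomp, SCMP_ARCH_X86) block sits directly before seccomp_load(), at the very end of filter setup, which is too late if any rule is added earlier in this function. libseccomp applies to a newly added architecture only the rules added after seccomp_arch_add() returns, so a rule set up above this hunk would not cover 32-bit callers, and those would fall through to the filter's default action. Consider moving the block to just after the filter context is created, before any rule is added. A one-line comment above the #ifdef stating why the secondary architecture is needed would also help, since the guard only handles x86_64 hosts.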
Lennart
--
Lennart Poettering, Red Hat