On Tue, Feb 18, 2014 at 02:44:14PM -0500, Dave Reisner wrote:
> Arch Linux uses nspawn as a container for building packages and needs
> to be able to start a 32bit chroot from a 64bit host. 24fb11120756
> disrupted this feature when seccomp handling was added.
> ---
> Lennart suggested this approach, and it works nicely.
I suppose it's also possible to run an x32 chroot from an x86_64 host, so we might want to allow that. Alternatively, it seems we can just change the default action to allow (instead of kill) when a bad architecture is encountered. I don't know if there are side effects with that change that we'd want to avoid.

> src/nspawn/nspawn.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
> index 089af07..5a2467d 100644
> --- a/src/nspawn/nspawn.c
> +++ b/src/nspawn/nspawn.c
> @@ -1539,6 +1539,14 @@ static int audit_still_doesnt_work_in_containers(void)
> {
> goto finish;
> }
>
> +#ifdef __x86_64__
> + r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
> + if (r < 0 && r != -EEXIST) {
> + log_error("Failed to add x86 to seccomp filter: %s",
> strerror(-r));
> + goto finish;
> + }
> +#endif
> +
> r = seccomp_load(seccomp);
> if (r < 0)
> log_error("Failed to install seccomp audit filter: %s",
> strerror(-r));
> --
> 1.9.0
>
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
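Review bot: the new `seccomp_arch_add(seccomp, SCMP_ARCH_X86)` call sits after the filter's rules have already been built (right after the preceding `goto finish` error path) and immediately before `seccomp_load(seccomp)`, so please confirm that the rules this function installs also apply to the added x86 ABI rather than only the filter's default action; if libseccomp does not propagate rules that were added before the architecture, the `seccomp_arch_add()` belongs ahead of the rule-adding calls. The `#ifdef __x86_64__` block also only covers the i386 compat ABI; as the reply already points out, an x32 chroot on an x86_64 host would still trip the bad-architecture action, so a one-line comment stating why only `SCMP_ARCH_X86` is added and why `-EEXIST` is tolerated would help whoever extends this later. Minor: the error string could name the ABI being added, e.g. `"Failed to add x86 (i386) ABI to seccomp filter: %s"`, to match the explicit "seccomp audit filter" wording of the `seccomp_load()` failure message below it.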