seccomp: support riscv64

AkihiroSuda · AkihiroSuda · commit 4c2f18f6cca5 · 2022-05-02T17:41:43.000+09:00
Corresponds to containerd PR 6882

Signed-off-by: Akihiro Suda &lt;akihiro.suda.cz@hco.ntt.co.jp&gt;
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
@@ -48,6 +48,10 @@
 			"subArchitectures": [
 				"SCMP_ARCH_S390"
 			]
+		},
+		{
+			"architecture": "SCMP_ARCH_RISCV64",
+			"subArchitectures": null
 		}
 	],
 	"syscalls": [
@@ -540,6 +544,17 @@
 				]
 			}
 		},
+		{
+			"names": [
+				"riscv_flush_icache"
+			],
+			"action": "SCMP_ACT_ALLOW",
+			"includes": {
+				"arches": [
+					"riscv64"
+				]
+			}
+		},
 		{
 			"names": [
 				"open_by_handle_at"
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
@@ -38,6 +38,10 @@ func arches() []Architecture {
 			Arch:      specs.ArchS390X,
 			SubArches: []specs.Arch{specs.ArchS390},
 		},
+		{
+			Arch:      specs.ArchRISCV64,
+			SubArches: nil,
+		},
 	}
 }
 
@@ -533,6 +537,17 @@ func DefaultProfile() *Seccomp {
 				Arches: []string{"s390", "s390x"},
 			},
 		},
+		{
+			LinuxSyscall: specs.LinuxSyscall{
+				Names: []string{
+					"riscv_flush_icache",
+				},
+				Action: specs.ActAllow,
+			},
+			Includes: &Filter{
+				Arches: []string{"riscv64"},
+			},
+		},
 		{
 			LinuxSyscall: specs.LinuxSyscall{
 				Names: []string{

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,10 @@`
`48`	`48`	`"subArchitectures": [`
`49`	`49`	`"SCMP_ARCH_S390"`
`50`	`50`	`]`
	`51`	`+ },`
	`52`	`+ {`
	`53`	`+ "architecture": "SCMP_ARCH_RISCV64",`
	`54`	`+ "subArchitectures": null`
`51`	`55`	`}`
`52`	`56`	`],`
`53`	`57`	`"syscalls": [`
`@@ -540,6 +544,17 @@`
`540`	`544`	`]`
`541`	`545`	`}`
`542`	`546`	`},`
	`547`	`+ {`
	`548`	`+ "names": [`
	`549`	`+ "riscv_flush_icache"`
	`550`	`+ ],`
	`551`	`+ "action": "SCMP_ACT_ALLOW",`
	`552`	`+ "includes": {`
	`553`	`+ "arches": [`
	`554`	`+ "riscv64"`
	`555`	`+ ]`
	`556`	`+ }`
	`557`	`+ },`
`543`	`558`	`{`
`544`	`559`	`"names": [`
`545`	`560`	`"open_by_handle_at"`