seccomp: add swapcontext into @process for ppc32 #9487
Merged
poettering merged 1 commit into systemd:master on Jul 3, 2018
Conversation
There are some modern programming languages that use userspace context switches to implement coroutine features. PowerPC (32-bit) needs the syscall "swapcontext" to get contexts or switch between contexts, which is special. Adding this rule should fix systemd#9485.
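The PR description talks about "userspace context switches" without showing what one looks like, so here is an added example (not systemd's code and not from the PR author) of the mechanism: a two-way coroutine ping-pong on the portable ucontext(3) API. On x86_64 the whole exchange stays in userspace; on 32-bit PowerPC, as the description states, glibc's swapcontext(3) is backed by the swapcontext(2) system call, so this same source touches a seccomp filter only on that architecture. The example checks the return value of every switch, which is the failure a filter with an errno action would produce on ppc32 without this rule (the default kill action would instead end the process at the first switch). Function names, the trace format and the values produced are all constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <ucontext.h>

/* Added example (not systemd code): a minimal two-way coroutine built on
 * the ucontext(3) API. The names, stack size and trace values below are
 * constructed for illustration. */

#define CO_STACK_SIZE (64 * 1024)
#define TRACE_CAP 16

static ucontext_t main_ctx;            /* caller's saved state                */
static ucontext_t co_ctx;              /* coroutine's saved state             */
static char co_stack[CO_STACK_SIZE] __attribute__((aligned(16)));

static int trace[TRACE_CAP];           /* order in which both sides ran       */
static int trace_len;
static int switch_failed;              /* set if a switch inside the body fails */

static void record(int v)
{
    if (trace_len < TRACE_CAP)
        trace[trace_len++] = v;
}

/* Coroutine body: produce three values, yielding to the caller after each.
 * Returning from this function resumes uc_link, i.e. main_ctx. */
static void coroutine_body(void)
{
    for (int i = 1; i <= 3; i++) {
        record(i * 10);
        /* yield: save our state into co_ctx, resume the caller.
         * On ppc32 this is the swapcontext(2) syscall the PR allows. */
        if (swapcontext(&co_ctx, &main_ctx) == -1)
            switch_failed = 1;
    }
}

/* Runs the ping-pong and copies the execution trace into out (up to out_cap
 * entries). Returns the number of trace entries, or -1 if a context switch
 * was refused, which is what a seccomp filter returning an errno would do
 * on ppc32 without the rule this PR adds. */
int run_coroutines(int *out, int out_cap)
{
    trace_len = 0;
    switch_failed = 0;

    if (getcontext(&co_ctx) == -1)
        return -1;
    co_ctx.uc_stack.ss_sp = co_stack;
    co_ctx.uc_stack.ss_size = sizeof co_stack;
    co_ctx.uc_link = &main_ctx;        /* resume here when the body returns   */
    makecontext(&co_ctx, coroutine_body, 0);

    /* Three resumes collect the three values; a fourth lets the body run
     * off its end and come back here through uc_link. */
    for (int i = 1; i <= 4; i++) {
        if (i <= 3)
            record(i);
        if (swapcontext(&main_ctx, &co_ctx) == -1)
            return -1;
        if (switch_failed)
            return -1;
    }

    for (int i = 0; i < trace_len && i < out_cap; i++)
        out[i] = trace[i];
    return trace_len;
}

int main(void)
{
    int buf[TRACE_CAP];
    int n = run_coroutines(buf, TRACE_CAP);

    if (n < 0) {
        puts("context switch refused (seccomp?)");
        return 1;
    }
    printf("%d events:", n);
    for (int i = 0; i < n; i++)
        printf(" %d", buf[i]);
    putchar('\n');
    return 0;
}
```

The trace interleaves caller and coroutine (1, 10, 2, 20, 3, 30), so a single denied switch is immediately visible as a short or missing trace. When auditing a filter for a language runtime, it is this kind of portable code, not an obvious syscall in the runtime's source, that ends up depending on an architecture-specific entry such as swapcontext.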
keszybz reviewed Jul 3, 2018
| "rt_sigqueueinfo\0" | ||
| "rt_tgsigqueueinfo\0" | ||
| "setns\0" | ||
| "swapcontext\0" /* Some archs e.g. powerpc32 are using it to do userspace context switches */ |
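Review bot: the inline comment scopes the entry to "powerpc32", but the commit messages referencing this PR further down describe swapcontext as available on both 32- and 64-bit PowerPC, so the comment undersells where the rule matters; suggest `"swapcontext\0" /* PowerPC (32- and 64-bit) implements userspace context switches with this syscall */`. Since @process is one architecture-independent list, it is also worth confirming in the same change that the filter loader skips a name it cannot resolve on the running architecture rather than failing the whole set, so that adding a PowerPC-only syscall does not alter behaviour on x86 or ARM.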
Member
Why not include the other calls (getcontext, setcontext, etc) here? It seems strange to allow just one of them.
Member
Only swapcontext is a system call; the other two are just libc calls.
evol262 pushed a commit to evol262/moby that referenced this pull request on Jan 12, 2022
This system call is only available on 32- and 64-bit PowerPC; it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environments, such as systemd-nspawn, already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby. This issue was encountered on the Alpine Linux GitLab CI system, which uses moby, when attempting to execute gcc-go compiled software on ppc64le.
[1]: systemd/systemd#9487
[2]: systemd/systemd#9485
Signed-off-by: Sören Tempel <[email protected]>
wllenyj pushed a commit to wllenyj/containerd that referenced this pull request on Feb 8, 2022
This system call is only available on 32- and 64-bit PowerPC; it is used by modern programming language implementations to implement coroutine features through userspace context switches. moby [1] and systemd-nspawn [2] already whitelist this system call, so it makes sense to whitelist it in containerd as well.
[1]: moby/moby#43092
[2]: systemd/systemd#9487
Signed-off-by: Sören Tempel <[email protected]>
katiewasnothere pushed a commit to katiewasnothere/containerd that referenced this pull request on Apr 21, 2022
This system call is only available on 32- and 64-bit PowerPC; it is used by modern programming language implementations to implement coroutine features through userspace context switches. moby [1] and systemd-nspawn [2] already whitelist this system call, so it makes sense to whitelist it in containerd as well.
[1]: moby/moby#43092
[2]: systemd/systemd#9487
Signed-off-by: Sören Tempel <[email protected]>
thaJeztah pushed a commit to thaJeztah/docker that referenced this pull request on Dec 1, 2022
This system call is only available on 32- and 64-bit PowerPC; it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environments, such as systemd-nspawn, already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby. This issue was encountered on the Alpine Linux GitLab CI system, which uses moby, when attempting to execute gcc-go compiled software on ppc64le.
[1]: systemd/systemd#9487
[2]: systemd/systemd#9485
Signed-off-by: Sören Tempel <[email protected]>
(cherry picked from commit 85eaf23)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
martinetd added a commit to martinetd/containers-common that referenced this pull request on Jun 5, 2024
swapcontext seems to be used for coroutines in some languages (at least ruby), enough to have been added to other major engines by an actual user.
Link: moby/moby#43092
Link: systemd/systemd#9487
Link: containerd/containerd#6411
martinetd added a commit to martinetd/containers-common that referenced this pull request on Jun 5, 2024
swapcontext seems to be used for coroutines in some languages (at least ruby), enough to have been added to other major engines by an actual user.
Link: moby/moby#43092
Link: systemd/systemd#9487
Link: containerd/containerd#6411
Signed-off-by: Dominique Martinet <[email protected]>
kiashok pushed a commit to kiashok/containerd that referenced this pull request on Oct 23, 2024
This system call is only available on 32- and 64-bit PowerPC; it is used by modern programming language implementations to implement coroutine features through userspace context switches. moby [1] and systemd-nspawn [2] already whitelist this system call, so it makes sense to whitelist it in containerd as well.
[1]: moby/moby#43092
[2]: systemd/systemd#9487
Signed-off-by: Sören Tempel <[email protected]>
thaJeztah pushed a commit to moby/profiles that referenced this pull request on Jul 22, 2025
This system call is only available on 32- and 64-bit PowerPC; it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environments, such as systemd-nspawn, already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby. This issue was encountered on the Alpine Linux GitLab CI system, which uses moby, when attempting to execute gcc-go compiled software on ppc64le.
[1]: systemd/systemd#9487
[2]: systemd/systemd#9485
Signed-off-by: Sören Tempel <[email protected]>