* [PATCH v2 1/2] lxc: Add PACKAGECONFIG for seccomp
@ 2015-03-11  8:52 Bogdan Purcareata
  2015-03-11  8:52 ` [PATCH v2 2/2] lxc: Add support for seccomp on PPC architectures Bogdan Purcareata
  2015-03-13 18:46 ` [PATCH v2 1/2] lxc: Add PACKAGECONFIG for seccomp Bruce Ashfield
  0 siblings, 2 replies; 4+ messages in thread
From: Bogdan Purcareata @ 2015-03-11  8:52 UTC (permalink / raw)
  To: meta-virtualization

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
---
 recipes-containers/lxc/lxc_1.0.7.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-containers/lxc/lxc_1.0.7.bb b/recipes-containers/lxc/lxc_1.0.7.bb
index c618c84..b01c006 100644
--- a/recipes-containers/lxc/lxc_1.0.7.bb
+++ b/recipes-containers/lxc/lxc_1.0.7.bb
@@ -49,6 +49,7 @@ PACKAGECONFIG[rpath] = "--enable-rpath,--disable-rpath,,"
 PACKAGECONFIG[apparmour] = "--enable-apparmor,--disable-apparmor,apparmor,apparmor"
 PACKAGECONFIG[templates] = ",,, ${PN}-templates"
 PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux"
+PACKAGECONFIG[seccomp] ="--enable-seccomp,--disable-seccomp,libseccomp,libseccomp"
 
 inherit autotools pkgconfig ptest update-rc.d systemd
 
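Review bot: The added `PACKAGECONFIG[seccomp]` line only declares the option; unless `seccomp` is also listed in the recipe's default `PACKAGECONFIG` value (outside this hunk), configure is run with `--disable-seccomp` and LXC is built without seccomp support. If opt-in is intended, a comment above the line such as `# seccomp is opt-in: requires a layer that provides libseccomp (e.g. meta-security)` would make that explicit for image builders who expect syscall filtering. The line is also written `] ="` while its neighbours use `] = "`; `PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp,libseccomp"` matches them.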
-- 
2.1.4




* [PATCH v2 2/2] lxc: Add support for seccomp on PPC architectures
  2015-03-11  8:52 [PATCH v2 1/2] lxc: Add PACKAGECONFIG for seccomp Bogdan Purcareata
@ 2015-03-11  8:52 ` Bogdan Purcareata
  2015-03-11 12:13   ` akuster@mvista
  2015-03-13 18:46 ` [PATCH v2 1/2] lxc: Add PACKAGECONFIG for seccomp Bruce Ashfield
  1 sibling, 1 reply; 4+ messages in thread
From: Bogdan Purcareata @ 2015-03-11  8:52 UTC (permalink / raw)
  To: meta-virtualization

Add the necessary bits to enable seccomp support for LXC running on PPC
architectures. libseccomp has added support for PPC [1], but that support has
not yet been applied to Yocto/meta-security.

[1] https://github.com/seccomp/libseccomp/tree/working-ppc64

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
---
 .../files/ppc-add-seccomp-support-for-lxc.patch    | 100 +++++++++++++++++++++
 recipes-containers/lxc/lxc_1.0.7.bb                |   1 +
 2 files changed, 101 insertions(+)
 create mode 100644 recipes-containers/lxc/files/ppc-add-seccomp-support-for-lxc.patch

diff --git a/recipes-containers/lxc/files/ppc-add-seccomp-support-for-lxc.patch b/recipes-containers/lxc/files/ppc-add-seccomp-support-for-lxc.patch
new file mode 100644
index 0000000..6faf791
--- /dev/null
+++ b/recipes-containers/lxc/files/ppc-add-seccomp-support-for-lxc.patch
@@ -0,0 +1,100 @@
+From 29ca2ec418cb496ac8a19f0718a8474a55cfe16d Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Date: Wed, 4 Feb 2015 11:28:32 +0000
+Subject: [PATCH] seccomp: add ppc support
+
+This patch enables seccomp support for LXC containers running on PowerPC
+architectures. It is based on the latest PowerPC support added to libseccomp, on
+the working-ppc64 branch [1].
+
+Libseccomp has been tested on ppc, ppc64 and ppc64le architectures. LXC with
+seccomp support has been tested on ppc and ppc64 architectures, using the
+default seccomp policy example files delivered with the LXC package.
+
+[1] https://github.com/seccomp/libseccomp/commits/working-ppc64
+
+Upstream-Status: Pending
+[https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-March/011437.html]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+---
+ src/lxc/seccomp.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
+index 3ba6c9a..0e2310f 100644
+--- a/src/lxc/seccomp.c
++++ b/src/lxc/seccomp.c
+@@ -121,6 +121,9 @@ enum lxc_hostarch_t {
+	lxc_seccomp_arch_i386,
+	lxc_seccomp_arch_amd64,
+	lxc_seccomp_arch_arm,
++	lxc_seccomp_arch_ppc64,
++	lxc_seccomp_arch_ppc64le,
++	lxc_seccomp_arch_ppc,
+	lxc_seccomp_arch_unknown = 999,
+ };
+
+@@ -137,6 +140,12 @@ int get_hostarch(void)
+		return lxc_seccomp_arch_amd64;
+	else if (strncmp(uts.machine, "armv7", 5) == 0)
+		return lxc_seccomp_arch_arm;
++	else if (strncmp(uts.machine, "ppc64le", 7) == 0)
++		return lxc_seccomp_arch_ppc64le;
++	else if (strncmp(uts.machine, "ppc64", 5) == 0)
++		return lxc_seccomp_arch_ppc64;
++	else if (strncmp(uts.machine, "ppc", 3) == 0)
++		return lxc_seccomp_arch_ppc;
+	return lxc_seccomp_arch_unknown;
+ }
+
+@@ -150,6 +159,9 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
+	case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
+	case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
+	case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
++	case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
++	case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
++	case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
+	default: return NULL;
+	}
+
+@@ -343,6 +355,36 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
+				cur_rule_arch = lxc_seccomp_arch_arm;
+			}
+ #endif
++#ifdef SCMP_ARCH_PPC64LE
++			else if (strcmp(line, "[ppc64le]") == 0 ||
++					strcmp(line, "[PPC64LE]") == 0) {
++				if (native_arch != lxc_seccomp_arch_ppc64le) {
++					cur_rule_arch = lxc_seccomp_arch_unknown;
++					continue;
++				}
++				cur_rule_arch = lxc_seccomp_arch_ppc64le;
++			}
++#endif
++#ifdef SCMP_ARCH_PPC64
++			else if (strcmp(line, "[ppc64]") == 0 ||
++					strcmp(line, "[PPC64]") == 0) {
++				if (native_arch != lxc_seccomp_arch_ppc64) {
++					cur_rule_arch = lxc_seccomp_arch_unknown;
++					continue;
++				}
++				cur_rule_arch = lxc_seccomp_arch_ppc64;
++			}
++#endif
++#ifdef SCMP_ARCH_PPC
++			else if (strcmp(line, "[ppc]") == 0 ||
++					strcmp(line, "[PPC]") == 0) {
++				if (native_arch != lxc_seccomp_arch_ppc) {
++					cur_rule_arch = lxc_seccomp_arch_unknown;
++					continue;
++				}
++				cur_rule_arch = lxc_seccomp_arch_ppc;
++			}
++#endif
+			else
+				goto bad_arch;
+
+--
+2.1.4
+
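Review bot: In the `get_new_ctx` hunk of the embedded seccomp.c patch, the three new `case` labels use `SCMP_ARCH_PPC64LE`, `SCMP_ARCH_PPC64` and `SCMP_ARCH_PPC` unconditionally, while the `parse_config_v2` hunk guards the same constants with `#ifdef`. The commit message says the libseccomp PPC support is not yet in meta-security, and the recipe hunk that follows adds this patch to `SRC_URI` for every target, so a seccomp-enabled build against a libseccomp without those constants would presumably fail to compile on all architectures, not only PowerPC. Wrapping each case in the matching `#ifdef` keeps such builds working and lets the existing `default: return NULL;` reject a PPC host when the library cannot build a filter for it. Both functions begin and end outside the visible inner hunks, so the callers' handling of a NULL context should be confirmed there.

```c
	/* … unchanged: i386, amd64 and arm cases … */
#ifdef SCMP_ARCH_PPC64LE
	case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
#endif
#ifdef SCMP_ARCH_PPC64
	case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
#endif
#ifdef SCMP_ARCH_PPC
	case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
#endif
	default: return NULL;
```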
diff --git a/recipes-containers/lxc/lxc_1.0.7.bb b/recipes-containers/lxc/lxc_1.0.7.bb
index b01c006..c9eef75 100644
--- a/recipes-containers/lxc/lxc_1.0.7.bb
+++ b/recipes-containers/lxc/lxc_1.0.7.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
 	file://add-lxc.rebootsignal.patch \
 	file://document-lxc.rebootsignal.patch \
 	file://lxc-busybox-use-lxc.rebootsignal-SIGTERM.patch \
+	file://ppc-add-seccomp-support-for-lxc.patch \
 	"
 
 SRC_URI[md5sum] = "b48f468a9bef0e4e140dd723f0a65ad0"
-- 
2.1.4




* Re: [PATCH v2 2/2] lxc: Add support for seccomp on PPC architectures
  2015-03-11  8:52 ` [PATCH v2 2/2] lxc: Add support for seccomp on PPC architectures Bogdan Purcareata
@ 2015-03-11 12:13   ` akuster@mvista
  0 siblings, 0 replies; 4+ messages in thread
From: akuster@mvista @ 2015-03-11 12:13 UTC (permalink / raw)
  To: meta-virtualization

On 3/11/15 1:52 AM, Bogdan Purcareata wrote:
> Add the necessary bits to enable seccomp support for LXC running on PPC
> architectures. libseccomp added support for PPC [1], yet to be applied to
> Yocto/meta-security.

Cool, I will update meta-security soon. (thought I was on that mailing
list??)

- armin
> 
> [1] https://github.com/seccomp/libseccomp/tree/working-ppc64
> 
> Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
> ---
>  .../files/ppc-add-seccomp-support-for-lxc.patch    | 100 +++++++++++++++++++++
>  recipes-containers/lxc/lxc_1.0.7.bb                |   1 +
>  2 files changed, 101 insertions(+)
>  create mode 100644 recipes-containers/lxc/files/ppc-add-seccomp-support-for-lxc.patch
> 
> diff --git a/recipes-containers/lxc/files/ppc-add-seccomp-support-for-lxc.patch b/recipes-containers/lxc/files/ppc-add-seccomp-support-for-lxc.patch
> new file mode 100644
> index 0000000..6faf791
> --- /dev/null
> +++ b/recipes-containers/lxc/files/ppc-add-seccomp-support-for-lxc.patch
> @@ -0,0 +1,100 @@
> +From 29ca2ec418cb496ac8a19f0718a8474a55cfe16d Mon Sep 17 00:00:00 2001
> +From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
> +Date: Wed, 4 Feb 2015 11:28:32 +0000
> +Subject: [PATCH] seccomp: add ppc support
> +
> +This patch enables seccomp support for LXC containers running on PowerPC
> +architectures. It is based on the latest PowerPC support added to libseccomp, on
> +the working-ppc64 branch [1].
> +
> +Libseccomp has been tested on ppc, ppc64 and ppc64le architectures. LXC with
> +seccomp support has been tested on ppc and ppc64 architectures, using the
> +default seccomp policy example files delivered with the LXC package.
> +
> +[1] https://github.com/seccomp/libseccomp/commits/working-ppc64
> +
> +Upstream-Status: Pending
> +[https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-March/011437.html]
> +
> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
> +---
> + src/lxc/seccomp.c | 42 ++++++++++++++++++++++++++++++++++++++++++
> + 1 file changed, 42 insertions(+)
> +
> +diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
> +index 3ba6c9a..0e2310f 100644
> +--- a/src/lxc/seccomp.c
> ++++ b/src/lxc/seccomp.c
> +@@ -121,6 +121,9 @@ enum lxc_hostarch_t {
> +	lxc_seccomp_arch_i386,
> +	lxc_seccomp_arch_amd64,
> +	lxc_seccomp_arch_arm,
> ++	lxc_seccomp_arch_ppc64,
> ++	lxc_seccomp_arch_ppc64le,
> ++	lxc_seccomp_arch_ppc,
> +	lxc_seccomp_arch_unknown = 999,
> + };
> +
> +@@ -137,6 +140,12 @@ int get_hostarch(void)
> +		return lxc_seccomp_arch_amd64;
> +	else if (strncmp(uts.machine, "armv7", 5) == 0)
> +		return lxc_seccomp_arch_arm;
> ++	else if (strncmp(uts.machine, "ppc64le", 7) == 0)
> ++		return lxc_seccomp_arch_ppc64le;
> ++	else if (strncmp(uts.machine, "ppc64", 5) == 0)
> ++		return lxc_seccomp_arch_ppc64;
> ++	else if (strncmp(uts.machine, "ppc", 3) == 0)
> ++		return lxc_seccomp_arch_ppc;
> +	return lxc_seccomp_arch_unknown;
> + }
> +
> +@@ -150,6 +159,9 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, uint32_t default_policy_
> +	case lxc_seccomp_arch_i386: arch = SCMP_ARCH_X86; break;
> +	case lxc_seccomp_arch_amd64: arch = SCMP_ARCH_X86_64; break;
> +	case lxc_seccomp_arch_arm: arch = SCMP_ARCH_ARM; break;
> ++	case lxc_seccomp_arch_ppc64le: arch = SCMP_ARCH_PPC64LE; break;
> ++	case lxc_seccomp_arch_ppc64: arch = SCMP_ARCH_PPC64; break;
> ++	case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
> +	default: return NULL;
> +	}
> +
> +@@ -343,6 +355,36 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
> +				cur_rule_arch = lxc_seccomp_arch_arm;
> +			}
> + #endif
> ++#ifdef SCMP_ARCH_PPC64LE
> ++			else if (strcmp(line, "[ppc64le]") == 0 ||
> ++					strcmp(line, "[PPC64LE]") == 0) {
> ++				if (native_arch != lxc_seccomp_arch_ppc64le) {
> ++					cur_rule_arch = lxc_seccomp_arch_unknown;
> ++					continue;
> ++				}
> ++				cur_rule_arch = lxc_seccomp_arch_ppc64le;
> ++			}
> ++#endif
> ++#ifdef SCMP_ARCH_PPC64
> ++			else if (strcmp(line, "[ppc64]") == 0 ||
> ++					strcmp(line, "[PPC64]") == 0) {
> ++				if (native_arch != lxc_seccomp_arch_ppc64) {
> ++					cur_rule_arch = lxc_seccomp_arch_unknown;
> ++					continue;
> ++				}
> ++				cur_rule_arch = lxc_seccomp_arch_ppc64;
> ++			}
> ++#endif
> ++#ifdef SCMP_ARCH_PPC
> ++			else if (strcmp(line, "[ppc]") == 0 ||
> ++					strcmp(line, "[PPC]") == 0) {
> ++				if (native_arch != lxc_seccomp_arch_ppc) {
> ++					cur_rule_arch = lxc_seccomp_arch_unknown;
> ++					continue;
> ++				}
> ++				cur_rule_arch = lxc_seccomp_arch_ppc;
> ++			}
> ++#endif
> +			else
> +				goto bad_arch;
> +
> +--
> +2.1.4
> +
> diff --git a/recipes-containers/lxc/lxc_1.0.7.bb b/recipes-containers/lxc/lxc_1.0.7.bb
> index b01c006..c9eef75 100644
> --- a/recipes-containers/lxc/lxc_1.0.7.bb
> +++ b/recipes-containers/lxc/lxc_1.0.7.bb
> @@ -29,6 +29,7 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
>  	file://add-lxc.rebootsignal.patch \
>  	file://document-lxc.rebootsignal.patch \
>  	file://lxc-busybox-use-lxc.rebootsignal-SIGTERM.patch \
> +	file://ppc-add-seccomp-support-for-lxc.patch \
>  	"
>  
>  SRC_URI[md5sum] = "b48f468a9bef0e4e140dd723f0a65ad0"
> 



* Re: [PATCH v2 1/2] lxc: Add PACKAGECONFIG for seccomp
  2015-03-11  8:52 [PATCH v2 1/2] lxc: Add PACKAGECONFIG for seccomp Bogdan Purcareata
  2015-03-11  8:52 ` [PATCH v2 2/2] lxc: Add support for seccomp on PPC architectures Bogdan Purcareata
@ 2015-03-13 18:46 ` Bruce Ashfield
  1 sibling, 0 replies; 4+ messages in thread
From: Bruce Ashfield @ 2015-03-13 18:46 UTC (permalink / raw)
  To: Bogdan Purcareata; +Cc: meta-virtualization@yoctoproject.org

Thanks!

I've merged v2.

Bruce

On Wed, Mar 11, 2015 at 4:52 AM, Bogdan Purcareata
<bogdan.purcareata@freescale.com> wrote:
> Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
> ---
>  recipes-containers/lxc/lxc_1.0.7.bb | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/recipes-containers/lxc/lxc_1.0.7.bb b/recipes-containers/lxc/lxc_1.0.7.bb
> index c618c84..b01c006 100644
> --- a/recipes-containers/lxc/lxc_1.0.7.bb
> +++ b/recipes-containers/lxc/lxc_1.0.7.bb
> @@ -49,6 +49,7 @@ PACKAGECONFIG[rpath] = "--enable-rpath,--disable-rpath,,"
>  PACKAGECONFIG[apparmour] = "--enable-apparmor,--disable-apparmor,apparmor,apparmor"
>  PACKAGECONFIG[templates] = ",,, ${PN}-templates"
>  PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux"
> +PACKAGECONFIG[seccomp] ="--enable-seccomp,--disable-seccomp,libseccomp,libseccomp"
>
>  inherit autotools pkgconfig ptest update-rc.d systemd
>
> --
> 2.1.4
>
> --
> _______________________________________________
> meta-virtualization mailing list
> meta-virtualization@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-virtualization



-- 
"Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end"


