seccomp: add support for "swapcontext" syscall in default policy

This system call is only available on the 32- and 64-bit PowerPC, it is used by modern programming language implementations (such as gcc-go) to implement coroutine features through userspace context switches. Other container environment, such as Systemd nspawn already whitelist this system call in their seccomp profile [1] [2]. As such, it would be nice to also whitelist it in moby. This issue was encountered on Alpine Linux GitLab CI system, which uses moby, when attempting to execute gcc-go compiled software on ppc64le. [1]: systemd/systemd#9487 [2]: systemd/systemd#9485 Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net>
thaJeztah · Dec 18, 2021 · 85eaf23 · 85eaf23
1 parent 10aecb0
commit 85eaf23
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
@@ -474,7 +474,8 @@
 		},
 		{
 			"names": [
-				"sync_file_range2"
+				"sync_file_range2",
+				"swapcontext"
 			],
 			"action": "SCMP_ACT_ALLOW",
 			"includes": {

diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
@@ -474,6 +474,7 @@ func DefaultProfile() *Seccomp {
 			LinuxSyscall: specs.LinuxSyscall{
 				Names: []string{
 					"sync_file_range2",
+					"swapcontext",
 				},
 				Action: specs.ActAllow,
 			},