From 1aaa0599d97fed6a666c36f47a02d7698b35a738 Mon Sep 17 00:00:00 2001 From: Manabu Sugimoto Date: Mon, 1 Nov 2021 22:47:39 +0900 Subject: [PATCH 1/2] agent: "Revert agent: Disable seccomp feature on aarch64 temporarily" Re-enable seccomp feature on aarch64 because CI is ready by https://github.com/kata-containers/tests/pull/4124. This reverts commit 42add7f201cf082d0d06d676c5cf20e6088ac2fb. Fixes: #2939 Signed-off-by: Manabu Sugimoto --- src/agent/rustjail/Cargo.toml | 3 --- src/agent/rustjail/src/container.rs | 6 +++--- src/agent/rustjail/src/lib.rs | 2 +- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/src/agent/rustjail/Cargo.toml b/src/agent/rustjail/Cargo.toml index e6d1d7ee68..497a862105 100644 --- a/src/agent/rustjail/Cargo.toml +++ b/src/agent/rustjail/Cargo.toml @@ -30,9 +30,6 @@ tokio = { version = "1.2.0", features = ["sync", "io-util", "process", "time", " futures = "0.3" async-trait = "0.1.31" inotify = "0.9.2" - -# Disable libseccomp on aarch64 temporarily in order to pass CI -[target.'cfg(not(target_arch = "aarch64"))'.dependencies] libseccomp = { version = "0.1.3", optional = true } [dev-dependencies] diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs index 2cd270668a..03ad662872 100644 --- a/src/agent/rustjail/src/container.rs +++ b/src/agent/rustjail/src/container.rs @@ -25,7 +25,7 @@ use crate::cgroups::mock::Manager as FsManager; use crate::cgroups::Manager; use crate::log_child; use crate::process::Process; -#[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))] +#[cfg(feature = "seccomp")] use crate::seccomp; use crate::specconv::CreateOpts; use crate::{mount, validator}; 
@@ -603,7 +603,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> { // Without NoNewPrivileges, we need to set seccomp // before dropping capabilities because the calling thread // must have the CAP_SYS_ADMIN. - #[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))] + #[cfg(feature = "seccomp")] if !oci_process.no_new_privileges { if let Some(ref scmp) = linux.seccomp { seccomp::init_seccomp(scmp)?; @@ -685,7 +685,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> { // With NoNewPrivileges, we should set seccomp as close to // do_exec as possible in order to reduce the amount of // system calls in the seccomp profiles. - #[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))] + #[cfg(feature = "seccomp")] if oci_process.no_new_privileges { if let Some(ref scmp) = linux.seccomp { seccomp::init_seccomp(scmp)?; diff --git a/src/agent/rustjail/src/lib.rs b/src/agent/rustjail/src/lib.rs index f9327dc3f1..7535bf9901 100644 --- a/src/agent/rustjail/src/lib.rs +++ b/src/agent/rustjail/src/lib.rs @@ -34,7 +34,7 @@ pub mod container; pub mod mount; pub mod pipestream; pub mod process; -#[cfg(all(not(target_arch = "aarch64"), feature = "seccomp"))] +#[cfg(feature = "seccomp")] pub mod seccomp; pub mod specconv; pub mod sync; From b468dc500a865d1107282e824bab3750c11111a5 Mon Sep 17 00:00:00 2001 From: Manabu Sugimoto Date: Tue, 2 Nov 2021 19:32:54 +0900 Subject: [PATCH 2/2] agent: Use dup3 system call in unit tests of seccomp Use `dup3` system call instead of `dup2` in unit tests of seccomp because `dup2` is obsolete on aarch64. Fixes: #2939 Signed-off-by: Manabu Sugimoto --- src/agent/rustjail/src/seccomp.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/agent/rustjail/src/seccomp.rs b/src/agent/rustjail/src/seccomp.rs index 37eb175767..58e85c482f 100644 --- a/src/agent/rustjail/src/seccomp.rs +++ b/src/agent/rustjail/src/seccomp.rs 
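Review bot: With the gate reduced to `#[cfg(feature = "seccomp")]`, both seccomp blocks in `do_init_child` (the hunk at -603 and the one at -685) still compile away entirely when the feature is off. A spec that carries `linux.seccomp` would then appear to start the container with no filter and no error. Nothing visible in these hunks handles that case; the rest of the function lies outside them, so a check may exist elsewhere. If it does not, a fail-closed counterpart would make the missing confinement visible: `#[cfg(not(feature = "seccomp"))]` followed by `if linux.seccomp.is_some() { /* return an error, or at least log a warning */ }`.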
@@ -95,7 +95,7 @@ pub fn init_seccomp(scmp: &LinuxSeccomp) -> Result<()> { mod tests { use super::*; use crate::skip_if_not_root; - use libc::{dup2, process_vm_readv, EPERM}; + use libc::{dup3, process_vm_readv, EPERM, O_CLOEXEC}; use std::io::Error; use std::ptr::null; @@ -135,7 +135,7 @@ mod tests { "syscalls": [ { "names": [ - "dup2" + "dup3" ], "action": "SCMP_ACT_ERRNO" }, @@ -212,7 +212,7 @@ mod tests { init_seccomp(&scmp).unwrap(); // Basic syscall with simple rule - syscall_assert!(unsafe { dup2(0, 1) }, -EPERM); + syscall_assert!(unsafe { dup3(0, 1, O_CLOEXEC) }, -EPERM); // Syscall with permitted arguments syscall_assert!(unsafe { process_vm_readv(1, null(), 0, null(), 0, 0) }, 0);
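Review bot: The switch to `dup3` in the assertion at -212 and in the profile JSON at -135 has no comment explaining it, so the reason lives only in the commit message. A line above the assertion such as `// aarch64 has no dup2 syscall, so the rule and the call both use dup3` would keep a later edit from reverting it. It is also worth stating there that the rule matches by syscall name, so a profile that denies `dup2` does not deny `dup3`; the test only proves the filter for the name it lists. The test module's body continues outside these hunks.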