seccomp: add support for the s390 architecture (#4287)
authorhbrueckner <hbrueckner@users.noreply.github.com>
Wed, 5 Oct 2016 11:58:55 +0000 (13:58 +0200)
committerLennart Poettering <lennart@poettering.net>
Wed, 5 Oct 2016 11:58:55 +0000 (13:58 +0200)
Add seccomp support for the s390 architecture (31-bit and 64-bit)
to systemd.

This requires libseccomp >= 2.3.1.

README
configure.ac
man/systemd.exec.xml
src/shared/seccomp-util.c

diff --git a/README b/README
index fb6fd6381bea29f166098c05a68ee4fe98e1db2b..d610baaf760921c091649d11845a7724f5f9b388 100644 (file)
--- a/README
+++ b/README
@@ -120,7 +120,7 @@ REQUIREMENTS:
         libcap
         libmount >= 2.27.1 (from util-linux)
                 (util-linux *must* be built with --enable-libmount-force-mountinfo)
-        libseccomp >= 1.0.0 (optional)
+        libseccomp >= 2.3.1 (optional)
         libblkid >= 2.24 (from util-linux) (optional)
         libkmod >= 15 (optional)
         PAM >= 1.1.2 (optional)
index 4181483798baaf5876f5f7dbadd13723e39b2cad..ccd212ef138b9807e620f5d355cf57d129ec8002 100644 (file)
@@ -459,7 +459,7 @@ AM_CONDITIONAL(HAVE_LIBMOUNT, [test "$have_libmount" = "yes"])
 have_seccomp=no
 AC_ARG_ENABLE(seccomp, AS_HELP_STRING([--disable-seccomp], [Disable optional SECCOMP support]))
 if test "x$enable_seccomp" != "xno"; then
-        PKG_CHECK_MODULES(SECCOMP, [libseccomp >= 1.0.0],
+        PKG_CHECK_MODULES(SECCOMP, [libseccomp >= 2.3.1],
                [AC_DEFINE(HAVE_SECCOMP, 1, [Define if seccomp is available])
                 have_seccomp=yes
                 M4_DEFINES="$M4_DEFINES -DHAVE_SECCOMP"],
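Review bot: Raising the floor to `libseccomp >= 2.3.1` applies to every architecture, although only the s390 constants need it, so a build host with an older libseccomp stops matching this check. The action-if-not-found argument of `PKG_CHECK_MODULES` lies outside the hunk; if it only sets `have_seccomp=no` when seccomp was not requested explicitly, such builds would come out without system call filtering and without a hard error. I would make that path visible, for example `AC_MSG_WARN([*** libseccomp >= 2.3.1 not found, building without seccomp support])`, or keep the old floor and guard the new s390 code with `#ifdef SCMP_ARCH_S390`.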
index 2054267b9097d2ff75ba58d12fa1d8156e7b507c..5e6787338df7ab6359d7ce7275920e6a7a70fb6d 100644 (file)
         identifiers to include in the system call filter. The known
         architecture identifiers are <constant>x86</constant>,
         <constant>x86-64</constant>, <constant>x32</constant>,
-        <constant>arm</constant> as well as the special identifier
+        <constant>arm</constant>, <constant>s390</constant>,
+        <constant>s390x</constant> as well as the special identifier
         <constant>native</constant>. Only system calls of the
         specified architectures will be permitted to processes of this
         unit. This is an effective way to disable compatibility with
index 2f42381fc1f0d2785b1147e0d4a26626c869470b..8116c7671f06541cef4a537eb89eba40e645d820 100644 (file)
@@ -39,6 +39,10 @@ const char* seccomp_arch_to_string(uint32_t c) {
                 return "x32";
         if (c == SCMP_ARCH_ARM)
                 return "arm";
+        if (c == SCMP_ARCH_S390)
+                return "s390";
+        if (c == SCMP_ARCH_S390X)
+                return "s390x";
 
         return NULL;
 }
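Review bot: The architecture names now live in three places that must agree: this if-chain in `seccomp_arch_to_string()`, the `streq()` chain in `seccomp_arch_from_string()` (next hunk), and the list in man/systemd.exec.xml. The new entries are consistent across all three, but nothing in the code records the coupling. A comment above the chain such as `/* Keep in sync with seccomp_arch_from_string() and the architecture list in man/systemd.exec.xml */` would help the next addition. Both function bodies start outside their hunks.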
@@ -59,6 +63,10 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
                 *ret = SCMP_ARCH_X32;
         else if (streq(n, "arm"))
                 *ret = SCMP_ARCH_ARM;
+        else if (streq(n, "s390"))
+                *ret = SCMP_ARCH_S390;
+        else if (streq(n, "s390x"))
+                *ret = SCMP_ARCH_S390X;
         else
                 return -EINVAL;
 
@@ -85,6 +93,20 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
         if (r < 0 && r != -EEXIST)
                 return r;
 
+#elif defined(__s390__) || defined(__s390x__)
+        int r;
+
+        /* Add in all possible secondary archs we are aware of that
+         * this kernel might support. */
+
+        r = seccomp_arch_add(c, SCMP_ARCH_S390);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+        r = seccomp_arch_add(c, SCMP_ARCH_S390X);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
 #endif
 
         return 0;
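Review bot: The comment in the new `#elif` branch is copied from the branch above and does not explain why both `SCMP_ARCH_S390` and `SCMP_ARCH_S390X` are added unconditionally. One of the two is presumably the native architecture already present in the filter context, so that call is expected to return `-EEXIST`, which the `r != -EEXIST` test tolerates. The other extends the filter to the compat ABI, so that its system calls are matched by the filter rules rather than left to the bad-architecture action. I would say so in the comment, e.g. `/* One of these is native and yields -EEXIST; the other covers the 31-bit/64-bit compat ABI. */`. The function begins and ends outside the hunk.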