From: Lennart Poettering Date: Sun, 12 Feb 2017 20:25:40 +0000 (+0100) Subject: seccomp: disable RestrictAddressFamilies= for the ABI we shall block, not the one... X-Git-Tag: v233~109 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9606bc4b4b09a4d1bff3f047d5ca5ac4cf3fe073;p=thirdparty%2Fsystemd.git seccomp: disable RestrictAddressFamilies= for the ABI we shall block, not the one we are compiled for (#5272) It's a difference. Not a big one, but let's be correct here. --- diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 451669d9d50..84964f750f6 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -948,17 +948,42 @@ int seccomp_protect_sysctl(void) { } int seccomp_restrict_address_families(Set *address_families, bool whitelist) { - -#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN uint32_t arch; int r; SECCOMP_FOREACH_LOCAL_ARCH(arch) { _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; + bool supported; Iterator i; log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); + switch (arch) { + + case SCMP_ARCH_X86_64: + case SCMP_ARCH_X32: + case SCMP_ARCH_ARM: + case SCMP_ARCH_AARCH64: + /* These we know we support (i.e. are the ones that do not use socketcall()) */ + supported = true; + break; + + case SCMP_ARCH_X86: + case SCMP_ARCH_S390: + case SCMP_ARCH_S390X: + case SCMP_ARCH_PPC: + case SCMP_ARCH_PPC64: + case SCMP_ARCH_PPC64LE: + default: + /* These we either know we don't support (i.e. are the ones that do use socketcall()), or we + * don't know */ + supported = false; + break; + } + + if (!supported) + continue; + r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); if (r < 0) return r; @@ -1078,7 +1103,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { if (r < 0) log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); } -#endif return 0; }