From: Lennart Poettering Date: Fri, 14 Oct 2022 16:02:31 +0000 (+0200) Subject: seccomp: drop per arch conditionalization in filter groups X-Git-Tag: v252-rc2~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c8428d2d0612176c6db730dee17e9ef92582bb0f;p=thirdparty%2Fsystemd.git seccomp: drop per arch conditionalization in filter groups We list plenty of arch-specific syscalls in our filter groups, treat the s390 syscalls the same. We handle gracefully anyway if some syscall doesn't exist locally on the kernel or arch, let's rely on it. This has the benefit that "systemd-analyze" will comprehensively tell you the syscalls filtered on any arch for any arch. And less conditionalization is good anyway.
---
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 52ee315dda7..1247da535d0 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -447,9 +447,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "pidfd_getfd\0"
 "ptrace\0"
 "rtas\0"
-#if defined __s390__ || defined __s390x__
 "s390_runtime_instr\0"
-#endif
 "sys_debug_setcontext\0"
 },
 [SYSCALL_FILTER_SET_FILE_SYSTEM] = {
@@ -773,10 +771,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "pciconfig_iobase\0"
 "pciconfig_read\0"
 "pciconfig_write\0"
-#if defined __s390__ || defined __s390x__
 "s390_pci_mmio_read\0"
 "s390_pci_mmio_write\0"
-#endif
 },
 [SYSCALL_FILTER_SET_REBOOT] = {
 .name = "@reboot",
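Review bot: The now-unconditional `"s390_runtime_instr\0"` entry in the set that closes just before `[SYSCALL_FILTER_SET_FILE_SYSTEM]` depends on a skip path that this diff does not show. On every non-s390 build the name will not resolve natively, so a filter built from this set installs only if the loader treats an unresolvable name as a no-op rather than an error. The same holds for `"s390_pci_mmio_read\0"` and `"s390_pci_mmio_write\0"` in the second hunk. The commit message asserts this is handled gracefully; a test on a non-s390 architecture that installs a filter from each affected set would pin that down, ideally also against a libseccomp too old to know the `s390_*` names. The invariant could also be recorded next to the table, whose initializer starts and ends outside both hunks, e.g. `/* Arch-specific syscalls are listed unconditionally; names that do not resolve locally are skipped when the filter is built. */`.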