core: enforce seccomp for secondary archs too, for all rules

Let's make sure that all our rules apply to all archs the local kernel supports.
author: Lennart Poettering <lennart@poettering.net> 2016-08-22 19:01:14 +0200
committer: Djalal Harouni <tixxdz@opendz.org> 2016-09-25 10:18:44 +0200
commit: 72246c2a654ead7f7ee6e7799161e2e46dc0b84b (patch)
tree: 2025639d29d32bf6d022300ae5e98fd76e8ca0b8
parent: 6c1e2427df86b11076dffefbcdfd031429f5b256 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 2026137721..ee734e8445 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1273,6 +1273,10 @@ static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c)
         if (!seccomp)
                 return -ENOMEM;
 
+        r = seccomp_add_secondary_archs(seccomp);
+        if (r < 0)
+                goto finish;
+
         r = seccomp_rule_add(
                         seccomp,
                         SCMP_ACT_ERRNO(EPERM),
@@ -1322,6 +1326,10 @@ static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
         if (!seccomp)
                 return -ENOMEM;
 
+        r = seccomp_add_secondary_archs(seccomp);
+        if (r < 0)
+                goto finish;
+
         /* Determine the highest policy constant we want to allow */
         for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
                 if (permitted_policies[i] > max_policy)
author	Lennart Poettering <lennart@poettering.net>	2016-08-22 19:01:14 +0200
committer	Djalal Harouni <tixxdz@opendz.org>	2016-09-25 10:18:44 +0200
commit	72246c2a654ead7f7ee6e7799161e2e46dc0b84b (patch)
tree	2025639d29d32bf6d022300ae5e98fd76e8ca0b8
parent	6c1e2427df86b11076dffefbcdfd031429f5b256 (diff)