author | Lennart Poettering <lennart@poettering.net> | 2014-02-13 00:24:00 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-13 00:24:00 +0100 |
commit | 57183d117a1d6a96d71ce99d648beb0d2b36228d | |
tree | 4b0c5b62073bf4766bd825c5d7d6b75967d7be40 /man | |
parent | 351a19b17d51ba0a5737f35d3c5deb8e7975fdee |
core: add SystemCallArchitectures= unit setting to allow disabling of non-native
architecture support for system calls
Also, turn system call filter bus properties into complex types instead
of concatenated strings.
Diffstat (limited to 'man')
-rw-r--r-- | man/systemd.exec.xml | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 86ad7e223d..01356e4c45 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1050,6 +1050,14 @@ <function>write</function> will be removed from the set). </para></listitem> + + <para>Note that setting + <varname>SystemCallFilter=</varname> + implies a + <varname>SystemCallArchitectures=</varname> + setting of <literal>native</literal> + (see below), unless that option is + configured otherwise.</para> </varlistentry> <varlistentry> @@ -1072,6 +1080,48 @@ is triggered.</para></listitem> </varlistentry> + <varlistentry> + <term><varname>SystemCallArchitectures=</varname></term> + + <listitem><para>Takes a space + separated list of architecture + identifiers to include in the system + call filter. The known architecture + identifiers are + <literal>x86</literal>, + <literal>x86-64</literal>, + <literal>x32</literal>, + <literal>arm</literal> as well as the + special identifier + <literal>native</literal>. Only system + calls of the specified architectures + will be permitted to processes of this + unit. This is an effective way to + disable compatibility with non-native + architectures for processes, for + example to prohibit execution of 32bit + x86 binaries on 64bit x86-64 + systems. The special + <literal>native</literal> identifier + implicitly maps to the native + architecture of the system (or more + strictly: to the architecture the + system manager is compiled for). Note + that setting this option to a + non-empty list implies that + <literal>native</literal> is included + too. By default this option is set to + the empty list, i.e. no architecture + system call filtering is applied. Note + that configuring a system call filter + with + <varname>SystemCallFilter=</varname> + (above) implies a + <literal>native</literal> architecture + list, unless configured + otherwise.</para></listitem> + </varlistentry> + </variablelist> </refsect1> |
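Review bot: In the first hunk (@@ -1050,6 +1050,14 @@) the new <para> about SystemCallFilter= implying SystemCallArchitectures=native is added after the closing </para></listitem> and directly before </varlistentry>, so it becomes a direct child of <varlistentry> instead of part of the list item. DocBook's varlistentry accepts only term and listitem children, so this will either fail validation or render detached from the SystemCallFilter= description. Suggest moving the paragraph inside the <listitem>, before its closing tag.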
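Review bot: In the second hunk (@@ -1072,6 +1080,48 @@) the SystemCallArchitectures= entry says only system calls of the listed architectures "will be permitted" but never says what happens to a process that issues a call from an architecture outside the list (whether it is terminated or receives an error). Since this option is documented as a way to lock a unit down, the enforcement action should be stated explicitly. The sentence "setting this option to a non-empty list implies that native is included too" also means the native architecture can never be excluded, which is worth saying in those words next to the x86-64 example. Minor style: "32bit" and "64bit" should read "32-bit" and "64-bit".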