author | Lennart Poettering <lennart@poettering.net> | 2016-08-22 19:01:14 +0200 |
---|---|---|
committer | Djalal Harouni <tixxdz@opendz.org> | 2016-09-25 10:18:44 +0200 |
commit | 72246c2a654ead7f7ee6e7799161e2e46dc0b84b (patch) | |
tree | 2025639d29d32bf6d022300ae5e98fd76e8ca0b8 /src/core/execute.c | |
parent | 6c1e2427df86b11076dffefbcdfd031429f5b256 (diff) |
core: enforce seccomp for secondary archs too, for all rules
Let's make sure that all our rules apply to all archs the local kernel
supports.
Diffstat (limited to 'src/core/execute.c')
-rw-r--r-- | src/core/execute.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 2026137721..ee734e8445 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1273,6 +1273,10 @@ static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c)
 if (!seccomp)
 return -ENOMEM;

+ r = seccomp_add_secondary_archs(seccomp);
+ if (r < 0)
+ goto finish;
+
 r = seccomp_rule_add(
 seccomp,
 SCMP_ACT_ERRNO(EPERM),
@@ -1322,6 +1326,10 @@ static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
 if (!seccomp)
 return -ENOMEM;

+ r = seccomp_add_secondary_archs(seccomp);
+ if (r < 0)
+ goto finish;
+
 /* Determine the highest policy constant we want to allow */
 for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
 if (permitted_policies[i] > max_policy)
 |
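Review bot: The new `seccomp_add_secondary_archs(seccomp)` call in apply_memory_deny_write_execute() has no comment saying why it must run before the first rule is added, and that ordering is what makes the deny rule cover every ABI the kernel accepts. I would put `/* Register all non-native architectures first, so the rules added below are installed for every ABI, not just the native one */` above it; the same comment fits the identical lines in apply_restrict_realtime(). The `seccomp_rule_add()` call that follows is cut off by the hunk, so I cannot see its match conditions. If it compares syscall arguments, it is worth confirming that the argument positions and the syscall's calling convention are the same on each secondary architecture, because the one rule is now applied to all of them.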
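Review bot: The error path added in apply_restrict_realtime() jumps to `finish`, which is outside the hunk, so it is not visible whether a failure to register a secondary architecture is returned to the caller or ends with the unit running without the filter. For a sandboxing option the first is the safe outcome; please confirm that `finish` releases the filter context and returns `r` unchanged. These four lines also duplicate the ones added to apply_memory_deny_write_execute() word for word. A small static helper that creates the filter context and registers the secondary architectures in one step would keep a future filter in this file from forgetting the second half.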