summaryrefslogtreecommitdiff
path: root/src/nspawn/nspawn.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-02-18 22:14:00 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-18 22:14:00 +0100
commite9642be2cce7f5e90406980092a6f71f504a16af (patch)
tree261c0a274329240ef9c79f618f28fcb51f0a6a07 /src/nspawn/nspawn.c
parentf3d5485b805de60ee71810eeb58e82d44ce24fe1 (diff)
seccomp: add helper call to add all secondary archs to a seccomp filter
And make use of it where appropriate for executing services and for nspawn.
Diffstat (limited to 'src/nspawn/nspawn.c')
-rw-r--r--src/nspawn/nspawn.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 5a2467d6e2..54f7187754 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -79,6 +79,10 @@
#include "rtnl-util.h"
#include "udev-util.h"
+#ifdef HAVE_SECCOMP
+#include "seccomp-util.h"
+#endif
+
typedef enum LinkJournal {
LINK_NO,
LINK_AUTO,
@@ -1521,6 +1525,12 @@ static int audit_still_doesnt_work_in_containers(void) {
if (!seccomp)
return log_oom();
+ r = seccomp_add_secondary_archs(seccomp);
+ if (r < 0 && r != -EEXIST) {
+ log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
+ goto finish;
+ }
+
r = seccomp_rule_add_exact(
seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT),
@@ -1539,14 +1549,6 @@ static int audit_still_doesnt_work_in_containers(void) {
goto finish;
}
-#ifdef __x86_64__
- r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
- if (r < 0 && r != -EEXIST) {
- log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
- goto finish;
- }
-#endif
-
r = seccomp_load(seccomp);
if (r < 0)
log_error("Failed to install seccomp audit filter: %s", strerror(-r));