diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-02-18 22:14:00 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-18 22:14:00 +0100 |
commit | e9642be2cce7f5e90406980092a6f71f504a16af (patch) | |
tree | 261c0a274329240ef9c79f618f28fcb51f0a6a07 /src/nspawn/nspawn.c | |
parent | f3d5485b805de60ee71810eeb58e82d44ce24fe1 (diff) |
seccomp: add helper call to add all secondary archs to a seccomp filter
And make use of it where appropriate for executing services and for
nspawn.
Diffstat (limited to 'src/nspawn/nspawn.c')
-rw-r--r-- | src/nspawn/nspawn.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 5a2467d6e2..54f7187754 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -79,6 +79,10 @@ #include "rtnl-util.h" #include "udev-util.h" +#ifdef HAVE_SECCOMP +#include "seccomp-util.h" +#endif + typedef enum LinkJournal { LINK_NO, LINK_AUTO, @@ -1521,6 +1525,12 @@ static int audit_still_doesnt_work_in_containers(void) { if (!seccomp) return log_oom(); + r = seccomp_add_secondary_archs(seccomp); + if (r < 0 && r != -EEXIST) { + log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r)); + goto finish; + } + r = seccomp_rule_add_exact( seccomp, SCMP_ACT_ERRNO(EAFNOSUPPORT), @@ -1539,14 +1549,6 @@ static int audit_still_doesnt_work_in_containers(void) { goto finish; } -#ifdef __x86_64__ - r = seccomp_arch_add(seccomp, SCMP_ARCH_X86); - if (r < 0 && r != -EEXIST) { - log_error("Failed to add x86 to seccomp filter: %s", strerror(-r)); - goto finish; - } -#endif - r = seccomp_load(seccomp); if (r < 0) log_error("Failed to install seccomp audit filter: %s", strerror(-r)); |