seccomp: don't ever try to add an ABI before removing the default native ABI (#5230)

https://github.com/systemd/systemd/issues/5215#issuecomment-277156262

libseccomp does not allow you to add architectures to a filter that
doesn't match the byte ordering of the architectures already added to
the filter (it would be a mess, not to mention largely pointless) and
since systemd attempts to add an ABI before removing the default native
ABI, you will always fail on Power (either due to ppc or ppc64le). The
fix is to remove the native ABI before adding a new ABI so you don't run
into problems with byte ordering.

You would likely see the same failure on a MIPS system.

Thanks @pcmoore!

1 files changed, 2 insertions, 2 deletions

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 2c73cb8fa4..bd9c0aac60 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -171,11 +171,11 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
         if (arch != SCMP_ARCH_NATIVE &&
             arch != seccomp_arch_native()) {
 
-                r = seccomp_arch_add(seccomp, arch);
+                r = seccomp_arch_remove(seccomp, seccomp_arch_native());
                 if (r < 0)
                         goto finish;
 
-                r = seccomp_arch_remove(seccomp, seccomp_arch_native());
+                r = seccomp_arch_add(seccomp, arch);
                 if (r < 0)
                         goto finish;