seccomp: RestrictAddressFamilies= is not supported on i386/s390/s390x, make it a NOP

See: #5215
author: Lennart Poettering <lennart@poettering.net> 2017-02-03 18:31:05 +0100
committer: Lennart Poettering <lennart@poettering.net> 2017-02-06 14:17:12 +0100
commit: ad8f1479b46c72d103b7f4f7b8ff4f59f7455285 (patch)
tree: 6209085533eda460591d509f4e2fdee8b1aefb75 /src/shared/seccomp-util.h
parent: 9194199c9894c5fd4f497fbbf5fc0449686c8fe5 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 4438e87fa6..2563fcd38a 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -76,6 +76,14 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist);
 int seccomp_restrict_realtime(void);
 int seccomp_memory_deny_write_execute(void);
 
+#if defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__) || defined (__mips__)
+/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, and we can't restrict it hence via
+ * seccomp */
+#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+#else
+#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
+#endif
+
 extern const uint32_t seccomp_local_archs[];
 
 #define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
author	Lennart Poettering <lennart@poettering.net>	2017-02-03 18:31:05 +0100
committer	Lennart Poettering <lennart@poettering.net>	2017-02-06 14:17:12 +0100
commit	ad8f1479b46c72d103b7f4f7b8ff4f59f7455285 (patch)
tree	6209085533eda460591d509f4e2fdee8b1aefb75 /src/shared/seccomp-util.h
parent	9194199c9894c5fd4f497fbbf5fc0449686c8fe5 (diff)