seccomp: add helper call to add all secondary archs to a seccomp filter

And make use of it where appropriate for executing services and for
nspawn.

2 files changed, 28 insertions, 0 deletions

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index ee39cc7c1d..d73a74912e 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -61,3 +61,29 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
 
         return 0;
 }
+
+int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
+
+#if defined(__i386__) || defined(__x86_64__)
+        int r;
+
+        /* Add in all possible secondary archs we are aware of that
+         * this kernel might support. */
+
+        r = seccomp_arch_add(c, SCMP_ARCH_X86);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+        r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+        r = seccomp_arch_add(c, SCMP_ARCH_X32);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+#endif
+
+        return 0;
+
+}
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 6b63902f5d..9a51a85b49 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -24,3 +24,5 @@
 
 const char* seccomp_arch_to_string(uint32_t c);
 int seccomp_arch_from_string(const char *n, uint32_t *ret);
+
+int seccomp_add_secondary_archs(scmp_filter_ctx *c);