authorLennart Poettering <lennart@poettering.net>2014-02-18 22:14:00 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-18 22:14:00 +0100
commite9642be2cce7f5e90406980092a6f71f504a16af (patch)
tree261c0a274329240ef9c79f618f28fcb51f0a6a07 /src
parentf3d5485b805de60ee71810eeb58e82d44ce24fe1 (diff)
seccomp: add helper call to add all secondary archs to a seccomp filter
And make use of it where appropriate for executing services and for nspawn.
Diffstat (limited to 'src')
-rw-r--r--src/core/execute.c18
-rw-r--r--src/nspawn/nspawn.c18
-rw-r--r--src/shared/seccomp-util.c26
-rw-r--r--src/shared/seccomp-util.h2
4 files changed, 52 insertions, 12 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index be15fb95ee..4b1177a7e5 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -957,10 +957,20 @@ static int apply_seccomp(ExecContext *c) {
if (!seccomp)
return -ENOMEM;
- SET_FOREACH(id, c->syscall_archs, i) {
- r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
- if (r == -EEXIST)
- continue;
+ if (c->syscall_archs) {
+
+ SET_FOREACH(id, c->syscall_archs, i) {
+ r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
+ if (r == -EEXIST)
+ continue;
+ if (r < 0) {
+ seccomp_release(seccomp);
+ return r;
+ }
+ }
+ } else {
+
+ r = seccomp_add_secondary_archs(seccomp);
if (r < 0) {
seccomp_release(seccomp);
return r;
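Review bot: The branch choice at `if (c->syscall_archs) {` keys on the set pointer being non-NULL rather than on the set holding anything, so an allocated-but-empty syscall_archs set would take the first branch, add no architecture at all and silently skip the secondary archs the else branch now adds; whether the config loader can ever hand over an empty set is outside this hunk, but `if (!set_isempty(c->syscall_archs)) {` would make both the NULL and the empty case behave the same and is cheap to adopt. The `if (r < 0)` that follows the helper call is the right check, since the helper already discards -EEXIST itself. apply_seccomp() starts before the hunk and continues after it.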
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 5a2467d6e2..54f7187754 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -79,6 +79,10 @@
#include "rtnl-util.h"
#include "udev-util.h"
+#ifdef HAVE_SECCOMP
+#include "seccomp-util.h"
+#endif
+
typedef enum LinkJournal {
LINK_NO,
LINK_AUTO,
@@ -1521,6 +1525,12 @@ static int audit_still_doesnt_work_in_containers(void) {
if (!seccomp)
return log_oom();
+ r = seccomp_add_secondary_archs(seccomp);
+ if (r < 0 && r != -EEXIST) {
+ log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
+ goto finish;
+ }
+
r = seccomp_rule_add_exact(
seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT),
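Review bot: The `r != -EEXIST` test on the new seccomp_add_secondary_archs() call is dead: the helper treats -EEXIST as success and returns 0 for it, so only genuine failures reach this branch and `if (r < 0) {` is sufficient; keeping the extra condition suggests a contract the helper does not have and will confuse the next reader. The per-x86_64 block this replaces did need that test because it called seccomp_arch_add() directly. audit_still_doesnt_work_in_containers() starts and ends outside the hunk.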
@@ -1539,14 +1549,6 @@ static int audit_still_doesnt_work_in_containers(void) {
goto finish;
}
-#ifdef __x86_64__
- r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
- if (r < 0 && r != -EEXIST) {
- log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
- goto finish;
- }
-#endif
-
r = seccomp_load(seccomp);
if (r < 0)
log_error("Failed to install seccomp audit filter: %s", strerror(-r));
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index ee39cc7c1d..d73a74912e 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -61,3 +61,29 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
return 0;
}
+
+int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
+
+#if defined(__i386__) || defined(__x86_64__)
+ int r;
+
+ /* Add in all possible secondary archs we are aware of that
+ * this kernel might support. */
+
+ r = seccomp_arch_add(c, SCMP_ARCH_X86);
+ if (r < 0 && r != -EEXIST)
+ return r;
+
+ r = seccomp_arch_add(c, SCMP_ARCH_X86_64);
+ if (r < 0 && r != -EEXIST)
+ return r;
+
+ r = seccomp_arch_add(c, SCMP_ARCH_X32);
+ if (r < 0 && r != -EEXIST)
+ return r;
+
+#endif
+
+ return 0;
+
+}
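Review bot: The parameter `scmp_filter_ctx *c` declares one level of indirection more than the function uses: libseccomp's scmp_filter_ctx is already a pointer typedef (void *), which is the only reason passing `seccomp` from execute.c and nspawn.c and forwarding `c` to seccomp_arch_add() compile without a cast; declare it `int seccomp_add_secondary_archs(scmp_filter_ctx c)` here and in the seccomp-util.h hunk so the signature matches the libseccomp API it wraps. The contract callers rely on also deserves a comment on the declaration: -EEXIST is swallowed (so callers need no `r != -EEXIST` check), the native arch is added too and its -EEXIST ignored, and on anything other than i386/x86_64 the function is a silent no-op returning 0, so "all secondary archs" currently means the x86 family only. A suitable header comment would be `/* Adds the x86, x86-64 and x32 ABIs to the filter; -EEXIST is ignored. No-op returning 0 on other architectures. */`.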
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 6b63902f5d..9a51a85b49 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -24,3 +24,5 @@
const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret);
+
+int seccomp_add_secondary_archs(scmp_filter_ctx *c);