seccomp: disable RestrictAddressFamilies= for the ABI we shall block, not the one we are compiled for (#5272)

It's a difference. Not a big one, but let's be correct here.
author: Lennart Poettering <lennart@poettering.net> 2017-02-12 21:25:40 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2017-02-12 15:25:40 -0500
commit: 9606bc4b4b09a4d1bff3f047d5ca5ac4cf3fe073 (patch)
tree: fba53ec77408e5a404263acd6982bbf038cad693 /src
parent: ec7924fa21cd9725cd8279f6381d3d05efa70a3e (diff)
1 files changed, 27 insertions, 3 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 451669d9d5..84964f750f 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -948,17 +948,42 @@ int seccomp_protect_sysctl(void) {
 }
 
 int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
-
-#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
         uint32_t arch;
         int r;
 
         SECCOMP_FOREACH_LOCAL_ARCH(arch) {
                 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
+                bool supported;
                 Iterator i;
 
                 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
 
+                switch (arch) {
+
+                case SCMP_ARCH_X86_64:
+                case SCMP_ARCH_X32:
+                case SCMP_ARCH_ARM:
+                case SCMP_ARCH_AARCH64:
+                        /* These we know we support (i.e. are the ones that do not use socketcall()) */
+                        supported = true;
+                        break;
+
+                case SCMP_ARCH_X86:
+                case SCMP_ARCH_S390:
+                case SCMP_ARCH_S390X:
+                case SCMP_ARCH_PPC:
+                case SCMP_ARCH_PPC64:
+                case SCMP_ARCH_PPC64LE:
+                default:
+                        /* These we either know we don't support (i.e. are the ones that do use socketcall()), or we
+                         * don't know */
+                        supported = false;
+                        break;
+                }
+
+                if (!supported)
+                        continue;
+
                 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
                 if (r < 0)
                         return r;
@@ -1078,7 +1103,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
                 if (r < 0)
                         log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
         }
-#endif
 
         return 0;
 }
author	Lennart Poettering <lennart@poettering.net>	2017-02-12 21:25:40 +0100
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2017-02-12 15:25:40 -0500
commit	9606bc4b4b09a4d1bff3f047d5ca5ac4cf3fe073 (patch)
tree	fba53ec77408e5a404263acd6982bbf038cad693 /src
parent	ec7924fa21cd9725cd8279f6381d3d05efa70a3e (diff)