diff options
author | Evgeny Vereshchagin <evvers@ya.ru> | 2017-02-07 05:06:54 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-02-07 05:06:54 +0300 |
commit | d52fbaa58c6b0c928d1d9a2d015edcc63acb0df6 (patch) | |
tree | a47f04c35e2b3b67bfa153e25bb09d977e74f318 /src | |
parent | 1fb85797493dde55c9db9725970343a064e9e062 (diff) | |
parent | 142bd808a1a1a4a7dc4e75b7a9d1bda6c1530dfd (diff) |
Merge pull request #5225 from poettering/seccomp-socket
make RestrictAddressFamilies= officially a NOP on i386
Diffstat (limited to 'src')
-rw-r--r-- | src/shared/seccomp-util.c | 3 | ||||
-rw-r--r-- | src/shared/seccomp-util.h | 8 | ||||
-rw-r--r-- | src/test/test-seccomp.c | 16 |
3 files changed, 27 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index bd9c0aac60..609e0619af 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -873,6 +873,8 @@ int seccomp_protect_sysctl(void) { } int seccomp_restrict_address_families(Set *address_families, bool whitelist) { + +#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN uint32_t arch; int r; @@ -1001,6 +1003,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { if (r < 0) log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); } +#endif return 0; } diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index 4438e87fa6..2563fcd38a 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -76,6 +76,14 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist); int seccomp_restrict_realtime(void); int seccomp_memory_deny_write_execute(void); +#if defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__) || defined (__mips__) +/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, and we can't restrict it hence via + * seccomp */ +#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1 +#else +#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0 +#endif + extern const uint32_t seccomp_local_archs[]; #define SECCOMP_FOREACH_LOCAL_ARCH(arch) \ diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c index 6f15879c45..54e7947c2f 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c @@ -283,8 +283,14 @@ static void test_restrict_address_families(void) { assert_se(fd >= 0); safe_close(fd); +#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN + fd = socket(AF_UNIX, SOCK_DGRAM, 0); + assert_se(fd >= 0); + safe_close(fd); +#else assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0); assert_se(errno == EAFNOSUPPORT); +#endif fd = socket(AF_NETLINK, SOCK_DGRAM, 0); assert_se(fd >= 0); @@ -300,11 +306,21 @@ static void test_restrict_address_families(void) { assert_se(fd >= 0); safe_close(fd); +#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN + fd = socket(AF_UNIX, SOCK_DGRAM, 0); + assert_se(fd >= 0); + safe_close(fd); + + fd = socket(AF_NETLINK, SOCK_DGRAM, 0); + assert_se(fd >= 0); + safe_close(fd); +#else assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0); assert_se(errno == EAFNOSUPPORT); assert_se(socket(AF_NETLINK, SOCK_DGRAM, 0) < 0); assert_se(errno == EAFNOSUPPORT); +#endif _exit(EXIT_SUCCESS); } |