summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorEvgeny Vereshchagin <evvers@ya.ru>2017-02-07 05:06:54 +0300
committerGitHub <noreply@github.com>2017-02-07 05:06:54 +0300
commitd52fbaa58c6b0c928d1d9a2d015edcc63acb0df6 (patch)
treea47f04c35e2b3b67bfa153e25bb09d977e74f318 /src
parent1fb85797493dde55c9db9725970343a064e9e062 (diff)
parent142bd808a1a1a4a7dc4e75b7a9d1bda6c1530dfd (diff)
Merge pull request #5225 from poettering/seccomp-socket
make RestrictAddressFamilies= officially a NOP on i386
Diffstat (limited to 'src')
-rw-r--r--src/shared/seccomp-util.c3
-rw-r--r--src/shared/seccomp-util.h8
-rw-r--r--src/test/test-seccomp.c16
3 files changed, 27 insertions, 0 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index bd9c0aac60..609e0619af 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -873,6 +873,8 @@ int seccomp_protect_sysctl(void) {
}
int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
+
+#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
uint32_t arch;
int r;
@@ -1001,6 +1003,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
if (r < 0)
log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
+#endif
return 0;
}
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 4438e87fa6..2563fcd38a 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -76,6 +76,14 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist);
int seccomp_restrict_realtime(void);
int seccomp_memory_deny_write_execute(void);
+#if defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__) || defined (__mips__)
+/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, and we can't restrict it hence via
+ * seccomp */
+#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+#else
+#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
+#endif
+
extern const uint32_t seccomp_local_archs[];
#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 6f15879c45..54e7947c2f 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -283,8 +283,14 @@ static void test_restrict_address_families(void) {
assert_se(fd >= 0);
safe_close(fd);
+#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
+ fd = socket(AF_UNIX, SOCK_DGRAM, 0);
+ assert_se(fd >= 0);
+ safe_close(fd);
+#else
assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
assert_se(errno == EAFNOSUPPORT);
+#endif
fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
assert_se(fd >= 0);
@@ -300,11 +306,21 @@ static void test_restrict_address_families(void) {
assert_se(fd >= 0);
safe_close(fd);
+#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
+ fd = socket(AF_UNIX, SOCK_DGRAM, 0);
+ assert_se(fd >= 0);
+ safe_close(fd);
+
+ fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
+ assert_se(fd >= 0);
+ safe_close(fd);
+#else
assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
assert_se(errno == EAFNOSUPPORT);
assert_se(socket(AF_NETLINK, SOCK_DGRAM, 0) < 0);
assert_se(errno == EAFNOSUPPORT);
+#endif
_exit(EXIT_SUCCESS);
}