summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2017-02-12 21:25:40 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2017-02-12 15:25:40 -0500
commit9606bc4b4b09a4d1bff3f047d5ca5ac4cf3fe073 (patch)
treefba53ec77408e5a404263acd6982bbf038cad693 /src
parentec7924fa21cd9725cd8279f6381d3d05efa70a3e (diff)
seccomp: disable RestrictAddressFamilies= for the ABI we shall block, not the one we are compiled for (#5272)
It's a difference. Not a big one, but let's be correct here.
Diffstat (limited to 'src')
-rw-r--r--src/shared/seccomp-util.c30
1 files changed, 27 insertions, 3 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 451669d9d5..84964f750f 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -948,17 +948,42 @@ int seccomp_protect_sysctl(void) {
}
int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
-
-#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
uint32_t arch;
int r;
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
+ bool supported;
Iterator i;
log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
+ switch (arch) {
+
+ case SCMP_ARCH_X86_64:
+ case SCMP_ARCH_X32:
+ case SCMP_ARCH_ARM:
+ case SCMP_ARCH_AARCH64:
+ /* These we know we support (i.e. are the ones that do not use socketcall()) */
+ supported = true;
+ break;
+
+ case SCMP_ARCH_X86:
+ case SCMP_ARCH_S390:
+ case SCMP_ARCH_S390X:
+ case SCMP_ARCH_PPC:
+ case SCMP_ARCH_PPC64:
+ case SCMP_ARCH_PPC64LE:
+ default:
+ /* These we either know we don't support (i.e. are the ones that do use socketcall()), or we
+ * don't know */
+ supported = false;
+ break;
+ }
+
+ if (!supported)
+ continue;
+
r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
if (r < 0)
return r;
@@ -1078,7 +1103,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
if (r < 0)
log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
-#endif
return 0;
}