diff options
| -rw-r--r-- | man/systemd.exec.xml | 3 | ||||
| -rw-r--r-- | src/shared/seccomp-util.c | 6 | ||||
| -rw-r--r-- | src/shared/seccomp-util.h | 2 |
3 files changed, 9 insertions, 2 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 8c4988abe7..3ed8dd8f0b 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1597,7 +1597,8 @@ the specified flags parameters into account. Note that — if this option is used — in addition to restricting creation and switching of the specified types of namespaces (or all of them, if true) access to the <function>setns()</function> system call with a zero flags parameter is prohibited. This setting is only - supported on x86, x86-64, s390 and s390x, and enforces no restrictions on other architectures. If running in user + supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, + s390 and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied. </para></listitem> </varlistentry> diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 2631856563..bc8eaabab2 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -804,6 +804,12 @@ int seccomp_restrict_namespaces(unsigned long retain) { case SCMP_ARCH_X32: case SCMP_ARCH_PPC64: case SCMP_ARCH_PPC64LE: + case SCMP_ARCH_MIPS: + case SCMP_ARCH_MIPSEL: + case SCMP_ARCH_MIPS64: + case SCMP_ARCH_MIPSEL64: + case SCMP_ARCH_MIPS64N32: + case SCMP_ARCH_MIPSEL64N32: clone_reversed_order = 0; break; diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index b56ac3f763..468be19f05 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -92,7 +92,7 @@ int seccomp_memory_deny_write_execute(void); #endif /* we don't know the right order of the clone() parameters except for these archs, for now */ -#if defined(__x86_64__) || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) +#if defined(__x86_64__) || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__mips__) #define SECCOMP_RESTRICT_NAMESPACES_BROKEN 0 #else #define SECCOMP_RESTRICT_NAMESPACES_BROKEN 1 |