1 files changed, 81 insertions, 16 deletions

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index b6b44e7f56..84964f750f 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -36,31 +36,72 @@
 
 const uint32_t seccomp_local_archs[] = {
 
-#if defined(__i386__) || defined(__x86_64__)
+        /* Note: always list the native arch we are compiled as last, so that users can blacklist seccomp(), but our own calls to it still succeed */
+
+#if defined(__x86_64__) && defined(__ILP32__)
                 SCMP_ARCH_X86,
                 SCMP_ARCH_X86_64,
+                SCMP_ARCH_X32,         /* native */
+#elif defined(__x86_64__) && !defined(__ILP32__)
+                SCMP_ARCH_X86,
                 SCMP_ARCH_X32,
-
-#elif defined(__arm__) || defined(__aarch64__)
+                SCMP_ARCH_X86_64,      /* native */
+#elif defined(__i386__)
+                SCMP_ARCH_X86,
+#elif defined(__aarch64__)
                 SCMP_ARCH_ARM,
-                SCMP_ARCH_AARCH64,
-
-#elif defined(__mips__) || defined(__mips64__)
+                SCMP_ARCH_AARCH64,     /* native */
+#elif defined(__arm__)
+                SCMP_ARCH_ARM,
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
+                SCMP_ARCH_MIPSEL,
+                SCMP_ARCH_MIPS,        /* native */
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32
                 SCMP_ARCH_MIPS,
-                SCMP_ARCH_MIPS64,
+                SCMP_ARCH_MIPSEL,      /* native */
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+                SCMP_ARCH_MIPSEL,
+                SCMP_ARCH_MIPS,
+                SCMP_ARCH_MIPSEL64N32,
+                SCMP_ARCH_MIPS64N32,
+                SCMP_ARCH_MIPSEL64,
+                SCMP_ARCH_MIPS64,      /* native */
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI64
+                SCMP_ARCH_MIPS,
+                SCMP_ARCH_MIPSEL,
                 SCMP_ARCH_MIPS64N32,
+                SCMP_ARCH_MIPSEL64N32,
+                SCMP_ARCH_MIPS64,
+                SCMP_ARCH_MIPSEL64,    /* native */
+#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
                 SCMP_ARCH_MIPSEL,
+                SCMP_ARCH_MIPS,
                 SCMP_ARCH_MIPSEL64,
+                SCMP_ARCH_MIPS64,
                 SCMP_ARCH_MIPSEL64N32,
-
-#elif defined(__powerpc__) || defined(__powerpc64__)
+                SCMP_ARCH_MIPS64N32,   /* native */
+#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && _MIPS_SIM == _MIPS_SIM_NABI32
+                SCMP_ARCH_MIPS,
+                SCMP_ARCH_MIPSEL,
+                SCMP_ARCH_MIPS64,
+                SCMP_ARCH_MIPSEL64,
+                SCMP_ARCH_MIPS64N32,
+                SCMP_ARCH_MIPSEL64N32, /* native */
+#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN
                 SCMP_ARCH_PPC,
-                SCMP_ARCH_PPC64,
                 SCMP_ARCH_PPC64LE,
-
-#elif defined(__s390__) || defined(__s390x__)
+                SCMP_ARCH_PPC64,       /* native */
+#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+                SCMP_ARCH_PPC,
+                SCMP_ARCH_PPC64,
+                SCMP_ARCH_PPC64LE,     /* native */
+#elif defined(__powerpc__)
+                SCMP_ARCH_PPC,
+#elif defined(__s390x__)
+                SCMP_ARCH_S390,
+                SCMP_ARCH_S390X,      /* native */
+#elif defined(__s390__)
                 SCMP_ARCH_S390,
-                SCMP_ARCH_S390X,
 #endif
                 (uint32_t) -1
         };
@@ -907,17 +948,42 @@ int seccomp_protect_sysctl(void) {
 }
 
 int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
-
-#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
         uint32_t arch;
         int r;
 
         SECCOMP_FOREACH_LOCAL_ARCH(arch) {
                 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
+                bool supported;
                 Iterator i;
 
                 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
 
+                switch (arch) {
+
+                case SCMP_ARCH_X86_64:
+                case SCMP_ARCH_X32:
+                case SCMP_ARCH_ARM:
+                case SCMP_ARCH_AARCH64:
+                        /* These we know we support (i.e. are the ones that do not use socketcall()) */
+                        supported = true;
+                        break;
+
+                case SCMP_ARCH_X86:
+                case SCMP_ARCH_S390:
+                case SCMP_ARCH_S390X:
+                case SCMP_ARCH_PPC:
+                case SCMP_ARCH_PPC64:
+                case SCMP_ARCH_PPC64LE:
+                default:
+                        /* These we either know we don't support (i.e. are the ones that do use socketcall()), or we
+                         * don't know */
+                        supported = false;
+                        break;
+                }
+
+                if (!supported)
+                        continue;
+
                 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
                 if (r < 0)
                         return r;
@@ -1037,7 +1103,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
                 if (r < 0)
                         log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
         }
-#endif
 
         return 0;
 }