1 files changed, 37 insertions, 4 deletions

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 6c489284d1..8116c7671f 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -20,9 +20,9 @@
 #include <errno.h>
 #include <seccomp.h>
 #include <stddef.h>
+#include <sys/prctl.h>
+#include <linux/seccomp.h>
 
-#include "alloc-util.h"
-#include "fileio.h"
 #include "macro.h"
 #include "seccomp-util.h"
 #include "string-util.h"
@@ -39,6 +39,10 @@ const char* seccomp_arch_to_string(uint32_t c) {
                 return "x32";
         if (c == SCMP_ARCH_ARM)
                 return "arm";
+        if (c == SCMP_ARCH_S390)
+                return "s390";
+        if (c == SCMP_ARCH_S390X)
+                return "s390x";
 
         return NULL;
 }
@@ -59,6 +63,10 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
                 *ret = SCMP_ARCH_X32;
         else if (streq(n, "arm"))
                 *ret = SCMP_ARCH_ARM;
+        else if (streq(n, "s390"))
+                *ret = SCMP_ARCH_S390;
+        else if (streq(n, "s390x"))
+                *ret = SCMP_ARCH_S390X;
         else
                 return -EINVAL;
 
@@ -85,17 +93,42 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
         if (r < 0 && r != -EEXIST)
                 return r;
 
+#elif defined(__s390__) || defined(__s390x__)
+        int r;
+
+        /* Add in all possible secondary archs we are aware of that
+         * this kernel might support. */
+
+        r = seccomp_arch_add(c, SCMP_ARCH_S390);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
+        r = seccomp_arch_add(c, SCMP_ARCH_S390X);
+        if (r < 0 && r != -EEXIST)
+                return r;
+
 #endif
 
         return 0;
 
 }
 
+static bool is_basic_seccomp_available(void) {
+        int r;
+        r = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
+        return r >= 0;
+}
+
+static bool is_seccomp_filter_available(void) {
+        int r;
+        r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+        return r < 0 && errno == EFAULT;
+}
+
 bool is_seccomp_available(void) {
-        _cleanup_free_ char* field = NULL;
         static int cached_enabled = -1;
         if (cached_enabled < 0)
-                cached_enabled = get_proc_field("/proc/self/status", "Seccomp", "\n", &field) == 0;
+                cached_enabled = is_basic_seccomp_available() && is_seccomp_filter_available();
         return cached_enabled;
 }