From ae9d60ce4eb116eefb7c4102074ae1cc13fd3216 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 8 Feb 2017 16:21:11 +0100 Subject: seccomp: on s390 the clone() parameters are reversed Add a bit of code that tries to get the right parameter order in place for some of the better known architectures, and skips restrict_namespaces for other archs. This also bypasses the test on archs where we don't know the right order. In this case I didn't bother with testing the case where no filter is applied, since that is hopefully just an issue for now, as there's nothing stopping us from supporting more archs, we just need to know which order is right. Fixes: #5241 --- man/systemd.exec.xml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'man') diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index fd47b0a20a..e7e5d6b0c7 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1554,11 +1554,10 @@ setns2 system calls, taking the specified flags parameters into account. Note that — if this option is used — in addition to restricting creation and switching of the specified types of namespaces (or all of them, if true) access to the - setns() system call with a zero flags parameter is prohibited. - If running in user mode, or in system mode, but without the CAP_SYS_ADMIN - capability (e.g. setting User=), NoNewPrivileges=yes - is implied. - + setns() system call with a zero flags parameter is prohibited. This setting is only + supported on x86, x86-64, s390 and s390x, and enforces no restrictions on other architectures. If running in user + mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting + User=), NoNewPrivileges=yes is implied. -- cgit v1.2.3-54-g00ecf