seccomp: RestrictAddressFamilies= is not supported on i386/s390/s390x, make it a NOP
See: #5215
parent
9194199c98
commit
ad8f1479b4
@ -873,6 +873,8 @@ int seccomp_protect_sysctl(void) {
|
||||
}
|
||||
|
||||
int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
|
||||
|
||||
#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
|
||||
uint32_t arch;
|
||||
int r;
|
||||
|
||||
@ -1001,6 +1003,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
|
||||
if (r < 0)
|
||||
log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
|
||||
}
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
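Review bot: When `SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN` is 1, everything between the new `#if` and `#endif` is compiled out and `seccomp_restrict_address_families()` is reduced to `return 0;`, so a caller cannot tell "filter installed" from "nothing was done", and nothing is logged. For a sandboxing option this fails open silently: a unit that sets RestrictAddressFamilies= keeps access to every address family. I would add an `#else` branch before the `#endif` with `log_debug("RestrictAddressFamilies= is not supported on this architecture, skipping.");` so the gap at least shows up in debug logs. Whether callers report this themselves is not visible here, and the function body between the two hunks is outside the view.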
@ -76,6 +76,14 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist);
|
||||
int seccomp_restrict_realtime(void);
|
||||
int seccomp_memory_deny_write_execute(void);
|
||||
|
||||
#if defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__) || defined (__mips__)
|
||||
/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, and we can't restrict it hence via
|
||||
* seccomp */
|
||||
#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
|
||||
#else
|
||||
#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
|
||||
#endif
|
||||
|
||||
extern const uint32_t seccomp_local_archs[];
|
||||
|
||||
#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
|
||||
|
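Review bot: The `#if` list covers more than the commit title names: besides i386/s390/s390x it also turns the restriction into a no-op on `__powerpc64__`, `__powerpc__` and `__mips__`. The comment explains the socketcall() cause but not the consequence for users. I would extend it to state the effect, for example `/* ... hence RestrictAddressFamilies= is a no-op on these archs and provides no address family confinement */`, and name the extra architectures in the commit message. Minor style point: `defined (__mips__)` has a space that the other `defined(...)` terms do not.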
@ -283,8 +283,14 @@ static void test_restrict_address_families(void) {
|
||||
assert_se(fd >= 0);
|
||||
safe_close(fd);
|
||||
|
||||
#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
|
||||
fd = socket(AF_UNIX, SOCK_DGRAM, 0);
|
||||
assert_se(fd >= 0);
|
||||
safe_close(fd);
|
||||
#else
|
||||
assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
|
||||
assert_se(errno == EAFNOSUPPORT);
|
||||
#endif
|
||||
|
||||
fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
|
||||
assert_se(fd >= 0);
|
||||
@ -300,11 +306,21 @@ static void test_restrict_address_families(void) {
|
||||
assert_se(fd >= 0);
|
||||
safe_close(fd);
|
||||
|
||||
#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
|
||||
fd = socket(AF_UNIX, SOCK_DGRAM, 0);
|
||||
assert_se(fd >= 0);
|
||||
safe_close(fd);
|
||||
|
||||
fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
|
||||
assert_se(fd >= 0);
|
||||
safe_close(fd);
|
||||
#else
|
||||
assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
|
||||
assert_se(errno == EAFNOSUPPORT);
|
||||
|
||||
assert_se(socket(AF_NETLINK, SOCK_DGRAM, 0) < 0);
|
||||
assert_se(errno == EAFNOSUPPORT);
|
||||
#endif
|
||||
|
||||
_exit(EXIT_SUCCESS);
|
||||
}
|
||||
|
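Review bot: In both `#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN` branches (this hunk and the one at -283) the test asserts that the sockets the filter was meant to block open successfully. On these architectures the test therefore passes without exercising any restriction, and without saying so. A line such as `log_notice("RestrictAddressFamilies= is a no-op on this architecture, only checking that sockets still work");` in the first branch would keep a green run from being read as proof that the sandbox works. The start of `test_restrict_address_families()` is outside the hunks, so an earlier skip message may already exist.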