1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00

seccomp: RestrictAddressFamilies= is not supported on i386/s390/s390x, make it a NOP

See: #5215
This commit is contained in:
Lennart Poettering 2017-02-03 18:31:05 +01:00
parent 9194199c98
commit ad8f1479b4
3 changed files with 27 additions and 0 deletions

View File

@ -873,6 +873,8 @@ int seccomp_protect_sysctl(void) {
}
int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
uint32_t arch;
int r;
@ -1001,6 +1003,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
if (r < 0)
log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
#endif
return 0;
}

View File

@ -76,6 +76,14 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist);
int seccomp_restrict_realtime(void);
int seccomp_memory_deny_write_execute(void);
#if defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__) || defined (__mips__)
/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, and we can't restrict it hence via
* seccomp */
#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
#else
#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
#endif
extern const uint32_t seccomp_local_archs[];
#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \

View File

@ -283,8 +283,14 @@ static void test_restrict_address_families(void) {
assert_se(fd >= 0);
safe_close(fd);
#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
fd = socket(AF_UNIX, SOCK_DGRAM, 0);
assert_se(fd >= 0);
safe_close(fd);
#else
assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
assert_se(errno == EAFNOSUPPORT);
#endif
fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
assert_se(fd >= 0);
@ -300,11 +306,21 @@ static void test_restrict_address_families(void) {
assert_se(fd >= 0);
safe_close(fd);
#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
fd = socket(AF_UNIX, SOCK_DGRAM, 0);
assert_se(fd >= 0);
safe_close(fd);
fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
assert_se(fd >= 0);
safe_close(fd);
#else
assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
assert_se(errno == EAFNOSUPPORT);
assert_se(socket(AF_NETLINK, SOCK_DGRAM, 0) < 0);
assert_se(errno == EAFNOSUPPORT);
#endif
_exit(EXIT_SUCCESS);
}