From 1b52793d5d597e62c8e35009baca165f1408687e Mon Sep 17 00:00:00 2001 From: Evgeny Vereshchagin Date: Sun, 5 Feb 2017 19:58:19 +0300 Subject: [PATCH] seccomp: don't ever try to add an ABI before removing the default native ABI (#5230) https://github.com/systemd/systemd/issues/5215#issuecomment-277156262 libseccomp does not allow you to add architectures to a filter that doesn't match the byte ordering of the architectures already added to the filter (it would be a mess, not to mention largely pointless) and since systemd attempts to add an ABI before removing the default native ABI, you will always fail on Power (either due to ppc or ppc64le). The fix is to remove the native ABI before adding a new ABI so you don't run into problems with byte ordering. You would likely see the same failure on a MIPS system. Thanks @pcmoore! --- src/shared/seccomp-util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 2c73cb8fa43..bd9c0aac604 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -171,11 +171,11 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_ if (arch != SCMP_ARCH_NATIVE && arch != seccomp_arch_native()) { - r = seccomp_arch_add(seccomp, arch); + r = seccomp_arch_remove(seccomp, seccomp_arch_native()); if (r < 0) goto finish; - r = seccomp_arch_remove(seccomp, seccomp_arch_native()); + r = seccomp_arch_add(seccomp, arch); if (r < 0) goto finish;