Partially revert "seccomp: add mmap and address family restrictions for MIPS" (#8563)

This reverts the mmap parts of f5aeac1439d64905c7b1b57042c39589dd31e3a6, but keeps the part which restricts address families which works correctly. Unfortunately the MIPS toolchains still do not implement PT_GNU_STACK. This means that while the commit to restrict mmap on MIPS was "correct", it had the side effect of causing pthread_create to fail because glibc tries to allocate an executable stack for new threads in the absense of PT_GNU_STACK. We should wait until PT_GNU_STACK is implemented in all the relevant parts of the toolchain (at least gcc and glibc) before enabling this again.
2025-03-24 14:50:17 +03:00 · 2018-03-23 15:04:16 +00:00 · 2018-03-23 15:04:16 +00:00 · 303d6b4ca6
commit 303d6b4ca6
parent 19496554e2
1 changed files with 4 additions and 10 deletions
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -1427,11 +1427,11 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
 }

 /* For known architectures, check that syscalls are indeed defined or not. */
-#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || (defined(__mips__) && defined(__mips64))
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
 assert_cc(SCMP_SYS(shmget) > 0);
 assert_cc(SCMP_SYS(shmat) > 0);
 assert_cc(SCMP_SYS(shmdt) > 0);
-#elif defined(__i386__) || defined(__powerpc64__) || (defined(__mips__) && !defined(__mips64))
+#elif defined(__i386__) || defined(__powerpc64__)
 assert_cc(SCMP_SYS(shmget) < 0);
 assert_cc(SCMP_SYS(shmat) < 0);
 assert_cc(SCMP_SYS(shmdt) < 0);
@ -1451,8 +1451,6 @@ int seccomp_memory_deny_write_execute(void) {
                switch (arch) {

                case SCMP_ARCH_X86:
-                case SCMP_ARCH_MIPSEL:
-                case SCMP_ARCH_MIPS:
                        filter_syscall = SCMP_SYS(mmap2);
                        block_syscall = SCMP_SYS(mmap);
                        break;
@ -1476,17 +1474,13 @@ int seccomp_memory_deny_write_execute(void) {
                case SCMP_ARCH_X86_64:
                case SCMP_ARCH_X32:
                case SCMP_ARCH_AARCH64:
-                case SCMP_ARCH_MIPSEL64N32:
-                case SCMP_ARCH_MIPS64N32:
-                case SCMP_ARCH_MIPSEL64:
-                case SCMP_ARCH_MIPS64:
-                        filter_syscall = SCMP_SYS(mmap); /* amd64, x32, arm64 and mips64 have only mmap */
+                        filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */
                        shmat_syscall = SCMP_SYS(shmat);
                        break;

                /* Please add more definitions here, if you port systemd to other architectures! */

-#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__mips__)
+#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__)
 #warning "Consider adding the right mmap() syscall definitions here!"
 #endif
                }