diff --git a/README b/README
index fb6fd6381be..d610baaf760 100644
--- a/README
+++ b/README
@@ -120,7 +120,7 @@ REQUIREMENTS:
libcap
libmount >= 2.27.1 (from util-linux)
(util-linux *must* be built with --enable-libmount-force-mountinfo)
- libseccomp >= 1.0.0 (optional)
+ libseccomp >= 2.3.1 (optional)
libblkid >= 2.24 (from util-linux) (optional)
libkmod >= 15 (optional)
PAM >= 1.1.2 (optional)
diff --git a/configure.ac b/configure.ac
index 4181483798b..ccd212ef138 100644
--- a/configure.ac
+++ b/configure.ac
@@ -459,7 +459,7 @@ AM_CONDITIONAL(HAVE_LIBMOUNT, [test "$have_libmount" = "yes"])
have_seccomp=no
AC_ARG_ENABLE(seccomp, AS_HELP_STRING([--disable-seccomp], [Disable optional SECCOMP support]))
if test "x$enable_seccomp" != "xno"; then
- PKG_CHECK_MODULES(SECCOMP, [libseccomp >= 1.0.0],
+ PKG_CHECK_MODULES(SECCOMP, [libseccomp >= 2.3.1],
[AC_DEFINE(HAVE_SECCOMP, 1, [Define if seccomp is available])
have_seccomp=yes
M4_DEFINES="$M4_DEFINES -DHAVE_SECCOMP"],
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 2054267b909..5e6787338df 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1334,7 +1334,8 @@
identifiers to include in the system call filter. The known
architecture identifiers are x86,
x86-64, x32,
- arm as well as the special identifier
+ arm, s390,
+ s390x as well as the special identifier
native. Only system calls of the
specified architectures will be permitted to processes of this
unit. This is an effective way to disable compatibility with
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 2f42381fc1f..8116c7671f0 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -39,6 +39,10 @@ const char* seccomp_arch_to_string(uint32_t c) {
return "x32";
if (c == SCMP_ARCH_ARM)
return "arm";
+ if (c == SCMP_ARCH_S390)
+ return "s390";
+ if (c == SCMP_ARCH_S390X)
+ return "s390x";
return NULL;
}
@@ -59,6 +63,10 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
*ret = SCMP_ARCH_X32;
else if (streq(n, "arm"))
*ret = SCMP_ARCH_ARM;
+ else if (streq(n, "s390"))
+ *ret = SCMP_ARCH_S390;
+ else if (streq(n, "s390x"))
+ *ret = SCMP_ARCH_S390X;
else
return -EINVAL;
@@ -85,6 +93,20 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
if (r < 0 && r != -EEXIST)
return r;
+#elif defined(__s390__) || defined(__s390x__)
+ int r;
+
+ /* Add in all possible secondary archs we are aware of that
+ * this kernel might support. */
+
+ r = seccomp_arch_add(c, SCMP_ARCH_S390);
+ if (r < 0 && r != -EEXIST)
+ return r;
+
+ r = seccomp_arch_add(c, SCMP_ARCH_S390X);
+ if (r < 0 && r != -EEXIST)
+ return r;
+
#endif
return 0;