shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 17:51:22 +03:00
Code

seccomp: disable RestrictAddressFamilies= for the ABI we shall block, not the one we are compiled for (#5272)

Browse Source 
It's a difference. Not a big one, but let's be correct here.
This commit is contained in:
Lennart Poettering 2017-02-12 21:25:40 +01:00 committed by Zbigniew Jędrzejewski-Szmek
parent ec7924fa21
commit 9606bc4b4b
1 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/shared/seccomp-util.c
View File

@ -948,17 +948,42 @@ int seccomp_protect_sysctl(void) {
} }
int seccomp_restrict_address_families(Set *address_families, bool whitelist) { int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
uint32_t arch; uint32_t arch;
int r; int r;
SECCOMP_FOREACH_LOCAL_ARCH(arch) { SECCOMP_FOREACH_LOCAL_ARCH(arch) {
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
bool supported;
Iterator i; Iterator i;
log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
switch (arch) {
case SCMP_ARCH_X86_64:
case SCMP_ARCH_X32:
case SCMP_ARCH_ARM:
case SCMP_ARCH_AARCH64:
/* These we know we support (i.e. are the ones that do not use socketcall()) */
supported = true;
break;
case SCMP_ARCH_X86:
case SCMP_ARCH_S390:
case SCMP_ARCH_S390X:
case SCMP_ARCH_PPC:
case SCMP_ARCH_PPC64:
case SCMP_ARCH_PPC64LE:
default:
/* These we either know we don't support (i.e. are the ones that do use socketcall()), or we
* don't know */
supported = false;
break;
}
if (!supported)
continue;
r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
if (r < 0) if (r < 0)
return r; return r;
@ -1078,7 +1103,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
if (r < 0) if (r < 0)
log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
} }
#endif
return 0; return 0;
} }