seccomp: add support for the s390 architecture (#4287)

Add seccomp support for the s390 architecture (31-bit and 64-bit)
to systemd.

This requires libseccomp >= 2.3.1.
hbrueckner 2016-10-05 13:58:55 +02:00 committed by Lennart Poettering
parent 41eb436265
commit 6abfd30372
4 changed files with 26 additions and 3 deletions

README

@ -120,7 +120,7 @@ REQUIREMENTS:
libcap libcap
libmount >= 2.27.1 (from util-linux) libmount >= 2.27.1 (from util-linux)
(util-linux *must* be built with --enable-libmount-force-mountinfo) (util-linux *must* be built with --enable-libmount-force-mountinfo)
libseccomp >= 1.0.0 (optional) libseccomp >= 2.3.1 (optional)
libblkid >= 2.24 (from util-linux) (optional) libblkid >= 2.24 (from util-linux) (optional)
libkmod >= 15 (optional) libkmod >= 15 (optional)
PAM >= 1.1.2 (optional) PAM >= 1.1.2 (optional)


@ -459,7 +459,7 @@ AM_CONDITIONAL(HAVE_LIBMOUNT, [test "$have_libmount" = "yes"])
have_seccomp=no have_seccomp=no
AC_ARG_ENABLE(seccomp, AS_HELP_STRING([--disable-seccomp], [Disable optional SECCOMP support])) AC_ARG_ENABLE(seccomp, AS_HELP_STRING([--disable-seccomp], [Disable optional SECCOMP support]))
if test "x$enable_seccomp" != "xno"; then if test "x$enable_seccomp" != "xno"; then
PKG_CHECK_MODULES(SECCOMP, [libseccomp >= 1.0.0], PKG_CHECK_MODULES(SECCOMP, [libseccomp >= 2.3.1],
[AC_DEFINE(HAVE_SECCOMP, 1, [Define if seccomp is available]) [AC_DEFINE(HAVE_SECCOMP, 1, [Define if seccomp is available])
have_seccomp=yes have_seccomp=yes
M4_DEFINES="$M4_DEFINES -DHAVE_SECCOMP"], M4_DEFINES="$M4_DEFINES -DHAVE_SECCOMP"],


@ -1334,7 +1334,8 @@
identifiers to include in the system call filter. The known identifiers to include in the system call filter. The known
architecture identifiers are <constant>x86</constant>, architecture identifiers are <constant>x86</constant>,
<constant>x86-64</constant>, <constant>x32</constant>, <constant>x86-64</constant>, <constant>x32</constant>,
<constant>arm</constant> as well as the special identifier <constant>arm</constant>, <constant>s390</constant>,
<constant>s390x</constant> as well as the special identifier
<constant>native</constant>. Only system calls of the <constant>native</constant>. Only system calls of the
specified architectures will be permitted to processes of this specified architectures will be permitted to processes of this
unit. This is an effective way to disable compatibility with unit. This is an effective way to disable compatibility with


@ -39,6 +39,10 @@ const char* seccomp_arch_to_string(uint32_t c) {
return "x32"; return "x32";
if (c == SCMP_ARCH_ARM) if (c == SCMP_ARCH_ARM)
return "arm"; return "arm";
if (c == SCMP_ARCH_S390)
return "s390";
if (c == SCMP_ARCH_S390X)
return "s390x";
return NULL; return NULL;
} }
@ -59,6 +63,10 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
*ret = SCMP_ARCH_X32; *ret = SCMP_ARCH_X32;
else if (streq(n, "arm")) else if (streq(n, "arm"))
*ret = SCMP_ARCH_ARM; *ret = SCMP_ARCH_ARM;
else if (streq(n, "s390"))
*ret = SCMP_ARCH_S390;
else if (streq(n, "s390x"))
*ret = SCMP_ARCH_S390X;
else else
return -EINVAL; return -EINVAL;
@ -85,6 +93,20 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
if (r < 0 && r != -EEXIST) if (r < 0 && r != -EEXIST)
return r; return r;
#elif defined(__s390__) || defined(__s390x__)
int r;
/* Add in all possible secondary archs we are aware of that
* this kernel might support. */
r = seccomp_arch_add(c, SCMP_ARCH_S390);
if (r < 0 && r != -EEXIST)
return r;
r = seccomp_arch_add(c, SCMP_ARCH_S390X);
if (r < 0 && r != -EEXIST)
return r;
#endif #endif
return 0; return 0;