From 72eafe71597edfef84ec4a9822cb11e166c0c07f Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 9 Aug 2017 20:43:35 +0200 Subject: [PATCH] seccomp: rework seccomp_lock_personality() to apply filter to all archs --- src/shared/seccomp-util.c | 37 ++++++++++++++++++++++++++----------- src/test/test-seccomp.c | 1 - 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index bf2db28a82..29eb2b17d4 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -1405,19 +1405,34 @@ int seccomp_filter_set_add(Set *filter, bool add, const SyscallFilterSet *set) { } int seccomp_lock_personality(unsigned long personality) { - _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; + uint32_t arch; int r; - seccomp = seccomp_init(SCMP_ACT_ALLOW); - if (!seccomp) - return -ENOMEM; + if (personality >= PERSONALITY_INVALID) + return -EINVAL; - r = seccomp_rule_add_exact(seccomp, SCMP_ACT_ERRNO(EPERM), - SCMP_SYS(personality), - 1, - SCMP_A0(SCMP_CMP_NE, personality)); - if (r < 0) - return r; + SECCOMP_FOREACH_LOCAL_ARCH(arch) { + _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; - return seccomp_load(seccomp); + r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); + if (r < 0) + return r; + + r = seccomp_rule_add_exact( + seccomp, + SCMP_ACT_ERRNO(EPERM), + SCMP_SYS(personality), + 1, + SCMP_A0(SCMP_CMP_NE, personality)); + if (r < 0) + return r; + + r = seccomp_load(seccomp); + if (IN_SET(r, -EPERM, -EACCES)) + return r; + if (r < 0) + log_debug_errno(r, "Failed to enable personality lock for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); + } + + return 0; } diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c index 262d0b712b..0632361d45 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c @@ -48,7 +48,6 @@ # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0 #endif - static void test_seccomp_arch_to_string(void) { uint32_t a, b; const char *name;