seccomp: fix multiplexed system calls

Since libseccomp 2.4.2 more architectures have shmat handled as multiplexed call. Those will fail to be added due to seccomp_rule_add_exact failing on them since they'd need to add multiple rules [1]. See the discussion at https://github.com/seccomp/libseccomp/issues/193 After discussions about the options rejected [2][3] the initial thought of a fallback to the non '_exact' version of the seccomp rule adding the next option is to handle those now affected (i386, s390, s390x) the same way as ppc which ignores and does not block shmat. [1]: https://github.com/seccomp/libseccomp/issues/193 [2]: https://github.com/systemd/systemd/pull/14167#issuecomment-559136906 [3]: https://github.com/systemd/systemd/commit/469830d1
2019-11-27 09:52:07 +01:00 · 2019-11-27 09:52:07 +01:00 · bed4668d1d
parent da4dd97405
commit bed4668d1d
1 changed files with 8 additions and 8 deletions
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -1593,22 +1593,23 @@ int seccomp_memory_deny_write_execute(void) {

                switch (arch) {

+                /* Note that on some architectures shmat() isn't available, and the call is multiplexed through ipc().
+                 * We ignore that here, which means there's still a way to get writable/executable
+                 * memory, if an IPC key is mapped like this. That's a pity, but no total loss. */
+
                case SCMP_ARCH_X86:
                case SCMP_ARCH_S390:
                        filter_syscall = SCMP_SYS(mmap2);
                        block_syscall = SCMP_SYS(mmap);
-                        shmat_syscall = SCMP_SYS(shmat);
+                        /* shmat multiplexed, see above */
                        break;

                case SCMP_ARCH_PPC:
                case SCMP_ARCH_PPC64:
                case SCMP_ARCH_PPC64LE:
+                case SCMP_ARCH_S390X:
                        filter_syscall = SCMP_SYS(mmap);
-
-                        /* Note that shmat() isn't available, and the call is multiplexed through ipc().
-                         * We ignore that here, which means there's still a way to get writable/executable
-                         * memory, if an IPC key is mapped like this. That's a pity, but no total loss. */
-
+                        /* shmat multiplexed, see above */
                        break;

                case SCMP_ARCH_ARM:
@ -1619,8 +1620,7 @@ int seccomp_memory_deny_write_execute(void) {
                case SCMP_ARCH_X86_64:
                case SCMP_ARCH_X32:
                case SCMP_ARCH_AARCH64:
-                case SCMP_ARCH_S390X:
-                        filter_syscall = SCMP_SYS(mmap); /* amd64, x32, s390x, and arm64 have only mmap */
+                        filter_syscall = SCMP_SYS(mmap); /* amd64, x32 and arm64 have only mmap */
                        shmat_syscall = SCMP_SYS(shmat);
                        break;