diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c index e3ade92371..60a59096fb 100644 --- a/src/nspawn/nspawn-oci.c +++ b/src/nspawn/nspawn-oci.c @@ -1695,6 +1695,9 @@ static int oci_seccomp_arch_from_string(const char *name, uint32_t *ret) { { "SCMP_ARCH_PPC", SCMP_ARCH_PPC }, { "SCMP_ARCH_PPC64", SCMP_ARCH_PPC64 }, { "SCMP_ARCH_PPC64LE", SCMP_ARCH_PPC64LE }, +#ifdef SCMP_ARCH_RISCV64 + { "SCMP_ARCH_RISCV64", SCMP_ARCH_RISCV64 }, +#endif { "SCMP_ARCH_S390", SCMP_ARCH_S390 }, { "SCMP_ARCH_S390X", SCMP_ARCH_S390X }, { "SCMP_ARCH_X32", SCMP_ARCH_X32 }, diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 4dee044810..2b5ec593a1 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -85,6 +85,8 @@ const uint32_t seccomp_local_archs[] = { SCMP_ARCH_PPC64LE, /* native */ #elif defined(__powerpc__) SCMP_ARCH_PPC, +#elif defined(__riscv) && __riscv_xlen == 64 && defined(SCMP_ARCH_RISCV64) + SCMP_ARCH_RISCV64, #elif defined(__s390x__) SCMP_ARCH_S390, SCMP_ARCH_S390X, /* native */ @@ -131,6 +133,10 @@ const char* seccomp_arch_to_string(uint32_t c) { return "ppc64"; case SCMP_ARCH_PPC64LE: return "ppc64-le"; +#ifdef SCMP_ARCH_RISCV64 + case SCMP_ARCH_RISCV64: + return "riscv64"; +#endif case SCMP_ARCH_S390: return "s390"; case SCMP_ARCH_S390X: @@ -176,6 +182,10 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) { *ret = SCMP_ARCH_PPC64; else if (streq(n, "ppc64-le")) *ret = SCMP_ARCH_PPC64LE; +#ifdef SCMP_ARCH_RISCV64 + else if (streq(n, "riscv64")) + *ret = SCMP_ARCH_RISCV64; +#endif else if (streq(n, "s390")) *ret = SCMP_ARCH_S390; else if (streq(n, "s390x")) @@ -1248,7 +1258,13 @@ int seccomp_protect_sysctl(void) { log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); - if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64)) + if (IN_SET(arch, + SCMP_ARCH_AARCH64, +#ifdef SCMP_ARCH_RISCV64 + SCMP_ARCH_RISCV64, +#endif + SCMP_ARCH_X32 + )) /* No _sysctl syscall */ continue; @@ -1332,6 +1348,9 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) { case SCMP_ARCH_MIPS64N32: case SCMP_ARCH_MIPSEL64: case SCMP_ARCH_MIPS64: +#ifdef SCMP_ARCH_RISCV64 + case SCMP_ARCH_RISCV64: +#endif /* These we know we support (i.e. are the ones that do not use socketcall()) */ supported = true; break; @@ -1569,7 +1588,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp, } /* For known architectures, check that syscalls are indeed defined or not. */ -#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) +#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || (defined(__riscv) && __riscv_xlen == 64) assert_cc(SCMP_SYS(shmget) > 0); assert_cc(SCMP_SYS(shmat) > 0); assert_cc(SCMP_SYS(shmdt) > 0); @@ -1614,13 +1633,16 @@ int seccomp_memory_deny_write_execute(void) { case SCMP_ARCH_X86_64: case SCMP_ARCH_X32: case SCMP_ARCH_AARCH64: - filter_syscall = SCMP_SYS(mmap); /* amd64, x32 and arm64 have only mmap */ +#ifdef SCMP_ARCH_RISCV64 + case SCMP_ARCH_RISCV64: +#endif + filter_syscall = SCMP_SYS(mmap); /* amd64, x32, arm64 and riscv64 have only mmap */ shmat_syscall = SCMP_SYS(shmat); break; /* Please add more definitions here, if you port systemd to other architectures! */ -#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__s390__) && !defined(__s390x__) +#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__s390__) && !defined(__s390x__) && !(defined(__riscv) && __riscv_xlen == 64) #warning "Consider adding the right mmap() syscall definitions here!" #endif } diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c index cebf5a1080..a39e40cf01 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c @@ -73,6 +73,9 @@ static void test_architecture_table(void) { "ppc\0" "ppc64\0" "ppc64-le\0" +#ifdef SCMP_ARCH_RISCV64 + "riscv64\0" +#endif "s390\0" "s390x\0") { uint32_t c;