From da1921a5c396547261c8c7fcd94173346eb3b718 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Tue, 9 May 2017 18:57:10 -0400
Subject: [PATCH] seccomp: enable RestrictAddressFamilies on ppc64, autodetect SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We expect that if socket() syscall is available, seccomp works for that architecture. So instead of explicitly listing all architectures where we know it is not available, just assume it is broken if the number is not defined. This should have the same effect, except that other architectures where it is also broken will pass tests without further changes. (Architectures where the filter should work, but does not work because of missing entries in seccomp-util.c, will still fail.) i386, s390, s390x are the exception — setting the filter fails, even though socket() is available, so it needs to be special-cased (https://github.com/systemd/systemd/issues/5215#issuecomment-277241488). This remove the last define in seccomp-util.h that was only used in test-seccomp.c. Porting the seccomp filter to new architectures should be simpler because now only two places need to be modified. RestrictAddressFamilies seems to work on ppc64[bl]e, so enable it (the tests pass).
---
 src/shared/seccomp-util.c | 6 +++---
 src/shared/seccomp-util.h | 8 --------
 src/test/test-seccomp.c | 9 +++++++++
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 64f57799b7..36843d4bf5 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -940,16 +940,16 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
         case SCMP_ARCH_X32:
         case SCMP_ARCH_ARM:
         case SCMP_ARCH_AARCH64:
+        case SCMP_ARCH_PPC64:
+        case SCMP_ARCH_PPC64LE:
                 /* These we know we support (i.e. are the ones that do not use socketcall()) */
                 supported = true;
                 break;
 
-        case SCMP_ARCH_X86:
         case SCMP_ARCH_S390:
         case SCMP_ARCH_S390X:
         case SCMP_ARCH_PPC:
-        case SCMP_ARCH_PPC64:
-        case SCMP_ARCH_PPC64LE:
+        case SCMP_ARCH_X86:
         default:
                 /* These we either know we don't support (i.e. are the ones that do use socketcall()), or we
                  * don't know */
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 2563fcd38a..4438e87fa6 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -76,14 +76,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist);
 int seccomp_restrict_realtime(void);
 int seccomp_memory_deny_write_execute(void);
 
-#if defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__) || defined (__mips__)
-/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, and we can't restrict it hence via
- * seccomp */
-#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
-#else
-#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
-#endif
-
 extern const uint32_t seccomp_local_archs[];
 
 #define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 09b5814b2e..efd145e063 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
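Review bot: Folding `SCMP_ARCH_PPC`, the two `SCMP_ARCH_S390*` cases and `SCMP_ARCH_X86` into the `default:` arm leaves the list that decides `supported` as a hand-maintained duplicate of the condition `SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN` now encodes in test-seccomp.c, with nothing tying the two together. A comment on the `supported = true` group, `/* Keep in sync with SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN in test-seccomp.c */`, would make that coupling visible to whoever ports the next architecture, since the commit message relies on exactly these two places staying consistent. The code that consumes `supported` lies outside the hunk; if an unsupported arch is skipped without a log line, RestrictAddressFamilies= becomes a silent no-op there, which deserves at least a debug-level message so an operator can tell the restriction is not in effect. seccomp_restrict_address_families starts and ends outside the hunk.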
@@ -39,6 +39,15 @@
 #include "util.h"
 #include "virt.h"
 
+#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+/* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
+ * and we can't restrict it hence via seccomp. */
+# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+#else
+# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
+#endif
+
+
 static void test_seccomp_arch_to_string(void) {
         uint32_t a, b;
         const char *name;
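Review bot: The comment above the new `#if` still names socketcall() multiplexing as the only reason, but the condition now has two distinct legs: `SCMP_SYS(socket) < 0` autodetects an architecture with no native socket() number, while the explicit `__i386__`/`__s390x__`/`__s390__` cases cover archs where socket() exists yet installing the filter fails, per the issue cited in the commit message. Rewording it to `/* Either socket() is not a syscall of its own here (only reachable via socketcall()), or, on i386/s390/s390x, the filter cannot be installed even though socket() exists; see issue #5215. */` would stop the next reader from dropping the explicit cases as redundant. The `SCMP_SYS(socket) < 0` test presumably relies on libseccomp's header substituting a negative pseudo-number for syscalls the architecture lacks, and on that header being included before this point; neither is visible in the hunk, so worth confirming. The two blank lines left after `#endif` are one more than the surrounding file uses between top-level items.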