author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2017-05-09 18:57:10 -0400 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2017-05-10 09:21:16 -0400 |
commit | da1921a5c396547261c8c7fcd94173346eb3b718 (patch) | |
tree | 16375383285134a8b01c4f16481dc1a30666fd1a /src/shared/seccomp-util.h | |
parent | 9631518895aa8f1c8fe2dc5d48e778c66f392fc1 (diff) | |
download | systemd-da1921a5c396547261c8c7fcd94173346eb3b718.tar.gz |
seccomp: enable RestrictAddressFamilies on ppc64, autodetect SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
We expect that if socket() syscall is available, seccomp works for that
architecture. So instead of explicitly listing all architectures where we know
it is not available, just assume it is broken if the number is not defined.
This should have the same effect, except that other architectures where it is
also broken will pass tests without further changes. (Architectures where the
filter should work, but does not work because of missing entries in
seccomp-util.c, will still fail.)
i386, s390, s390x are the exception — setting the filter fails, even though
socket() is available, so it needs to be special-cased
(https://github.com/systemd/systemd/issues/5215#issuecomment-277241488).
This removes the last define in seccomp-util.h that was only used in test-seccomp.c. Porting
the seccomp filter to new architectures should be simpler because now only two places need
to be modified.
RestrictAddressFamilies seems to work on ppc64[bl]e, so enable it (the tests pass).
Diffstat (limited to 'src/shared/seccomp-util.h')
-rw-r--r-- | src/shared/seccomp-util.h | 8 |
1 files changed, 0 insertions, 8 deletions
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index 2563fcd38a..4438e87fa6 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -76,14 +76,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist); int seccomp_restrict_realtime(void); int seccomp_memory_deny_write_execute(void); -#if defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__) || defined (__mips__) -/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, and we can't restrict it hence via - * seccomp */ -#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1 -#else -#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0 -#endif - extern const uint32_t seccomp_local_archs[]; #define SECCOMP_FOREACH_LOCAL_ARCH(arch) \ |
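Review bot: the comment deleted together with `#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1` was the only explanation in this header of why the address-family filter cannot work where socket() goes through the socketcall() multiplexer, and nothing replaces it here. The commit message says i386, s390 and s390x still need special-casing, so that rationale should travel with the special case as a comment at its new location, which this file-limited view does not show. The removed `#if` also listed `__powerpc__` and `__mips__`, while the message only reports tests passing on ppc64[bl]e; please state in the message whether 32-bit powerpc and mips are expected to be caught by the "number is not defined" autodetection, since no line in this header names them any longer.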