-rw-r--r--src/shared/seccomp-util.c36
-rw-r--r--src/shared/seccomp-util.h7
-rw-r--r--src/test/test-seccomp.c3
3 files changed, 2 insertions, 44 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index d12098e15e..64f57799b7 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -792,43 +792,10 @@ int seccomp_restrict_namespaces(unsigned long retain) {
SECCOMP_FOREACH_LOCAL_ARCH(arch) {
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
- int clone_reversed_order = -1;
unsigned i;
log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
- switch (arch) {
-
- case SCMP_ARCH_X86_64:
- case SCMP_ARCH_X86:
- case SCMP_ARCH_X32:
- case SCMP_ARCH_PPC64:
- case SCMP_ARCH_PPC64LE:
- case SCMP_ARCH_MIPS:
- case SCMP_ARCH_MIPSEL:
- case SCMP_ARCH_MIPS64:
- case SCMP_ARCH_MIPSEL64:
- case SCMP_ARCH_MIPS64N32:
- case SCMP_ARCH_MIPSEL64N32:
- clone_reversed_order = 0;
- break;
-
- case SCMP_ARCH_S390:
- case SCMP_ARCH_S390X:
- /* On s390/s390x the first two parameters to clone are switched */
- clone_reversed_order = 1;
- break;
-
- /* Please add more definitions here, if you port systemd to other architectures! */
-
-#if SECCOMP_RESTRICT_NAMESPACES_BROKEN
-# warning "Consider adding the right clone() syscall definitions here!"
-#endif
- }
-
- if (clone_reversed_order < 0) /* we don't know the right order, let's ignore this arch... */
- continue;
-
r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
if (r < 0)
return r;
@@ -877,7 +844,8 @@ int seccomp_restrict_namespaces(unsigned long retain) {
break;
}
- if (clone_reversed_order == 0)
+ /* On s390/s390x the first two parameters to clone are switched */
+ if (!IN_SET(arch, SCMP_ARCH_S390, SCMP_ARCH_S390X))
r = seccomp_rule_add_exact(
seccomp,
SCMP_ACT_ERRNO(EPERM),
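Review bot: The new condition at `if (!IN_SET(arch, SCMP_ARCH_S390, SCMP_ARCH_S390X))` assumes every architecture other than s390/s390x passes the flags as clone()'s first argument, whereas the removed `clone_reversed_order < 0` skip in the previous hunk left an unknown architecture unfiltered rather than filtered on a guessed argument index. If a future port places the flags elsewhere, the rule would likely inspect the wrong argument and could either reject legitimate clone() calls or leave the namespace restriction ineffective, and the `#warning` that used to flag unhandled architectures at build time is gone as well, so nothing would surface the mismatch. The comment added above the condition describes the s390 case but sits over the non-s390 branch; it should state the assumption the code now makes, e.g. `/* clone()'s flags are its first argument on every arch we handle except s390/s390x, where the first two arguments are swapped */`. The body of seccomp_restrict_namespaces(), including the s390 branch this `if` pairs with, lies outside the hunk.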
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 7eeab29c3b..2563fcd38a 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -84,13 +84,6 @@ int seccomp_memory_deny_write_execute(void);
#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
#endif
-/* we don't know the right order of the clone() parameters except for these archs, for now */
-#if defined(__x86_64__) || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__mips__)
-#define SECCOMP_RESTRICT_NAMESPACES_BROKEN 0
-#else
-#define SECCOMP_RESTRICT_NAMESPACES_BROKEN 1
-#endif
-
extern const uint32_t seccomp_local_archs[];
#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index ce7a570a5a..09b5814b2e 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -160,8 +160,6 @@ static void test_restrict_namespace(void) {
assert_se(streq(s, "cgroup ipc net mnt pid user uts"));
assert_se(namespace_flag_from_string_many(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
-#if SECCOMP_RESTRICT_NAMESPACES_BROKEN == 0
-
if (!is_seccomp_available())
return;
if (geteuid() != 0)
@@ -220,7 +218,6 @@ static void test_restrict_namespace(void) {
}
assert_se(wait_for_terminate_and_warn("nsseccomp", pid, true) == EXIT_SUCCESS);
-#endif
}
static void test_protect_sysctl(void) {