mirror of
https://github.com/systemd/systemd
synced 2024-10-15 20:45:09 +00:00
shared/seccomp-util: address family filtering is broken on ppc
This reverts the gist ofda1921a5c3
and0d9fca76bb
(for ppc). Quoting #17559: > libseccomp 2.5 added socket syscall multiplexing on ppc64(el): > https://github.com/seccomp/libseccomp/pull/229 > > Like with i386, s390 and s390x this breaks socket argument filtering, so > RestrictAddressFamilies doesn't work. > > This causes the unit test to fail: > /* test_restrict_address_families */ > Operating on architecture: ppc > Failed to install socket family rules for architecture ppc, skipping: Operation canceled > Operating on architecture: ppc64 > Failed to add socket() rule for architecture ppc64, skipping: Invalid argument > Operating on architecture: ppc64-le > Failed to add socket() rule for architecture ppc64-le, skipping: Invalid argument > Assertion 'fd < 0' failed at src/test/test-seccomp.c:424, function test_restrict_address_families(). Aborting. > > The socket filters can't be added so `socket(AF_UNIX, SOCK_DGRAM, 0);` still > works, triggering the assertion. Fixes #17559.
This commit is contained in:
parent
ebc815cd1c
commit
d5923e38bc
|
@ -1394,9 +1394,6 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
||||||
case SCMP_ARCH_X32:
|
case SCMP_ARCH_X32:
|
||||||
case SCMP_ARCH_ARM:
|
case SCMP_ARCH_ARM:
|
||||||
case SCMP_ARCH_AARCH64:
|
case SCMP_ARCH_AARCH64:
|
||||||
case SCMP_ARCH_PPC:
|
|
||||||
case SCMP_ARCH_PPC64:
|
|
||||||
case SCMP_ARCH_PPC64LE:
|
|
||||||
case SCMP_ARCH_MIPSEL64N32:
|
case SCMP_ARCH_MIPSEL64N32:
|
||||||
case SCMP_ARCH_MIPS64N32:
|
case SCMP_ARCH_MIPS64N32:
|
||||||
case SCMP_ARCH_MIPSEL64:
|
case SCMP_ARCH_MIPSEL64:
|
||||||
|
@ -1413,6 +1410,9 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
|
||||||
case SCMP_ARCH_X86:
|
case SCMP_ARCH_X86:
|
||||||
case SCMP_ARCH_MIPSEL:
|
case SCMP_ARCH_MIPSEL:
|
||||||
case SCMP_ARCH_MIPS:
|
case SCMP_ARCH_MIPS:
|
||||||
|
case SCMP_ARCH_PPC:
|
||||||
|
case SCMP_ARCH_PPC64:
|
||||||
|
case SCMP_ARCH_PPC64LE:
|
||||||
default:
|
default:
|
||||||
/* These we either know we don't support (i.e. are the ones that do use socketcall()), or we
|
/* These we either know we don't support (i.e. are the ones that do use socketcall()), or we
|
||||||
* don't know */
|
* don't know */
|
||||||
|
|
|
@ -33,7 +33,7 @@
|
||||||
#include "virt.h"
|
#include "virt.h"
|
||||||
|
|
||||||
/* __NR_socket may be invalid due to libseccomp */
|
/* __NR_socket may be invalid due to libseccomp */
|
||||||
#if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
|
#if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__)
|
||||||
/* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
|
/* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
|
||||||
* and we can't restrict it hence via seccomp. */
|
* and we can't restrict it hence via seccomp. */
|
||||||
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
|
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
|
||||||
|
|
Loading…
Reference in a new issue