seccomp: add mmap/shmat defines for ppc64

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 5a6c15d..0d57e63 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1212,6 +1212,16 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
         return r;
 }
 
+/* For known architectures, check that syscalls are indeed defined or not. */
+#if defined(__x86_64__)
+assert_cc(SCMP_SYS(shmget) > 0);
+assert_cc(SCMP_SYS(shmat) > 0);
+assert_cc(SCMP_SYS(shmdt) > 0);
+#elif defined(__i386__) || defined(__powerpc64__)
+assert_cc(SCMP_SYS(shmget) < 0);
+assert_cc(SCMP_SYS(shmat) < 0);
+assert_cc(SCMP_SYS(shmdt) < 0);
+#endif
 
 int seccomp_memory_deny_write_execute(void) {
 
@@ -1229,10 +1239,16 @@ int seccomp_memory_deny_write_execute(void) {
                 case SCMP_ARCH_X86:
                         filter_syscall = SCMP_SYS(mmap2);
                         block_syscall = SCMP_SYS(mmap);
+                        break;
+
+                case SCMP_ARCH_PPC64:
+                case SCMP_ARCH_PPC64LE:
+                        filter_syscall = SCMP_SYS(mmap);
+
+                        /* Note that shmat() isn't available, and the call is multiplexed through ipc().
+                         * We ignore that here, which means there's still a way to get writable/executable
+                         * memory, if an IPC key is mapped like this. That's a pity, but no total loss. */
 
-                        /* Note that shmat() isn't available on i386, where the call is multiplexed through ipc(). We
-                         * ignore that here, which means there's still a way to get writable/executable memory, if an
-                         * IPC key is mapped like this on i386. That's a pity, but no total loss. */
                         break;
 
                 case SCMP_ARCH_X86_64:
@@ -1243,7 +1259,7 @@ int seccomp_memory_deny_write_execute(void) {
 
                 /* Please add more definitions here, if you port systemd to other architectures! */
 
-#if !defined(__i386__) && !defined(__x86_64__)
+#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc64__)
 #warning "Consider adding the right mmap() syscall definitions here!"
 #endif
                 }

diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 0efb712..62deb05 100644 (file)
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -398,7 +398,7 @@ static void test_memory_deny_write_execute_mmap(void) {
                 assert_se(seccomp_memory_deny_write_execute() >= 0);
 
                 p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
-#if defined(__x86_64__) || defined(__i386__)
+#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__)
                 assert_se(p == MAP_FAILED);
                 assert_se(errno == EPERM);
 #else /* unknown architectures */
@@ -448,7 +448,7 @@ static void test_memory_deny_write_execute_shmat(void) {
 #if defined(__x86_64__)
                 assert_se(p == MAP_FAILED);
                 assert_se(errno == EPERM);
-#else /* __i386__ and "unknown" architectures */
+#else /* __i386__, __powerpc64__, and "unknown" architectures */
                 assert_se(p != MAP_FAILED);
                 assert_se(shmdt(p) == 0);
 #endif