seccomp: assume clone() arg order is known on all architectures
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Fri, 5 May 2017 03:10:30 +0000 (23:10 -0400)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Mon, 8 May 2017 00:01:04 +0000 (20:01 -0400)
While adding the defines for arm, I realized that we have pretty much all
known architectures covered, so SECCOMP_RESTRICT_NAMESPACES_BROKEN is not
necessary anymore. clone(2) is adamant that the order of the first two
arguments is only reversed on s390/s390x. So let's simplify things and remove
the #if.

src/shared/seccomp-util.c
src/shared/seccomp-util.h
src/test/test-seccomp.c

index d12098e..64f5779 100644 (file)
@@ -792,43 +792,10 @@ int seccomp_restrict_namespaces(unsigned long retain) {
 
         SECCOMP_FOREACH_LOCAL_ARCH(arch) {
                 _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
-                int clone_reversed_order = -1;
                 unsigned i;
 
                 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
 
-                switch (arch) {
-
-                case SCMP_ARCH_X86_64:
-                case SCMP_ARCH_X86:
-                case SCMP_ARCH_X32:
-                case SCMP_ARCH_PPC64:
-                case SCMP_ARCH_PPC64LE:
-                case SCMP_ARCH_MIPS:
-                case SCMP_ARCH_MIPSEL:
-                case SCMP_ARCH_MIPS64:
-                case SCMP_ARCH_MIPSEL64:
-                case SCMP_ARCH_MIPS64N32:
-                case SCMP_ARCH_MIPSEL64N32:
-                        clone_reversed_order = 0;
-                        break;
-
-                case SCMP_ARCH_S390:
-                case SCMP_ARCH_S390X:
-                        /* On s390/s390x the first two parameters to clone are switched */
-                        clone_reversed_order = 1;
-                        break;
-
-                /* Please add more definitions here, if you port systemd to other architectures! */
-
-#if SECCOMP_RESTRICT_NAMESPACES_BROKEN
-#  warning "Consider adding the right clone() syscall definitions here!"
-#endif
-                }
-
-                if (clone_reversed_order < 0) /* we don't know the right order, let's ignore this arch... */
-                        continue;
-
                 r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
                 if (r < 0)
                         return r;
@@ -877,7 +844,8 @@ int seccomp_restrict_namespaces(unsigned long retain) {
                                 break;
                         }
 
-                        if (clone_reversed_order == 0)
+                        /* On s390/s390x the first two parameters to clone are switched */
+                        if (!IN_SET(arch, SCMP_ARCH_S390, SCMP_ARCH_S390X))
                                 r = seccomp_rule_add_exact(
                                                 seccomp,
                                                 SCMP_ACT_ERRNO(EPERM),
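Review bot: The comment added above `if (!IN_SET(arch, SCMP_ARCH_S390, SCMP_ARCH_S390X))` describes the else branch rather than the branch it sits on, and it does not record that every other architecture is now assumed to take the clone() flags as its first argument. With the per-arch switch removed in the first hunk, an architecture with a different layout is no longer skipped. It would presumably get a rule that matches the namespace flags against the wrong argument, so the restriction would silently not hold there. I would state the assumption where it is relied on, e.g. `/* clone() takes the flags as its first argument everywhere except s390/s390x, where the first two arguments are swapped; re-check when adding an arch to seccomp_local_archs[] */`. The `seccomp_rule_add_exact()` call and the rest of `seccomp_restrict_namespaces()` continue outside the hunk, so the shape of the else branch is inferred from the removed `clone_reversed_order` logic.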
index 7eeab29..2563fcd 100644 (file)
@@ -84,13 +84,6 @@ int seccomp_memory_deny_write_execute(void);
 #define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
 #endif
 
-/* we don't know the right order of the clone() parameters except for these archs, for now */
-#if defined(__x86_64__) || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__mips__)
-#define SECCOMP_RESTRICT_NAMESPACES_BROKEN 0
-#else
-#define SECCOMP_RESTRICT_NAMESPACES_BROKEN 1
-#endif
-
 extern const uint32_t seccomp_local_archs[];
 
 #define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
index ce7a570..09b5814 100644 (file)
@@ -160,8 +160,6 @@ static void test_restrict_namespace(void) {
         assert_se(streq(s, "cgroup ipc net mnt pid user uts"));
         assert_se(namespace_flag_from_string_many(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
 
-#if SECCOMP_RESTRICT_NAMESPACES_BROKEN == 0
-
         if (!is_seccomp_available())
                 return;
         if (geteuid() != 0)
@@ -220,7 +218,6 @@ static void test_restrict_namespace(void) {
         }
 
         assert_se(wait_for_terminate_and_warn("nsseccomp", pid, true) == EXIT_SUCCESS);
-#endif
 }
 
 static void test_protect_sysctl(void) {