core: enforce seccomp for secondary archs too, for all rules
authorLennart Poettering <lennart@poettering.net>
Mon, 22 Aug 2016 17:01:14 +0000 (19:01 +0200)
committerDjalal Harouni <tixxdz@opendz.org>
Sun, 25 Sep 2016 08:18:44 +0000 (10:18 +0200)
Let's make sure that all our rules apply to all archs the local kernel
supports.

src/core/execute.c

index 2026137..ee734e8 100644 (file)
@@ -1273,6 +1273,10 @@ static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c)
         if (!seccomp)
                 return -ENOMEM;
 
+        r = seccomp_add_secondary_archs(seccomp);
+        if (r < 0)
+                goto finish;
+
         r = seccomp_rule_add(
                         seccomp,
                         SCMP_ACT_ERRNO(EPERM),
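Review bot: The added `seccomp_add_secondary_archs(seccomp)` call has to stay ahead of the `seccomp_rule_add()` that follows it, and nothing in the code records that constraint. As far as libseccomp documents it, an architecture added to a filter only receives rules added afterwards, so a later reordering would silently leave the secondary ABIs without the rule. A short comment above the call would protect this, e.g. `/* Add secondary archs before any rule, so that each rule is installed for every ABI the kernel accepts */`. The rule is cut off at the end of the hunk, so its argument filters are not visible; if it matches on syscall arguments, confirm that they sit in the same position on each secondary ABI. The same comment applies to the identical insertion in the second hunk, in apply_restrict_realtime(); both function bodies and the `finish` label lie outside the hunks.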
@@ -1322,6 +1326,10 @@ static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
         if (!seccomp)
                 return -ENOMEM;
 
+        r = seccomp_add_secondary_archs(seccomp);
+        if (r < 0)
+                goto finish;
+
         /* Determine the highest policy constant we want to allow */
         for (i = 0; i < ELEMENTSOF(permitted_policies); i++)
                 if (permitted_policies[i] > max_policy)