seccomp: RestrictAddressFamilies= is not supported on i386/s390/s390x, make it a NOP
authorLennart Poettering <lennart@poettering.net>
Fri, 3 Feb 2017 17:31:05 +0000 (18:31 +0100)
committerLennart Poettering <lennart@poettering.net>
Mon, 6 Feb 2017 13:17:12 +0000 (14:17 +0100)
See: #5215

src/shared/seccomp-util.c
src/shared/seccomp-util.h
src/test/test-seccomp.c

index bd9c0aa..609e061 100644 (file)
@@ -873,6 +873,8 @@ int seccomp_protect_sysctl(void) {
 }
 
 int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
+
+#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
         uint32_t arch;
         int r;
 
@@ -1001,6 +1003,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
                 if (r < 0)
                         log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
         }
+#endif
 
         return 0;
 }
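Review bot: On the affected architectures the function now reaches the `return 0;` at the end of this hunk without installing any filter, so callers see success while RestrictAddressFamilies= has no effect; in whitelist mode that leaves every address family reachable by the unit. It would be worth making the no-op visible, e.g. an `#else` branch before the `#endif` with `log_debug("Restricting address families is not supported on this architecture, skipping.");`, so that a unit relying on the restriction can be diagnosed from the logs. With the body compiled out, `address_families` and `whitelist` are also unused on those targets, which is presumably harmless under the project's warning flags but worth a glance. The `#if` that opens this conditional is in the previous hunk, directly after the function's opening brace.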
index 4438e87..2563fcd 100644 (file)
@@ -76,6 +76,14 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist);
 int seccomp_restrict_realtime(void);
 int seccomp_memory_deny_write_execute(void);
 
+#if defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__) || defined (__mips__)
+/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, and we can't restrict it hence via
+ * seccomp */
+#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+#else
+#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
+#endif
+
 extern const uint32_t seccomp_local_archs[];
 
 #define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
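Review bot: The architecture list in the new `#if` covers powerpc64, powerpc and mips in addition to the i386/s390/s390x named in the commit title, and the comment above the macro does not state the consequence of it being set, so a reader of the header cannot tell that seccomp_restrict_address_families() becomes a no-op that returns 0 there. Suggest rewording the comment to `/* On these archs socket() goes through the socketcall() multiplexer, which seccomp cannot filter by address family; seccomp_restrict_address_families() is compiled to a no-op returning 0. */` and naming the full list in the commit message. Whether socket() is multiplexed or a direct syscall may also depend on the kernel and libc in use rather than on the architecture alone, so a compile-time check is presumably coarser than the actual capability and deserves a mention as a known limitation. Minor style point: `defined (__mips__)` has a stray space before the parenthesis, unlike the other operands.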
index 6f15879..54e7947 100644 (file)
@@ -283,8 +283,14 @@ static void test_restrict_address_families(void) {
                 assert_se(fd >= 0);
                 safe_close(fd);
 
+#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
+                fd = socket(AF_UNIX, SOCK_DGRAM, 0);
+                assert_se(fd >= 0);
+                safe_close(fd);
+#else
                 assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
                 assert_se(errno == EAFNOSUPPORT);
+#endif
 
                 fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
                 assert_se(fd >= 0);
@@ -300,11 +306,21 @@ static void test_restrict_address_families(void) {
                 assert_se(fd >= 0);
                 safe_close(fd);
 
+#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
+                fd = socket(AF_UNIX, SOCK_DGRAM, 0);
+                assert_se(fd >= 0);
+                safe_close(fd);
+
+                fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
+                assert_se(fd >= 0);
+                safe_close(fd);
+#else
                 assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
                 assert_se(errno == EAFNOSUPPORT);
 
                 assert_se(socket(AF_NETLINK, SOCK_DGRAM, 0) < 0);
                 assert_se(errno == EAFNOSUPPORT);
+#endif
 
                 _exit(EXIT_SUCCESS);
         }
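Review bot: The `#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN` branches in both hunks assert that socket() succeeds without saying why, so the test reads as if the restriction were expected to let AF_UNIX and AF_NETLINK through; a one-line comment such as `/* socketcall() archs: the restriction is a no-op, so these sockets must still succeed */` at the top of each BROKEN branch would make the intent clear. The socket/assert_se/safe_close triple now repeats several times in this function, and a small static helper taking the family and type would shorten both branches. The enclosing test_restrict_address_families() starts before the first hunk, and the `#else` branches keep the existing EAFNOSUPPORT assertions unchanged.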