From: James Cowgill Date: Wed, 3 May 2017 16:35:45 +0000 (+0100) Subject: seccomp: add clone syscall definitions for mips (#5880) X-Git-Tag: v234~246 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a3645cc6dd84ea2bde71ff23c1bed1c38315ce0a;p=platform%2Fupstream%2Fsystemd.git seccomp: add clone syscall definitions for mips (#5880) Also updates the documentation and adds a mention of ppc64 support which was enabled by #5325. Tested on Debian mipsel and mips64el. The other 4 mips architectures should have an identical user <-> kernel ABI to one of the 2 tested systems. --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 8c4988a..3ed8dd8 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1597,7 +1597,8 @@ the specified flags parameters into account. Note that — if this option is used — in addition to restricting creation and switching of the specified types of namespaces (or all of them, if true) access to the setns() system call with a zero flags parameter is prohibited. This setting is only - supported on x86, x86-64, s390 and s390x, and enforces no restrictions on other architectures. If running in user + supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le, + s390 and s390x, and enforces no restrictions on other architectures. If running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting User=), NoNewPrivileges=yes is implied. diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 2631856..bc8eaab 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -804,6 +804,12 @@ int seccomp_restrict_namespaces(unsigned long retain) { case SCMP_ARCH_X32: case SCMP_ARCH_PPC64: case SCMP_ARCH_PPC64LE: + case SCMP_ARCH_MIPS: + case SCMP_ARCH_MIPSEL: + case SCMP_ARCH_MIPS64: + case SCMP_ARCH_MIPSEL64: + case SCMP_ARCH_MIPS64N32: + case SCMP_ARCH_MIPSEL64N32: clone_reversed_order = 0; break; diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index b56ac3f..468be19 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -92,7 +92,7 @@ int seccomp_memory_deny_write_execute(void); #endif /* we don't know the right order of the clone() parameters except for these archs, for now */ -#if defined(__x86_64__) || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) +#if defined(__x86_64__) || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__mips__) #define SECCOMP_RESTRICT_NAMESPACES_BROKEN 0 #else #define SECCOMP_RESTRICT_NAMESPACES_BROKEN 1