From 303d6b4ca6ebadca2f6faf63a76743e22efba242 Mon Sep 17 00:00:00 2001
From: James Cowgill <jcowgill@users.noreply.github.com>
Date: Fri, 23 Mar 2018 15:04:16 +0000
Subject: [PATCH] Partially revert "seccomp: add mmap and address family
 restrictions for MIPS" (#8563)

This reverts the mmap parts of f5aeac1439d64905c7b1b57042c39589dd31e3a6,
but keeps the part which restricts address families which works
correctly.

Unfortunately the MIPS toolchains still do not implement PT_GNU_STACK.
This means that while the commit to restrict mmap on MIPS was "correct",
it had the side effect of causing pthread_create to fail because glibc tries
to allocate an executable stack for new threads in the absense of
PT_GNU_STACK. We should wait until PT_GNU_STACK is implemented in all
the relevant parts of the toolchain (at least gcc and glibc) before
enabling this again.
---
 src/shared/seccomp-util.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index e084802..13c8309 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1427,11 +1427,11 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
 }
 
 /* For known architectures, check that syscalls are indeed defined or not. */
-#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || (defined(__mips__) && defined(__mips64))
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
 assert_cc(SCMP_SYS(shmget) > 0);
 assert_cc(SCMP_SYS(shmat) > 0);
 assert_cc(SCMP_SYS(shmdt) > 0);
-#elif defined(__i386__) || defined(__powerpc64__) || (defined(__mips__) && !defined(__mips64))
+#elif defined(__i386__) || defined(__powerpc64__)
 assert_cc(SCMP_SYS(shmget) < 0);
 assert_cc(SCMP_SYS(shmat) < 0);
 assert_cc(SCMP_SYS(shmdt) < 0);
@@ -1451,8 +1451,6 @@ int seccomp_memory_deny_write_execute(void) {
                 switch (arch) {
 
                 case SCMP_ARCH_X86:
-                case SCMP_ARCH_MIPSEL:
-                case SCMP_ARCH_MIPS:
                         filter_syscall = SCMP_SYS(mmap2);
                         block_syscall = SCMP_SYS(mmap);
                         break;
@@ -1476,17 +1474,13 @@ int seccomp_memory_deny_write_execute(void) {
                 case SCMP_ARCH_X86_64:
                 case SCMP_ARCH_X32:
                 case SCMP_ARCH_AARCH64:
-                case SCMP_ARCH_MIPSEL64N32:
-                case SCMP_ARCH_MIPS64N32:
-                case SCMP_ARCH_MIPSEL64:
-                case SCMP_ARCH_MIPS64:
-                        filter_syscall = SCMP_SYS(mmap); /* amd64, x32, arm64 and mips64 have only mmap */
+                        filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */
                         shmat_syscall = SCMP_SYS(shmat);
                         break;
 
                 /* Please add more definitions here, if you port systemd to other architectures! */
 
-#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__mips__)
+#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__)
 #warning "Consider adding the right mmap() syscall definitions here!"
 #endif
                 }
-- 
2.7.4