From 4278d1f5310f5acb4c6a6788233625234edb5145 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Thu, 4 May 2017 23:10:31 -0400
Subject: [PATCH] seccomp: add mmap/shmat defines for arm and arm64
---
 src/shared/seccomp-util.c | 15 ++++++++++++---
 src/test/test-seccomp.c | 4 ++--
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 0d57e63..d12098e 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1213,7 +1213,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp,
 }
 /* For known architectures, check that syscalls are indeed defined or not. */
-#if defined(__x86_64__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
 assert_cc(SCMP_SYS(shmget) > 0);
 assert_cc(SCMP_SYS(shmat) > 0);
 assert_cc(SCMP_SYS(shmdt) > 0);
@@ -1251,15 +1251,24 @@ int seccomp_memory_deny_write_execute(void) {
 break;
+ case SCMP_ARCH_AARCH64:
+ block_syscall = SCMP_SYS(mmap);
+ /* fall through */
+
+ case SCMP_ARCH_ARM:
+ filter_syscall = SCMP_SYS(mmap2); /* arm has only mmap2 */
+ shmat_syscall = SCMP_SYS(shmat);
+ break;
+
 case SCMP_ARCH_X86_64:
 case SCMP_ARCH_X32:
- filter_syscall = SCMP_SYS(mmap);
+ filter_syscall = SCMP_SYS(mmap); /* amd64 and x32 have only mmap */
 shmat_syscall = SCMP_SYS(shmat);
 break;
 /* Please add more definitions here, if you port systemd to other architectures! */
-#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc64__)
+#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__)
 #warning "Consider adding the right mmap() syscall definitions here!"
 #endif
 }
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 62deb05..ce7a570 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
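Review bot: In the hunk at -1251, the new `SCMP_ARCH_AARCH64` case sets `block_syscall = SCMP_SYS(mmap)` and then falls through to the ARM case, which filters `mmap2`; as far as I know the native arm64 ABI provides mmap and has no mmap2, so this pairing looks inverted for that architecture. If block_syscall rejects the call unconditionally (its handling is outside the hunk, so this is inferred from the name), every mmap() on arm64 would be refused, not only writable-and-executable ones, while the `mmap2` rule would match nothing there. I would give arm64 its own case with `filter_syscall = SCMP_SYS(mmap); /* arm64 has only mmap */` and `shmat_syscall = SCMP_SYS(shmat);` followed by `break;`, and leave the `mmap2` line to `SCMP_ARCH_ARM` alone. seccomp_memory_deny_write_execute() begins and ends outside this hunk.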
@@ -398,7 +398,7 @@ static void test_memory_deny_write_execute_mmap(void) {
 assert_se(seccomp_memory_deny_write_execute() >= 0);
 p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
-#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__)
+#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__)
 assert_se(p == MAP_FAILED);
 assert_se(errno == EPERM);
 #else /* unknown architectures */
@@ -445,7 +445,7 @@ static void test_memory_deny_write_execute_shmat(void) {
 assert_se(seccomp_memory_deny_write_execute() >= 0);
 p = shmat(shmid, NULL, SHM_EXEC);
-#if defined(__x86_64__)
+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
 assert_se(p == MAP_FAILED);
 assert_se(errno == EPERM);
 #else /* __i386__, __powerpc64__, and "unknown" architectures */
-- 
2.7.4
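Review bot: The EPERM assertion enabled here for `__arm__` and `__aarch64__` in test_memory_deny_write_execute_mmap() passes equally when the filter rejects every mmap() call, so on its own it cannot tell a W+X-only denial from a filter that blocks mmap outright. If the part of the test outside this hunk does not already do so, a control mapping after the filter is installed would close that gap: `p = mmap(NULL, page_size(), PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);` followed by `assert_se(p != MAP_FAILED);`. The architecture list is now repeated in this hunk, in the shmat hunk at -445 and in the `#warning` guard in seccomp-util.c, and the `#else` branches treat a successful W+X mapping as a pass, so a list that drifts would hide an unenforced filter; a comment such as `/* keep in sync with seccomp_memory_deny_write_execute() */` above each `#if` would help the next port. Both test functions begin and end outside their hunks.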