From c3acf2d222589bf9d94cacfe180ab38fa46c9cb1 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sun, 10 Sep 2017 10:34:42 +0300
Subject: [PATCH] Improve seccomp architecture support

---
 src/fseccomp/syscall.c |  6 ++++++
 src/include/seccomp.h  | 26 ++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index d0692b2ef..69b6e5271 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -274,6 +274,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vserver
 	  "vserver"
 #endif
+#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
+	  "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
 	},
 	{ .name = "@privileged", .list =
 	  "@clock,"
@@ -334,6 +337,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_s390_mmio_write
 	  "s390_mmio_write"
 #endif
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+	  "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
 	},
 	{ .name = "@reboot", .list =
 #ifdef SYS_kexec_load
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 133b6ce72..b8bfce96b 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -149,9 +149,35 @@ struct seccomp_data {
 # define ARCH_NR	AUDIT_ARCH_S390
 # define ARCH_32	AUDIT_ARCH_S390
 # define ARCH_64	AUDIT_ARCH_S390X
+#elif defined(__sh64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR	AUDIT_ARCH_SH64
+# define ARCH_32	AUDIT_ARCH_SH
+# define ARCH_64	AUDIT_ARCH_SH64
+#elif defined(__sh64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR	AUDIT_ARCH_SHEL64
+# define ARCH_32	AUDIT_ARCH_SHEL
+# define ARCH_64	AUDIT_ARCH_SHEL64
+#elif defined(__sh__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR	AUDIT_ARCH_SH
+# define ARCH_32	AUDIT_ARCH_SH
+# define ARCH_64	AUDIT_ARCH_SH64
+#elif defined(__sh__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR	AUDIT_ARCH_SHEL
+# define ARCH_32	AUDIT_ARCH_SHEL
+# define ARCH_64	AUDIT_ARCH_SHEL64
+#elif defined(__sparc64__)
+# define ARCH_NR	AUDIT_ARCH_SPARC64
+# define ARCH_32	AUDIT_ARCH_SPARC
+# define ARCH_64	AUDIT_ARCH_SPARC64
+#elif defined(__sparc__)
+# define ARCH_NR	AUDIT_ARCH_SPARC
+# define ARCH_32	AUDIT_ARCH_SPARC
+# define ARCH_64	AUDIT_ARCH_SPARC64
 #else
 # warning "Platform does not support seccomp filter yet"
 # define ARCH_NR	0
+# define ARCH_32	0
+# define ARCH_64	0
 #endif
 
 #define VALIDATE_ARCHITECTURE \