1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
From c3acf2d222589bf9d94cacfe180ab38fa46c9cb1 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sun, 10 Sep 2017 10:34:42 +0300
Subject: [PATCH] Improve seccomp architecture support
---
src/fseccomp/syscall.c | 6 ++++++
src/include/seccomp.h | 26 ++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index d0692b2ef..69b6e5271 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -274,6 +274,9 @@ static const SyscallGroupList sysgroups[] = {
#ifdef SYS_vserver
"vserver"
#endif
+#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
+ "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
},
{ .name = "@privileged", .list =
"@clock,"
@@ -334,6 +337,9 @@ static const SyscallGroupList sysgroups[] = {
#ifdef SYS_s390_mmio_write
"s390_mmio_write"
#endif
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+ "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
},
{ .name = "@reboot", .list =
#ifdef SYS_kexec_load
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 133b6ce72..b8bfce96b 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -149,9 +149,35 @@ struct seccomp_data {
# define ARCH_NR AUDIT_ARCH_S390
# define ARCH_32 AUDIT_ARCH_S390
# define ARCH_64 AUDIT_ARCH_S390X
+#elif defined(__sh64__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SH64
+# define ARCH_32 AUDIT_ARCH_SH
+# define ARCH_64 AUDIT_ARCH_SH64
+#elif defined(__sh64__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SHEL64
+# define ARCH_32 AUDIT_ARCH_SHEL
+# define ARCH_64 AUDIT_ARCH_SHEL64
+#elif defined(__sh__) && __BYTE_ORDER == __BIG_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SH
+# define ARCH_32 AUDIT_ARCH_SH
+# define ARCH_64 AUDIT_ARCH_SH64
+#elif defined(__sh__) && __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARCH_NR AUDIT_ARCH_SHEL
+# define ARCH_32 AUDIT_ARCH_SHEL
+# define ARCH_64 AUDIT_ARCH_SHEL64
+#elif defined(__sparc64__)
+# define ARCH_NR AUDIT_ARCH_SPARC64
+# define ARCH_32 AUDIT_ARCH_SPARC
+# define ARCH_64 AUDIT_ARCH_SPARC64
+#elif defined(__sparc__)
+# define ARCH_NR AUDIT_ARCH_SPARC
+# define ARCH_32 AUDIT_ARCH_SPARC
+# define ARCH_64 AUDIT_ARCH_SPARC64
#else
# warning "Platform does not support seccomp filter yet"
# define ARCH_NR 0
+# define ARCH_32 0
+# define ARCH_64 0
#endif
#define VALIDATE_ARCHITECTURE \
|
