helper: Add all possible architectures to seccomp filter
Ensure that the seccomp filters will be applied if someone tries to run a non-native architecture program. This currently only covers the various x86 architectures and was borrowed from systemd LGPL code.

https://bugs.freedesktop.org/show_bug.cgi?id=91165

tingping/wmclass
parent
f28b1d3082
commit
ef223b6a46
|
@ -348,6 +348,22 @@ setup_seccomp (void)
|
|||
if (!seccomp)
|
||||
return die_oom ();
|
||||
|
||||
/* Add in all possible secondary archs we are aware of that
|
||||
* this kernel might support. */
|
||||
#if defined(__i386__) || defined(__x86_64__)
|
||||
r = seccomp_arch_add (seccomp, SCMP_ARCH_X86);
|
||||
if (r < 0 && r != -EEXIST)
|
||||
die_with_error ("Failed to add x86 architecture to seccomp filter");
|
||||
|
||||
r = seccomp_arch_add (seccomp, SCMP_ARCH_X86_64);
|
||||
if (r < 0 && r != -EEXIST)
|
||||
die_with_error ("Failed to add x86_64 architecture to seccomp filter");
|
||||
|
||||
r = seccomp_arch_add (seccomp, SCMP_ARCH_X32);
|
||||
if (r < 0 && r != -EEXIST)
|
||||
die_with_error ("Failed to add x32 architecture to seccomp filter");
|
||||
#endif
|
||||
|
||||
/* TODO: Should we filter the kernel keyring syscalls in some way?
|
||||
* We do want them to be used by desktop apps, but they could also perhaps
|
||||
* leak system stuff or secrets from other apps.
|
||||
|
|
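Review bot: The comment above the `#if` block should record the ordering this placement relies on: as far as I know, libseccomp does not copy already-added rules to an architecture that is added later, so these `seccomp_arch_add` calls must stay ahead of any rules added further down in `setup_seccomp`. Something like `/* Must precede every seccomp_rule_add(): rules are not copied to an arch added later. */` would do. Separately, `seccomp_arch_add` reports failure as a negative errno in `r`. If `die_with_error` formats `errno` (its definition is outside the hunk), the message may carry a stale code, and `errno = -r;` before each `die_with_error` call would fix that. On non-x86 multi-ABI kernels no secondary architecture is added, so a foreign-ABI syscall there is handled by the filter's bad-architecture action, which is not visible here and deserves a line in the comment. `setup_seccomp` starts and ends outside the hunk.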