From ef223b6a46b2426e0cafa4f58e6346f63856e873 Mon Sep 17 00:00:00 2001 From: Dan Nicholson Date: Tue, 30 Jun 2015 14:05:37 -0700 Subject: [PATCH] helper: Add all possible architectures to seccomp filter Ensure that the seccomp filters will be applied if someone tries to run a non-native architecture program. This currently only covers the various x86 architectures and was borrowed from systemd LGPL code. https://bugs.freedesktop.org/show_bug.cgi?id=91165
---
 xdg-app-helper.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/xdg-app-helper.c b/xdg-app-helper.c
index 0dff3a6c..c6ead06d 100644
--- a/xdg-app-helper.c
+++ b/xdg-app-helper.c
@@ -348,6 +348,22 @@ setup_seccomp (void)
 if (!seccomp)
 return die_oom ();
 
+ /* Add in all possible secondary archs we are aware of that
+ * this kernel might support. */
+#if defined(__i386__) || defined(__x86_64__)
+ r = seccomp_arch_add (seccomp, SCMP_ARCH_X86);
+ if (r < 0 && r != -EEXIST)
+ die_with_error ("Failed to add x86 architecture to seccomp filter");
+
+ r = seccomp_arch_add (seccomp, SCMP_ARCH_X86_64);
+ if (r < 0 && r != -EEXIST)
+ die_with_error ("Failed to add x86_64 architecture to seccomp filter");
+
+ r = seccomp_arch_add (seccomp, SCMP_ARCH_X32);
+ if (r < 0 && r != -EEXIST)
+ die_with_error ("Failed to add x32 architecture to seccomp filter");
+#endif
+
 /* TODO: Should we filter the kernel keyring syscalls in some way?
 * We do want them to be used by desktop apps, but they could also perhaps
 * leak system stuff or secrets from other apps.
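Review bot: The three `die_with_error` calls discard the libseccomp return code, so the failure message cannot say why `seccomp_arch_add` failed; libseccomp reports the error as a negative errno value in `r` and does not promise to set `errno`. If `die_with_error` (defined outside this hunk) appends `strerror (errno)`, set `errno = -r;` before each call, otherwise put `strerror (-r)` into the message. Separately, every rule added later in `setup_seccomp` (not visible here) is now resolved for three ABIs, so it is worth confirming that rules with argument comparisons still take effect on `SCMP_ARCH_X86`, where some calls may be reached through a multiplexed syscall. A comment such as `/* Rules below are translated per architecture; check new ones on x86, x86_64 and x32. */` after the `#endif` would record that. `setup_seccomp` starts and ends outside the hunk.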