Feature: switch/config option to block secondary architectures

Add a feature for a new (opt-in) command line switch and config file
option to block secondary architectures entirely. Also block changing
Linux execution domain with personality() system call for the primary
architecture.

Closes #1479

1 files changed, 3 insertions, 0 deletions

diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 3bf7de0fa..ae0ae64ef 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -28,6 +28,7 @@ static void usage(void) {
         printf("\tfseccomp protocol build list file\n");
         printf("\tfseccomp secondary 64 file\n");
         printf("\tfseccomp secondary 32 file\n");
+        printf("\tfseccomp secondary block file\n");
         printf("\tfseccomp default file\n");
         printf("\tfseccomp default file allow-debuggers\n");
         printf("\tfseccomp drop file1 file2 list\n");
@@ -74,6 +75,8 @@ printf("\n");
                 seccomp_secondary_64(argv[3]);
         else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
                 seccomp_secondary_32(argv[3]);
+        else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "block") == 0)
+                seccomp_secondary_block(argv[3]);
         else if (argc == 3 && strcmp(argv[1], "default") == 0)
                 seccomp_default(argv[2], 0);
         else if (argc == 4 && strcmp(argv[1], "default") == 0 && strcmp(argv[3], "allow-debuggers") == 0)