Improve seccomp architecture support

author: Topi Miettinen <toiwoton@gmail.com> 2017-09-10 10:34:42 +0300
committer: Topi Miettinen <toiwoton@gmail.com> 2017-09-10 10:34:42 +0300
commit: c3acf2d222589bf9d94cacfe180ab38fa46c9cb1 (patch)
tree: 6b073d1b72e7c378c78a6f063c78facbd8831bcb /src/fseccomp
parent: Merge pull request #1542 from hawkeye116477/master (diff)
download: firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.tar.gz
firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.tar.zst
firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index d0692b2ef..69b6e5271 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -274,6 +274,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vserver
          "vserver"
 #endif
+#if !defined(SYS__sysctl) && !defined(SYS_afs_syscall) && !defined(SYS_bdflush) && !defined(SYS_break) && !defined(SYS_create_module) && !defined(SYS_ftime) && !defined(SYS_get_kernel_syms) && !defined(SYS_getpmsg) && !defined(SYS_gtty) && !defined(SYS_lock) && !defined(SYS_mpx) && !defined(SYS_prof) && !defined(SYS_profil) && !defined(SYS_putpmsg) && !defined(SYS_query_module) && !defined(SYS_security) && !defined(SYS_sgetmask) && !defined(SYS_ssetmask) && !defined(SYS_stty) && !defined(SYS_sysfs) && !defined(SYS_tuxcall) && !defined(SYS_ulimit) && !defined(SYS_uselib) && !defined(SYS_ustat) && !defined(SYS_vserver)
+          "__dummy_syscall__" // workaround for arm64 which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
        },
        { .name = "@privileged", .list =
          "@clock,"
@@ -334,6 +337,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_s390_mmio_write
          "s390_mmio_write"
 #endif
+#if !defined(SYS_ioperm) && !defined(SYS_iopl) && !defined(SYS_pciconfig_iobase) && !defined(SYS_pciconfig_read) && !defined(SYS_pciconfig_write) && !defined(SYS_s390_mmio_read) && !defined(SYS_s390_mmio_write)
+          "__dummy_syscall__" // workaround for s390x which doesn't have any of above defined and empty syscall lists are not allowed
+#endif
        },
        { .name = "@reboot", .list =
 #ifdef SYS_kexec_load
author	Topi Miettinen <toiwoton@gmail.com>	2017-09-10 10:34:42 +0300
committer	Topi Miettinen <toiwoton@gmail.com>	2017-09-10 10:34:42 +0300
commit	c3acf2d222589bf9d94cacfe180ab38fa46c9cb1 (patch)
tree	6b073d1b72e7c378c78a6f063c78facbd8831bcb /src/fseccomp
parent	Merge pull request #1542 from hawkeye116477/master (diff)
download	firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.tar.gz firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.tar.zst firejail-c3acf2d222589bf9d94cacfe180ab38fa46c9cb1.zip