seccomp: add clone syscall definitions for mips (systemd#5880)

jcowgill · martinpitt · commit a3645cc6dd84 · 2017-05-03T18:35:45.000+02:00
Also updates the documentation and adds a mention of ppc64 support which was enabled by systemd#5325. Tested on Debian mipsel and mips64el. The other 4 mips architectures should have an identical user <-> kernel ABI to one of the 2 tested systems.
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
@@ -1597,7 +1597,8 @@
         the specified flags parameters into account. Note that — if this option is used — in addition to restricting
         creation and switching of the specified types of namespaces (or all of them, if true) access to the
         <function>setns()</function> system call with a zero flags parameter is prohibited.  This setting is only
-        supported on x86, x86-64, s390 and s390x, and enforces no restrictions on other architectures. If running in user
+        supported on x86, x86-64, mips, mips-le, mips64, mips64-le, mips64-n32, mips64-le-n32, ppc64, ppc64-le,
+        s390 and s390x, and enforces no restrictions on other architectures. If running in user
         mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability (e.g. setting
         <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is implied.  </para></listitem>
       </varlistentry>
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
@@ -804,6 +804,12 @@ int seccomp_restrict_namespaces(unsigned long retain) {
                 case SCMP_ARCH_X32:
                 case SCMP_ARCH_PPC64:
                 case SCMP_ARCH_PPC64LE:
+                case SCMP_ARCH_MIPS:
+                case SCMP_ARCH_MIPSEL:
+                case SCMP_ARCH_MIPS64:
+                case SCMP_ARCH_MIPSEL64:
+                case SCMP_ARCH_MIPS64N32:
+                case SCMP_ARCH_MIPSEL64N32:
                         clone_reversed_order = 0;
                         break;
 
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
@@ -92,7 +92,7 @@ int seccomp_memory_deny_write_execute(void);
 #endif
 
 /* we don't know the right order of the clone() parameters except for these archs, for now */
-#if defined(__x86_64__) || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__)
+#if defined(__x86_64__) || defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__mips__)
 #define SECCOMP_RESTRICT_NAMESPACES_BROKEN 0
 #else
 #define SECCOMP_RESTRICT_NAMESPACES_BROKEN 1
