-rw-r--r-- | src/shared/seccomp-util.c | 3 | ||||
-rw-r--r-- | src/test/test-seccomp.c | 9 |
2 files changed, 8 insertions, 4 deletions
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 714734ad61..905be0f6a9 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1519,6 +1519,7 @@ int seccomp_memory_deny_write_execute(void) {
 case SCMP_ARCH_X86:
 filter_syscall = SCMP_SYS(mmap2);
 block_syscall = SCMP_SYS(mmap);
+ shmat_syscall = SCMP_SYS(shmat);
 break;
 case SCMP_ARCH_PPC:
@@ -1585,7 +1586,7 @@ int seccomp_memory_deny_write_execute(void) {
 continue;
 #endif
- if (shmat_syscall != 0) {
+ if (shmat_syscall > 0) {
 r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(shmat), 1, SCMP_A2(SCMP_CMP_MASKED_EQ, SHM_EXEC, SHM_EXEC));
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 937d414c0c..14b37eed2c 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -548,15 +548,18 @@ static void test_memory_deny_write_execute_shmat(void) {
 assert_se(seccomp_memory_deny_write_execute() >= 0);
 p = shmat(shmid, NULL, SHM_EXEC);
+ log_debug_errno(p == MAP_FAILED ? errno : 0, "shmat(SHM_EXEC): %m");
 #if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
 assert_se(p == MAP_FAILED);
 assert_se(errno == EPERM);
-#else /* __i386__, __powerpc64__, and "unknown" architectures */
- assert_se(p != MAP_FAILED);
- assert_se(shmdt(p) == 0);
 #endif
+ /* Depending on kernel, libseccomp, and glibc versions, other architectures
+ * might fail or not. Let's not assert success. */
+ if (p != MAP_FAILED)
+ assert_se(shmdt(p) == 0);
 p = shmat(shmid, NULL, 0);
+ log_debug_errno(p == MAP_FAILED ? errno : 0, "shmat(0): %m");
 assert_se(p != MAP_FAILED);
 assert_se(shmdt(p) == 0); |
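Review bot: The new `shmat_syscall = SCMP_SYS(shmat);` in the `SCMP_ARCH_X86` case carries no comment saying that the value may be non-positive on this architecture, which is what the `> 0` test in the second hunk appears to depend on. libseccomp reports a negative pseudo-number for a syscall it does not know as a direct call on the target, so whether the SHM_EXEC rule is installed here presumably varies with the library and kernel in use. I would add above the assignment: `/* SCMP_SYS(shmat) may be negative here (no direct shmat syscall known to libseccomp); the > 0 check below then skips the rule */`. The switch begins and ends outside the hunk.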
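Review bot: When `shmat_syscall > 0` is false the SHM_EXEC rule is skipped without a trace, so on such an architecture seccomp_memory_deny_write_execute() returns success while executable shared-memory attachments stay permitted. A `log_debug("shmat() cannot be filtered on this architecture, SHM_EXEC attachments are not blocked");` in the not-taken case would make the weaker coverage visible to whoever audits the sandbox. The guarded call also still passes `SCMP_SYS(shmat)` rather than the variable that was just tested; passing `shmat_syscall` keeps the condition and the installed rule from drifting apart. The body of the `if` continues outside the hunk.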
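Review bot: `assert_se(errno == EPERM)` now runs after the added `log_debug_errno()` call, so the assertion depends on the logging path leaving errno exactly as shmat() set it. If the log helpers guarantee that, a short comment saying so is enough; otherwise capture it right after the call, `int saved_errno = p == MAP_FAILED ? errno : 0;`, and use `saved_errno` in both the log line and the assertion. Separately, outside the three listed architectures the SHM_EXEC result is now only logged, so a build on which the filter is silently not installed still passes this test.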