nspawn: x86 is special with its socketcall() semantics, be permissive in the seccomp...

[elogind.git] / src / nspawn / nspawn.c

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 5a2467d6e2e7b302fd884b4f220ff65006929af2..379ea92355e6f512c15b06ad04fcf3b66fd63f7e 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -79,6 +79,10 @@
 #include "rtnl-util.h"
 #include "udev-util.h"
 
+#ifdef HAVE_SECCOMP
+#include "seccomp-util.h"
+#endif
+
 typedef enum LinkJournal {
         LINK_NO,
         LINK_AUTO,
@@ -1521,7 +1525,13 @@ static int audit_still_doesnt_work_in_containers(void) {
         if (!seccomp)
                 return log_oom();
 
-        r = seccomp_rule_add_exact(
+        r = seccomp_add_secondary_archs(seccomp);
+        if (r < 0 && r != -EEXIST) {
+                log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
+                goto finish;
+        }
+
+        r = seccomp_rule_add(
                         seccomp,
                         SCMP_ACT_ERRNO(EAFNOSUPPORT),
                         SCMP_SYS(socket),
@@ -1539,14 +1549,6 @@ static int audit_still_doesnt_work_in_containers(void) {
                 goto finish;
         }
 
-#ifdef __x86_64__
-        r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
-        if (r < 0 && r != -EEXIST) {
-                log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
-                goto finish;
-        }
-#endif
-
         r = seccomp_load(seccomp);
         if (r < 0)
                 log_error("Failed to install seccomp audit filter: %s", strerror(-r));