From 009f80b428213847ea277259a3113e9b3e0c3ae5 Mon Sep 17 00:00:00 2001
From: "Nicholas J. Kain"
Date: Sat, 22 Mar 2014 01:32:55 -0400
Subject: [PATCH] x86 has a slightly different syscall interface, so some changes are necessary for the seccomp filters to work. Specifically, x86 has the old catch-all socketcall and the non-legacy fnctl64 system calls.
---
 ndhc/seccomp.c | 41 ++++++++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 11 deletions(-)
diff --git a/ndhc/seccomp.c b/ndhc/seccomp.c
index e748cfc..fb871d3 100644
--- a/ndhc/seccomp.c
+++ b/ndhc/seccomp.c
@@ -40,20 +40,30 @@ int enforce_seccomp_ndhc(void)
 struct sock_filter filter[] = {
 VALIDATE_ARCHITECTURE,
 EXAMINE_SYSCALL,
- ALLOW_SYSCALL(sendto), // used for glibc syslog routines
 ALLOW_SYSCALL(epoll_wait),
 ALLOW_SYSCALL(epoll_ctl),
 ALLOW_SYSCALL(read),
 ALLOW_SYSCALL(write),
 ALLOW_SYSCALL(close),
+
+#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__))
+ ALLOW_SYSCALL(sendto), // used for glibc syslog routines
 ALLOW_SYSCALL(recvmsg),
 ALLOW_SYSCALL(socket),
 ALLOW_SYSCALL(setsockopt),
- ALLOW_SYSCALL(fcntl),
- ALLOW_SYSCALL(bind),
- ALLOW_SYSCALL(open),
- ALLOW_SYSCALL(connect),
 ALLOW_SYSCALL(getsockname),
+ ALLOW_SYSCALL(connect),
+ ALLOW_SYSCALL(bind),
+ ALLOW_SYSCALL(socketpair),
+#elif defined(__i386__)
+ ALLOW_SYSCALL(socketcall),
+ ALLOW_SYSCALL(fcntl64),
+#else
+#error Target platform does not support seccomp-filter.
+#endif
+
+ ALLOW_SYSCALL(fcntl),
+ ALLOW_SYSCALL(open),
 // Allowed by vDSO
 ALLOW_SYSCALL(getcpu),
@@ -67,7 +77,6 @@ int enforce_seccomp_ndhc(void)
 ALLOW_SYSCALL(fsync),
 // These are for 'background()'
- ALLOW_SYSCALL(socketpair),
 ALLOW_SYSCALL(clone),
 ALLOW_SYSCALL(set_robust_list),
 ALLOW_SYSCALL(setsid),
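Review bot: `ALLOW_SYSCALL(socketcall)` in the `#elif defined(__i386__)` branch of enforce_seccomp_ndhc admits every operation multiplexed through socketcall, so the i386 filter is wider than the eight socket syscalls listed for x86_64/ARM; the same branch is repeated in enforce_seccomp_ifch. The sub-call number is a scalar in args[0] that a BPF filter can compare, so the i386 path could be limited to the same operations; at minimum I would record the gap with a comment such as `// socketcall multiplexes all socket ops; i386 allowlist is broader than x86_64 -- TODO restrict on args[0]`. Separately, the first branch also covers ARM EABI but does not list `fcntl64`, which 32-bit ARM presumably needs for the same reason i386 does, so that is worth confirming on that target. The filter array and the function body start and end outside the hunk.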
@@ -110,23 +119,33 @@ int enforce_seccomp_ifch(void) EXAMINE_SYSCALL, ALLOW_SYSCALL(read), ALLOW_SYSCALL(write), - ALLOW_SYSCALL(sendto), ALLOW_SYSCALL(epoll_wait), ALLOW_SYSCALL(epoll_ctl), ALLOW_SYSCALL(close), + +#if defined(__x86_64__) || (defined(__arm__) && defined(__ARM_EABI__)) + ALLOW_SYSCALL(sendto), // used for glibc syslog routines + ALLOW_SYSCALL(recvmsg), ALLOW_SYSCALL(socket), - ALLOW_SYSCALL(ioctl), + ALLOW_SYSCALL(setsockopt), ALLOW_SYSCALL(getsockname), + ALLOW_SYSCALL(connect), + ALLOW_SYSCALL(bind), + ALLOW_SYSCALL(socketpair), +#elif defined(__i386__) + ALLOW_SYSCALL(socketcall), + ALLOW_SYSCALL(fcntl64), +#else +#error Target platform does not support seccomp-filter. +#endif + ALLOW_SYSCALL(open), ALLOW_SYSCALL(fstat), - ALLOW_SYSCALL(connect), - ALLOW_SYSCALL(recvmsg), ALLOW_SYSCALL(fsync), ALLOW_SYSCALL(lseek), ALLOW_SYSCALL(truncate), ALLOW_SYSCALL(fcntl), ALLOW_SYSCALL(unlink), - ALLOW_SYSCALL(bind), ALLOW_SYSCALL(chmod), ALLOW_SYSCALL(rt_sigreturn),
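Review bot: The x86_64/ARM branch in enforce_seccomp_ifch newly allows `setsockopt` and `socketpair`, and the hunk drops `ioctl`, none of which the commit message (an x86 syscall-interface fix) explains; the list looks copied from enforce_seccomp_ndhc. If ifch does not call these, leaving out `ALLOW_SYSCALL(setsockopt),` and `ALLOW_SYSCALL(socketpair),` keeps its allowlist no wider than before; if it does, a comment like `// setsockopt/socketpair: needed by <caller> in ifch` would record why. It is also worth confirming that nothing reachable after the filter is installed in ifch still issues `ioctl`, since a missing entry would presumably surface only at run time as a seccomp violation. The filter array starts and ends outside the hunk.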