We know it fails at shmat, so we most likely can focus on that one.
i386 2.4.2 /* test_memory_deny_write_execute_shmat */ arch x86: SCMP_SYS(mmap) = 90 arch x86: SCMP_SYS(mmap2) = 192 arch x86: SCMP_SYS(shmget) = 395 arch x86: SCMP_SYS(shmat) = 397 arch x86: SCMP_SYS(shmdt) = 398 Operating on architecture: x86 Failed to add shmat() rule for architecture x86, skipping: Invalid argument shmat(SHM_EXEC): Success shmat(0): Success memoryseccomp-shmat succeeded.
/* test_memory_deny_write_execute_shmat */ arch x86: SCMP_SYS(mmap) = 90 arch x86: SCMP_SYS(mmap2) = 192 arch x86: SCMP_SYS(shmget) = 395 arch x86: SCMP_SYS(shmat) = 397 arch x86: SCMP_SYS(shmdt) = 398 Operating on architecture: x86 shmat(SHM_EXEC): Success shmat(0): Success
So the IDs detected did not change, but the behavior did.
libseccomp saw the bump to kernel 5.4 to include - { "shmat", __PNR_shmat }, + { "shmat", 397 }, But as we saw the effective ID didn't change.
[1]: https://github.com/systemd/systemd/blob/master/src/shared/seccomp-util.c#L1584 [2]: https://github.com/systemd/systemd/blob/master/src/test/test-seccomp.c#L560
We know it fails at shmat, so we most likely can focus on that one.
i386 2.4.2 deny_write_ execute_ shmat */
/* test_memory_
arch x86: SCMP_SYS(mmap) = 90
arch x86: SCMP_SYS(mmap2) = 192
arch x86: SCMP_SYS(shmget) = 395
arch x86: SCMP_SYS(shmat) = 397
arch x86: SCMP_SYS(shmdt) = 398
Operating on architecture: x86
Failed to add shmat() rule for architecture x86, skipping: Invalid argument
shmat(SHM_EXEC): Success
shmat(0): Success
memoryseccomp-shmat succeeded.
/* test_memory_ deny_write_ execute_ shmat */
arch x86: SCMP_SYS(mmap) = 90
arch x86: SCMP_SYS(mmap2) = 192
arch x86: SCMP_SYS(shmget) = 395
arch x86: SCMP_SYS(shmat) = 397
arch x86: SCMP_SYS(shmdt) = 398
Operating on architecture: x86
shmat(SHM_EXEC): Success
shmat(0): Success
So the IDs detected did not change, but the behavior did.
libseccomp saw the bump to kernel 5.4 to include
- { "shmat", __PNR_shmat },
+ { "shmat", 397 },
But as we saw the effective ID didn't change.
[1]: https:/ /github. com/systemd/ systemd/ blob/master/ src/shared/ seccomp- util.c# L1584 /github. com/systemd/ systemd/ blob/master/ src/test/ test-seccomp. c#L560
[2]: https:/