Split arch-specific syscalls from the base whitelist

debian/sdwdate.postinst

@@ -77,6 +77,31 @@ timedatectl set-ntp false >/dev/null 2>&1 || true
 ## Make sure it gets really deleted even if timedatectl does not work.
 rm --force /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service
 
+## Add arch-specific syscalls to the seccomp filter.
+if ! [ -d /lib/systemd/system/sdwdate.service.d/ ]; then
+  mkdir --parents /lib/systemd/system/sdwdate.service.d/
+fi
+
+arch="$(uname -m)"
+if [[ "${arch}" =~ "arm" ]] || [ "${arch}" =~ "aarch" ]]; then
+  ## ARM-specific syscalls.
+  echo "## Architecture: ${arch}
+[Service]
+SystemCallFilter=faccessat readlinkat newfstatat mkdirat dup3 ppoll pselect6" > /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf
+elif [[ "${arch}" =~ "ppc" ]]; then
+  ## PowerPC-specific syscalls.
+  echo "## Architecture: ${arch}
+[Service]
+SystemCallFilter=_llseek send waitpid recv prctl _newselect" > /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf
+elif ! [[ "${arch}" =~ "x86" ]]; then
+  echo "You are currently using an unsupported CPU architecture: '${arch}'. The seccomp
+filter used by sdwdate may not function correctly. Currently, the only architectures
+supported by the seccomp filter are: x86, ARM and PowerPC. Arch-specific syscalls can
+be added to /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf"
+fi
+
+systemctl daemon-reload
+
 true "INFO: debhelper beginning here."
 
 #DEBHELPER#

lib/systemd/system/sdwdate.service

@@ -60,9 +60,10 @@ RestrictRealtime=true
 RestrictSUIDSGID=true
 RestrictAddressFamilies=AF_UNIX AF_INET
 RestrictNamespaces=true
-## powerpc64 / ppc64el: _llseek send waitpid recv prctl _newselect
-## arm64: faccessat readlinkat newfstatat mkdirat dup3 ppoll pselect6
-SystemCallFilter=wait4 select futex read stat close openat fstat lseek mmap rt_sigaction getdents64 mprotect ioctl recvfrom munmap brk rt_sigprocmask fcntl getpid write access socket sendto dup2 clone execve getrandom geteuid getgid madvise getuid getegid readlink pipe rt_sigreturn connect pipe2 prlimit64 set_robust_list dup arch_prctl lstat set_tid_address sysinfo sigaltstack rt_sigsuspend shutdown timer_settime mkdir timer_create statfs getcwd setpgid setsockopt uname bind getpgrp getppid getpeername chdir poll getsockname fadvise64 clock_settime kill getsockopt unlink _llseek send waitpid recv prctl _newselect faccessat readlinkat newfstatat mkdirat dup3 ppoll pselect6
+## Base syscall whitelist suitable for x86. Other arch-specific syscalls will be included
+## in /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf during package
+## installation.
+SystemCallFilter=wait4 select futex read stat close openat fstat lseek mmap rt_sigaction getdents64 mprotect ioctl recvfrom munmap brk rt_sigprocmask fcntl getpid write access socket sendto dup2 clone execve getrandom geteuid getgid madvise getuid getegid readlink pipe rt_sigreturn connect pipe2 prlimit64 set_robust_list dup arch_prctl lstat set_tid_address sysinfo sigaltstack rt_sigsuspend shutdown timer_settime mkdir timer_create statfs getcwd setpgid setsockopt uname bind getpgrp getppid getpeername chdir poll getsockname fadvise64 clock_settime kill getsockopt unlink
 SystemCallArchitectures=native
 
 [Install]