[gnome-desktop/wip/smcv/s390x-seccomp-clone: 2/2] Fix argument order of clone() for s390x in seccomp filter




commit 9b649cacb6f64735e5a65b898cbbbfb0caad0745
Author: Julian Andres Klode <julian klode canonical com>
Date:   Wed Aug 5 16:28:50 2020 +0200

    Fix argument order of clone() for s390x in seccomp filter
    
    From https://github.com/flatpak/flatpak/pull/3777
    
    clone() is a mad syscall with about 4 different argument orders. While
    most of them agree that argument 0 is flags, s390 and s390x have the
    flags argument second - A0 is the child stack pointer there.
    
    [smcv: Add an explanatory comment; also test __CRIS__, for completeness;
    apply change from Flatpak to the copy of this code in gnome-desktop]
    
    Bug-Debian: https://bugs.debian.org/964541
    Bug-Ubuntu: https://launchpad.net/bugs/1886814
    Signed-off-by: Simon McVittie <smcv collabora com>

 libgnome-desktop/gnome-desktop-thumbnail-script.c | 7 +++++++
 1 file changed, 7 insertions(+)
---
diff --git a/libgnome-desktop/gnome-desktop-thumbnail-script.c 
b/libgnome-desktop/gnome-desktop-thumbnail-script.c
index 5a72e8b12..02776cd27 100644
--- a/libgnome-desktop/gnome-desktop-thumbnail-script.c
+++ b/libgnome-desktop/gnome-desktop-thumbnail-script.c
@@ -327,7 +327,14 @@ setup_seccomp (GPtrArray  *argv_array,
     {SCMP_SYS (unshare)},
     {SCMP_SYS (mount)},
     {SCMP_SYS (pivot_root)},
+#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
+    /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
+     * and flags arguments are reversed so the flags come second */
+    {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+#else
+    /* Normally the flags come first */
     {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+#endif
 
     /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
     {SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
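
Review bot: The "#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)" list is a hand-maintained mirror of a kernel configuration option that userspace cannot query. An architecture missing from it falls through to the #else branch, where the SCMP_A0 rule compares CLONE_NEWUSER against the child stack pointer rather than the flags, so the rule stops doing its job without any build or runtime error. Consider extending the new comment to say that the list has to track the kernel's CONFIG_CLONE_BACKWARDS2 architectures and the Flatpak copy this change was taken from. A test run on the affected architectures, checking that clone() with CLONE_NEWUSER set is actually refused under the filter, would also help.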

