From d470afb80f7bf921eda86804fee4e5f5f12de015 Mon Sep 17 00:00:00 2001
From: Nikita Dubrovskii <nikita@linux.ibm.com>
Date: Mon, 18 May 2026 16:32:27 +0200
Subject: [PATCH 1/2] syscalls: check direct syscall before multiplexed
 pseudo-syscall

Docker 29.4.2 removed socketcall(2) from the default seccomp profile.
On s390x, this broke socket operations:

  # strace curl icanhazip.com
  socket(AF_UNIX, SOCK_STREAM, 0) = -1 ENOSYS (Function not implemented)

  # scmp_sys_resolver -a s390x socket
  -101

  # ausyscall s390x socket
  socket             359

The abi_syscall_resolve_name_munge() function was returning __PNR_socket
(-101) instead of checking if arch implements socket(2) directly (359).

Fix by checking arch->syscall_resolve_name_raw() first, only falling back
to multiplexed pseudo-syscalls if the direct implementation doesn't exist.

Affects socket and IPC syscalls on architectures with direct implementations
(s390x, aarch64, etc).

Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
---
 src/syscalls.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/syscalls.c b/src/syscalls.c
index 5b2cd92a..c5ebe64a 100644
--- a/src/syscalls.c
+++ b/src/syscalls.c
@@ -42,6 +42,13 @@
 int abi_syscall_resolve_name_munge(const struct arch_def *arch,
 				   const char *name)
 {
+	int sys = __NR_SCMP_ERROR;
+
+	/* Check if arch implements syscall directly and return its number */
+	sys = arch->syscall_resolve_name_raw(name);
+	if (sys != __NR_SCMP_ERROR) {
+		return sys;
+	}
 
 #define _ABI_SYSCALL_RES_NAME_CHK(NAME) \
 	if (!strcmp(name, #NAME)) return __PNR_##NAME;
@@ -79,7 +86,7 @@ int abi_syscall_resolve_name_munge(const struct arch_def *arch,
 	_ABI_SYSCALL_RES_NAME_CHK(shmget)
 	_ABI_SYSCALL_RES_NAME_CHK(shmctl)
 
-	return arch->syscall_resolve_name_raw(name);
+	return __NR_SCMP_ERROR;
 }
 
 /**

From 4d2fc3d11e87eda9d48f201c119a63ecb01af93a Mon Sep 17 00:00:00 2001
From: Nikita Dubrovskii <nikita@linux.ibm.com>
Date: Tue, 19 May 2026 10:24:51 +0200
Subject: [PATCH 2/2] tests: adjust socket syscall tests for direct syscall
 resolution

After switching to direct syscall resolution, SCMP_SYS(accept) resolves to
the direct syscall number instead of the pseudo-syscall. This creates rules
for both socketcall and the direct syscall without argument restrictions.

Change expected result from KILL to ALLOW for accept/accept4 with arbitrary
arguments, since they now match the direct syscall rule.

Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
---
 tests/30-sim-socket_syscalls.tests    | 5 +++--
 tests/33-sim-socket_syscalls_be.tests | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/tests/30-sim-socket_syscalls.tests b/tests/30-sim-socket_syscalls.tests
index be499a58..8662c798 100644
--- a/tests/30-sim-socket_syscalls.tests
+++ b/tests/30-sim-socket_syscalls.tests
@@ -44,9 +44,10 @@ test type: bpf-sim
 30-sim-socket_syscalls	+sh				352		0		1		2	N	N	N	ALLOW
 # direct syscalls
 30-sim-socket_syscalls	+x86,+ppc64le,+mipsel,+sh	accept		5		N		N	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86,+ppc64le,+mipsel,+sh	accept		0		1		2	N	N	N	KILL
+30-sim-socket_syscalls	+x86				accept		0		1		2	N	N	N	KILL
+30-sim-socket_syscalls	+ppc64le,+mipsel,+sh		accept		0		1		2	N	N	N	ALLOW
 30-sim-socket_syscalls	+x86,+ppc64le,+mipsel,+sh	accept4		18		1		2	N	N	N	ALLOW
-30-sim-socket_syscalls	+x86,+ppc64le,+mipsel,+sh	accept4		0		1		2	N	N	N	KILL
+30-sim-socket_syscalls	+x86,+ppc64le,+mipsel,+sh	accept4		0		1		2	N	N	N	ALLOW
 30-sim-socket_syscalls	+x86_64				socket		0		1		2	N	N	N	ALLOW
 30-sim-socket_syscalls	+x86_64				connect		0		1		2	N	N	N	ALLOW
 30-sim-socket_syscalls	+x86_64				accept4		0		1		2	N	N	N	ALLOW
diff --git a/tests/33-sim-socket_syscalls_be.tests b/tests/33-sim-socket_syscalls_be.tests
index 11e25526..f5a10a4c 100644
--- a/tests/33-sim-socket_syscalls_be.tests
+++ b/tests/33-sim-socket_syscalls_be.tests
@@ -21,9 +21,10 @@ test type: bpf-sim
 33-sim-socket_syscalls_be	+s390,+s390x		373		0		1		2	N	N	N	ALLOW
 33-sim-socket_syscalls_be	+ppc			338		0		1		2	N	N	N	ALLOW
 33-sim-socket_syscalls_be	+s390,+s390x,+ppc	accept		5		N		N	N	N	N	ALLOW
-33-sim-socket_syscalls_be	+s390,+s390x,+ppc	accept		0		1		2	N	N	N	KILL
+33-sim-socket_syscalls_be	+s390,+s390x		accept		0		1		2	N	N	N	KILL
+33-sim-socket_syscalls_be	+ppc			accept		0		1		2	N	N	N	ALLOW
 33-sim-socket_syscalls_be	+s390,+s390x,+ppc	accept4		18		1		2	N	N	N	ALLOW
-33-sim-socket_syscalls_be	+s390,+s390x,+ppc	accept4		0		1		2	N	N	N	KILL
+33-sim-socket_syscalls_be	+s390,+s390x,+ppc	accept4		0		1		2	N	N	N	ALLOW
 
 test type: bpf-valgrind