Seccomp: improve support for newer versions of glibc (Bug#51073)

* lib-src/seccomp-filter.c (main): Allow 'pread64' and 'faccessat2' system calls. Newer versions of glibc use these system call (starting with commits 95c1056962a3f2297c94ce47f0eaf0c5b6563231 and 3d3ab573a5f3071992cbc4f57d50d1d29d55bde2, respectively).
author: Philipp Stephani <phst@google.com> 2022-01-22 17:11:37 +0100
committer: Philipp Stephani <phst@google.com> 2022-01-22 17:18:50 +0100
commit: 6d3608be88e1b30d2d10ee81f14dd485275c20ff (patch)
tree: dadeea204ad6dad93bbd7ac684fca784635361a2 /lib-src
parent: e58ecd01d51471e7e63d20ee059a5c26251220b7 (diff)
download: emacs-6d3608be88e1b30d2d10ee81f14dd485275c20ff.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c
index 552a9862391..d368cbb46c8 100644
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@@ -228,6 +228,7 @@ main (int argc, char **argv)
      capabilities, and operating on them shouldn't cause security
      issues.  */
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (read));
+  RULE (SCMP_ACT_ALLOW, SCMP_SYS (pread64));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (write));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (close));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (lseek));
@@ -239,6 +240,7 @@ main (int argc, char **argv)
      should be further restricted using mount namespaces.  */
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (access));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (faccessat));
+  RULE (SCMP_ACT_ALLOW, SCMP_SYS (faccessat2));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (stat));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (stat64));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (lstat));
author	Philipp Stephani <phst@google.com>	2022-01-22 17:11:37 +0100
committer	Philipp Stephani <phst@google.com>	2022-01-22 17:18:50 +0100
commit	6d3608be88e1b30d2d10ee81f14dd485275c20ff (patch)
tree	dadeea204ad6dad93bbd7ac684fca784635361a2 /lib-src
parent	e58ecd01d51471e7e63d20ee059a5c26251220b7 (diff)
download	emacs-6d3608be88e1b30d2d10ee81f14dd485275c20ff.tar.gz