authorPhilipp Stephani <phst@google.com>2021-10-09 19:39:31 +0200
committerPhilipp Stephani <phst@google.com>2021-10-09 19:39:31 +0200
commitb497add9719dac16696f64d5a551d2b813f0c825 (patch)
tree2f1318216462ae7b660ed12b802320fbeecf1c37 /lib-src
parent75d9fbec8853c2040bbb0d5a447894cca86b9df9 (diff)
downloademacs-b497add9719dac16696f64d5a551d2b813f0c825.tar.gz
Fix Seccomp filter for newer GNU/Linux systems (Bug#51073).
On some systems, process startup calls prctl(PR_CAPBSET_READ) via 'cap_get_bound'. We can just return EINVAL. * lib-src/seccomp-filter.c (main): Add a rule for prctl(PR_CAPBSET_READ, ...).
Diffstat (limited to 'lib-src')
-rw-r--r--lib-src/seccomp-filter.c2
1 files changed, 2 insertions, 0 deletions
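diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c
index d378e0b0278..e7496053a86 100644
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@@ -351,6 +351,8 @@ main (int argc, char **argv)
 calls at startup time to set up thread-local storage. */
 RULE (SCMP_ACT_ALLOW, SCMP_SYS (execve));
 RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address));
+ RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (prctl),
+ SCMP_A0_32 (SCMP_CMP_EQ, PR_CAPBSET_READ));
 RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl),
 SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS));
 RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl),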
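Review bot: The new prctl rule on the two `+` lines carries no comment of its own, so it reads as part of the thread-local-storage note that ends on the first context line, and the reasoning from the commit message (why EINVAL rather than ALLOW) is lost to the next reader of the filter. I would put a comment directly above it: `/* cap_get_bound probes prctl (PR_CAPBSET_READ) during startup on some systems (Bug#51073). EINVAL is what the kernel reports for a capability it does not know, so the caller treats it as absent; any other prctl option still falls through to the filter's default action. */`. The rule itself is appropriately narrow because it matches only arg0 == PR_CAPBSET_READ, and the filter's default action for the remaining prctl options is not visible in this hunk, so that last clause should be confirmed against the top of main. The include that provides PR_CAPBSET_READ is also outside the hunk; presumably <sys/prctl.h> is already pulled in for the existing arch_prctl rules, but that is worth checking. main's body begins and continues outside this hunk.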