Seccomp filter: deal with arch_prctl(ARCH_CET_STATUS, ...).

The dynamic loader of GNU libc 2.28 uses this system call to
initialize CPU information, see
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/x86/cpu-features.c;hb=glibc-2.28#l28.
Simulating an older kernel by returning EINVAL should be the most
harmless rule here.

The ARCH_CET_STATUS symbol isn't yet exposed by the kernel headers;
see the FIXME at the top of
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/x86/include/asm/prctl.h;hb=glibc-2.28.

* lib-src/seccomp-filter.c (ARCH_CET_STATUS): Define if not
already present.  Inline the value because there doesn't seem to
be a header file exporting this constant yet.
(main): Make ARCH_CET_STATUS subfunction of arch_prctl return EINVAL.

diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c
index 8f8a990661cb01b1311f2b2ecc17e39e0c2c0b39..31d0809f8f079a6ea3d93488486e9d16cf012bb0 100644 (file)
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@@ -60,6 +60,10 @@ variants of those files that can be used to sandbox Emacs before
 
 #include "verify.h"
 
+#ifndef ARCH_CET_STATUS
+#define ARCH_CET_STATUS 0x3001
+#endif
+
 static ATTRIBUTE_FORMAT_PRINTF (2, 3) _Noreturn void
 fail (int error, const char *format, ...)
 {
@@ -345,6 +349,8 @@ main (int argc, char **argv)
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl),
         SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS));
+  RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl),
+        SCMP_A0_32 (SCMP_CMP_EQ, ARCH_CET_STATUS));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (statfs));
 
   /* We want to allow starting the Emacs binary itself with the