Fix Seccomp filter for newer GNU/Linux systems (Bug#51073).

On some systems, process startup calls prctl(PR_CAPBSET_READ) via
'cap_get_bound'.  We can just return EINVAL.

* lib-src/seccomp-filter.c (main): Add a rule for
prctl(PR_CAPBSET_READ, ...).

diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c
index d378e0b0278969caa496a952088636384feaad96..e7496053a86bec43f3f06dd162b568e1f24b35fc 100644 (file)
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@@ -351,6 +351,8 @@ main (int argc, char **argv)
      calls at startup time to set up thread-local storage.  */
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (execve));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address));
+  RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (prctl),
+       SCMP_A0_32 (SCMP_CMP_EQ, PR_CAPBSET_READ));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl),
         SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS));
   RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl),