From: Philipp Stephani Date: Sat, 22 Jan 2022 16:11:37 +0000 (+0100) Subject: Seccomp: improve support for newer versions of glibc (Bug#51073) X-Git-Tag: emacs-28.0.92~87 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=6d3608be88e1b30d2d10ee81f14dd485275c20ff;p=emacs.git Seccomp: improve support for newer versions of glibc (Bug#51073) * lib-src/seccomp-filter.c (main): Allow 'pread64' and 'faccessat2' system calls. Newer versions of glibc use these system calls (starting with commits 95c1056962a3f2297c94ce47f0eaf0c5b6563231 and 3d3ab573a5f3071992cbc4f57d50d1d29d55bde2, respectively). --- diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c index 552a9862391..d368cbb46c8 100644 --- a/lib-src/seccomp-filter.c +++ b/lib-src/seccomp-filter.c @@ -228,6 +228,7 @@ main (int argc, char **argv) capabilities, and operating on them shouldn't cause security issues. */ RULE (SCMP_ACT_ALLOW, SCMP_SYS (read)); + RULE (SCMP_ACT_ALLOW, SCMP_SYS (pread64)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (write)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (close)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (lseek)); @@ -239,6 +240,7 @@ main (int argc, char **argv) should be further restricted using mount namespaces. */ RULE (SCMP_ACT_ALLOW, SCMP_SYS (access)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (faccessat)); + RULE (SCMP_ACT_ALLOW, SCMP_SYS (faccessat2)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (stat)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (stat64)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (lstat));
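Review bot: In the first hunk (@@ -228,6 +228,7 @@), the new `RULE (SCMP_ACT_ALLOW, SCMP_SYS (pread64));` line has no in-code record of why it is on the allowlist; the reason (newer glibc calls it, per the glibc commit cited in the commit message) lives only in the log. Since this file is a security allowlist that will be audited rule by rule, a short comment next to the rule naming glibc as the caller would help a later reader tell a deliberate entry from an accidental one. The placement directly after `read` is good, and it fits the existing comment that operations on already-open file descriptors are safe because the rule grants positional reads only on descriptors the process already holds.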
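Review bot: In the second hunk (@@ -239,6 +240,7 @@), `SCMP_SYS (faccessat2)` is used unconditionally, and `faccessat2` is a much newer system call than its neighbours `access` and `faccessat`. Please confirm that the oldest libseccomp and kernel headers this file is expected to build against define it; if not, the rule needs a configure check or an `#ifdef` guard so the filter generator still compiles there. On the policy side the addition is consistent with the comment above it: `faccessat2` exposes the same path-existence probing as `faccessat`, so the note that these calls "should be further restricted using mount namespaces" applies to it equally, and it may be worth a brief comment saying this entry is here for newer glibc.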