From b497add9719dac16696f64d5a551d2b813f0c825 Mon Sep 17 00:00:00 2001
From: Philipp Stephani
Date: Sat, 9 Oct 2021 19:39:31 +0200
Subject: [PATCH] Fix Seccomp filter for newer GNU/Linux systems (Bug#51073).

On some systems, process startup calls prctl(PR_CAPBSET_READ) via 'cap_get_bound'. We can just return EINVAL.

* lib-src/seccomp-filter.c (main): Add a rule for prctl(PR_CAPBSET_READ, ...).
---
 lib-src/seccomp-filter.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c
index d378e0b0278..e7496053a86 100644
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@@ -351,6 +351,8 @@ main (int argc, char **argv)
 calls at startup time to set up thread-local storage. */
 RULE (SCMP_ACT_ALLOW, SCMP_SYS (execve));
 RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address));
+ RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (prctl),
+ SCMP_A0_32 (SCMP_CMP_EQ, PR_CAPBSET_READ));
 RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl),
 SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS));
 RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl),
-- 
2.39.5