Seccomp filter: deal with arch_prctl(ARCH_CET_STATUS, ...).

The dynamic loader of GNU libc 2.28 uses this system call to initialize CPU information, see https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/x86/cpu-features.c;hb=glibc-2.28#l28. Simulating an older kernel by returning EINVAL should be the most harmless rule here. The ARCH_CET_STATUS symbol isn't yet exposed by the kernel headers; see the FIXME at the top of https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/x86/include/asm/prctl.h;hb=glibc-2.28. * lib-src/seccomp-filter.c (ARCH_CET_STATUS): Define if not already present. Inline the value because there doesn't seem to be a header file exporting this constant yet. (main): Make ARCH_CET_STATUS subfunction of arch_prctl return EINVAL.
2024-11-26 07:33:47 +00:00 · 2021-04-19 21:10:20 +02:00 · 2021-04-19 21:10:20 +02:00 · 27af0a3dc8
commit 27af0a3dc8
parent ab287a148f
1 changed files with 6 additions and 0 deletions
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@ -60,6 +60,10 @@ variants of those files that can be used to sandbox Emacs before

 #include "verify.h"

+#ifndef ARCH_CET_STATUS
+#define ARCH_CET_STATUS 0x3001
+#endif
+
 static ATTRIBUTE_FORMAT_PRINTF (2, 3) _Noreturn void
 fail (int error, const char *format, ...)
 {
@ -345,6 +349,8 @@ main (int argc, char **argv)
  RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address));
  RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl),
        SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS));
+  RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl),
+        SCMP_A0_32 (SCMP_CMP_EQ, ARCH_CET_STATUS));
  RULE (SCMP_ACT_ALLOW, SCMP_SYS (statfs));

  /* We want to allow starting the Emacs binary itself with the