mirror of
https://git.savannah.gnu.org/git/emacs.git
synced 2024-11-27 07:37:33 +00:00
Fix Seccomp filter for newer GNU/Linux systems (Bug#51073).
On some systems, process startup calls prctl(PR_CAPBSET_READ) via 'cap_get_bound'. We can just return EINVAL. * lib-src/seccomp-filter.c (main): Add a rule for prctl(PR_CAPBSET_READ, ...).
This commit is contained in:
parent
75d9fbec88
commit
b497add971
@ -351,6 +351,8 @@ main (int argc, char **argv)
|
||||
calls at startup time to set up thread-local storage. */
|
||||
RULE (SCMP_ACT_ALLOW, SCMP_SYS (execve));
|
||||
RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address));
|
||||
RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (prctl),
|
||||
SCMP_A0_32 (SCMP_CMP_EQ, PR_CAPBSET_READ));
|
||||
RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl),
|
||||
SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS));
|
||||
RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl),
|
||||
|
Loading…
Reference in New Issue
Block a user