1
0
mirror of https://git.savannah.gnu.org/git/emacs.git synced 2024-11-27 07:37:33 +00:00

Fix Seccomp filter for newer GNU/Linux systems (Bug#51073).

On some systems, process startup calls prctl(PR_CAPBSET_READ) via
'cap_get_bound'.  We can just return EINVAL.

* lib-src/seccomp-filter.c (main): Add a rule for
prctl(PR_CAPBSET_READ, ...).
This commit is contained in:
Philipp Stephani 2021-10-09 19:39:31 +02:00
parent 75d9fbec88
commit b497add971

View File

@ -351,6 +351,8 @@ main (int argc, char **argv)
calls at startup time to set up thread-local storage. */
RULE (SCMP_ACT_ALLOW, SCMP_SYS (execve));
RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address));
RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (prctl),
SCMP_A0_32 (SCMP_CMP_EQ, PR_CAPBSET_READ));
RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl),
SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS));
RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl),