Fix seccomp-filter for newer Linux kernels

* lib-src/seccomp-filter.c (MAP_DROPPABLE): Define if undefined.
(main): Use MAP_DROPPABLE flag.  Allow `tcgetattr' call of glibc
on physical terminal devices.  (Bug#77232)

lib-src/seccomp-filter.c

@@ -42,6 +42,7 @@ variants of those files that can be used to sandbox Emacs before
 #include <stdlib.h>
 #include <stdint.h>
 #include <stdio.h>
+#include <asm/termbits.h>  /* mandatory accordingly to latest ioctl_tty(2) */
 #include <time.h>
 
 #include <asm/prctl.h>
@@ -64,6 +65,11 @@ variants of those files that can be used to sandbox Emacs before
 #define ARCH_CET_STATUS 0x3001
 #endif
 
+/* https://github.com/torvalds/linux/commit/9651fcedf7b92d3f7f1ab179e8ab55b85ee10fc1 */
+#ifndef MAP_DROPPABLE
+#define MAP_DROPPABLE 0x08
+#endif
+
 static ATTRIBUTE_FORMAT_PRINTF (2, 3) _Noreturn void
 fail (int error, const char *format, ...)
 {
@@ -187,7 +193,7 @@ main (int argc, char **argv)
            some versions of the dynamic loader still use it.  Also
            allow allocating thread stacks.  */
         SCMP_A3_32 (SCMP_CMP_MASKED_EQ,
-                    ~(MAP_SHARED | MAP_PRIVATE | MAP_FILE
+                    ~(MAP_SHARED | MAP_PRIVATE | MAP_FILE | MAP_DROPPABLE
                       | MAP_ANONYMOUS | MAP_FIXED | MAP_DENYWRITE
                       | MAP_STACK | MAP_NORESERVE),
                     0));
@@ -274,6 +280,11 @@ main (int argc, char **argv)
         SCMP_A0_32 (SCMP_CMP_EQ, STDIN_FILENO),
         SCMP_A1_32 (SCMP_CMP_EQ, TIOCGPGRP));
 
+  /* Allow `tcgetattr' call of glibc on physical terminal devices. */
+  RULE (SCMP_ACT_ALLOW, SCMP_SYS (ioctl),
+        SCMP_A0_32 (SCMP_CMP_EQ, STDERR_FILENO),
+        SCMP_A1_32 (SCMP_CMP_EQ, TCGETS));
+
   /* Allow reading (but not setting) file flags.  */
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (fcntl),
         SCMP_A1_32 (SCMP_CMP_EQ, F_GETFL));