procyberian/emacs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix Seccomp filter for newer GNU/Linux systems (Bug#51073).

Browse source 
On some systems, process startup calls prctl(PR_CAPBSET_READ) via
'cap_get_bound'.  We can just return EINVAL.

* lib-src/seccomp-filter.c (main): Add a rule for
prctl(PR_CAPBSET_READ, ...).
This commit is contained in:
Philipp Stephani 2021-10-09 19:39:31 +02:00
parent 75d9fbec88
commit b497add971
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib-src/seccomp-filter.c
View file

@ -351,6 +351,8 @@ main (int argc, char **argv)
calls at startup time to set up thread-local storage. */ calls at startup time to set up thread-local storage. */
RULE (SCMP_ACT_ALLOW, SCMP_SYS (execve)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (execve));
RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address));
RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (prctl),
SCMP_A0_32 (SCMP_CMP_EQ, PR_CAPBSET_READ));
RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl), RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl),
SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS)); SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS));
RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl), RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl),