From: Philipp Stephani
Subject: emacs-28 b497add: Fix Seccomp filter for newer GNU/Linux systems (Bug#51073).
Date: Sat, 9 Oct 2021 13:42:32 -0400 (EDT)
branch: emacs-28
commit b497add9719dac16696f64d5a551d2b813f0c825
Author: Philipp Stephani <phst@google.com>
Commit: Philipp Stephani <phst@google.com>
Fix Seccomp filter for newer GNU/Linux systems (Bug#51073).
On some systems, process startup calls prctl(PR_CAPBSET_READ) via
'cap_get_bound'. We can just return EINVAL.
* lib-src/seccomp-filter.c (main): Add a rule for
prctl(PR_CAPBSET_READ, ...).
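The rule this commit message describes, as an added example that is not Emacs' lib-src/seccomp-filter.c and not Philipp Stephani's code: the same "prctl(PR_CAPBSET_READ, ...) returns EINVAL" rule written as raw classic BPF so it needs only kernel headers and no libseccomp, plus a small user-space interpreter for the three opcodes the filter uses, so the classification can be checked without loading the filter. Everything else about it is this example's own choice and not taken from the page: it allows every syscall it does not match (a real sandbox filter, Emacs' included, denies by default; the permissive default here only keeps the example harmless to run), it adds an ABI check the hunk does not show, it covers x86-64 and aarch64 only, and the names classify, classify_call and install_filter are made up for the example.

```c
/* Added example (not Emacs' lib-src/seccomp-filter.c): the commit's rule
     RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (prctl),
           SCMP_A0_32 (SCMP_CMP_EQ, PR_CAPBSET_READ));
   as raw classic BPF.  Build on Linux:  cc -Wall -o prctl_filter prctl_filter.c */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
# define EXPECTED_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define EXPECTED_ARCH AUDIT_ARCH_AARCH64
#else
# error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS /* headers older than Linux 4.14 */
# define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Offsets into struct seccomp_data.  The 32-bit load at args[0] reads the
   low word on little-endian targets, which is also what SCMP_A0_32 compares. */
#define SD_NR   offsetof(struct seccomp_data, nr)
#define SD_ARCH offsetof(struct seccomp_data, arch)
#define SD_A0   offsetof(struct seccomp_data, args)

static struct sock_filter filter[] = {
    /* 0-2: kill if the syscall comes in through a foreign ABI. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARCH),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXPECTED_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-4: anything but prctl(2) jumps to the final ALLOW. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_prctl, 0, 3),
    /* 5-7: prctl(PR_CAPBSET_READ, ...) fails with EINVAL, as in the commit. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_A0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PR_CAPBSET_READ, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EINVAL),
    /* 8: example-only default; a real sandbox filter denies here. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* User-space interpreter for the three opcodes used above, so the result
   can be checked without loading the filter.  Anything unexpected fails closed. */
static uint32_t classify(const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *in = &filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *sd)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const char *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += acc == in->k ? in->jt : in->jf; /* relative to next insn */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Classify one constructed syscall: ABI, syscall number, first argument. */
static uint32_t classify_call(uint32_t arch, int nr, uint64_t a0)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch, .args = { a0 } };
    return classify(&sd);
}

/* Load the filter into this process; returns 0 or -errno. */
static int install_filter(void)
{
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    /* The probe cap_get_bound makes: is capability 0 (CAP_CHOWN) in the bounding set? */
    int before = prctl(PR_CAPBSET_READ, 0, 0, 0, 0);
    int rc = install_filter();
    if (rc != 0) {
        fprintf(stderr, "cannot install filter: %s\n", strerror(-rc));
        return 1;
    }
    errno = 0;
    int after = prctl(PR_CAPBSET_READ, 0, 0, 0, 0);
    printf("PR_CAPBSET_READ before: %d, after: %d (errno %d, EINVAL is %d)\n",
           before, after, errno, EINVAL);
    return 0;
}
```

Run as an ordinary user on Linux: before the filter is loaded the probe returns 0 or 1 (whether CAP_CHOWN is in the bounding set); after it, the same call returns -1 with errno set to EINVAL, which is exactly what libcap's cap_get_bound sees and treats as a plain failure, while every other prctl option, PR_SET_NO_NEW_PRIVS included, still passes. The interpreter also makes the SCMP_A0_32 caveat visible: only the low 32 bits of the first argument are compared, so a value with junk in the high word still matches. The interpreter is the part that is checked below; loading the filter depends on the kernel and sandbox you run in.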
---
lib-src/seccomp-filter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c
index d378e0b..e749605 100644
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@@ -351,6 +351,8 @@ main (int argc, char **argv)
calls at startup time to set up thread-local storage. */
RULE (SCMP_ACT_ALLOW, SCMP_SYS (execve));
RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address));
+ RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (prctl),
+ SCMP_A0_32 (SCMP_CMP_EQ, PR_CAPBSET_READ));
RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl),
SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS));
RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl),
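Review bot: the two added lines `RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (prctl), SCMP_A0_32 (SCMP_CMP_EQ, PR_CAPBSET_READ));` are the only rule in this hunk with no comment saying why it exists, while the neighbouring set_tid_address/arch_prctl rules are introduced by "... calls at startup time to set up thread-local storage." The reasoning lives only in the commit message (cap_get_bound calling prctl(PR_CAPBSET_READ) during process startup, and EINVAL being an acceptable answer); please put a one- or two-line comment above the rule so the next reader of seccomp-filter.c does not have to consult git log. Two things to confirm while here: that the translation unit already includes the header that defines PR_CAPBSET_READ (sys/prctl.h or linux/prctl.h), since the hunk adds no include; and that returning EINVAL rather than SCMP_ACT_ALLOW is deliberate, because the rule matches only when the low 32 bits of argument 0 equal PR_CAPBSET_READ, so every other prctl option still falls through to whatever the filter's default action is, which is not visible in this hunk.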