Add a seccomp rule for the rseq syscall

otargowski · otargowski · commit 717181eaf8f6 · 2023-04-09T13:08:58.000+02:00
Executables built with a recent glibc will always try this syscall on
startup. ENOSYS will inform them that it is unavailable.
diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
@@ -86,6 +86,10 @@ void DefaultPolicy::addExecutionControlRules(bool allowFork) {
         rules_.emplace_back(SeccompRule(syscall, action::ActionTrace()));
     }
 
+    for (const auto& syscall: {"rseq"}) {
+        rules_.emplace_back(SeccompRule(syscall, action::ActionErrno(ENOSYS)));
+    }
+
     if (allowFork) {
         allowSyscalls({"fork"});
     }

Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,10 @@ void DefaultPolicy::addExecutionControlRules(bool allowFork) {`
`86`	`86`	`rules_.emplace_back(SeccompRule(syscall, action::ActionTrace()));`
`87`	`87`	`}`
`88`	`88`
	`89`	`+ for (const auto& syscall: {"rseq"}) {`
	`90`	`+ rules_.emplace_back(SeccompRule(syscall, action::ActionErrno(ENOSYS)));`
	`91`	`+ }`
	`92`	`+`
`89`	`93`	`if (allowFork) {`
`90`	`94`	`allowSyscalls({"fork"});`
`91`	`95`	`}`