master 27af0a3: Seccomp filter: deal with arch_prctl(ARCH_CET_STATUS, ...).

[Philipp Stephani]

branch: master
commit 27af0a3dc8b6b45879904bbc5d54b0677f84a5ff
Author: Philipp Stephani <phst@google.com>
Commit: Philipp Stephani <phst@google.com>

    Seccomp filter: deal with arch_prctl(ARCH_CET_STATUS, ...).
    
    The dynamic loader of GNU libc 2.28 uses this system call to
    initialize CPU information, see
    
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/x86/cpu-features.c;hb=glibc-2.28#l28.
    Simulating an older kernel by returning EINVAL should be the most
    harmless rule here.
    
    The ARCH_CET_STATUS symbol isn't yet exposed by the kernel headers;
    see the FIXME at the top of
    
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/x86/include/asm/prctl.h;hb=glibc-2.28.
    
    * lib-src/seccomp-filter.c (ARCH_CET_STATUS): Define if not
    already present.  Inline the value because there doesn't seem to
    be a header file exporting this constant yet.
    (main): Make ARCH_CET_STATUS subfunction of arch_prctl return EINVAL.
---
 lib-src/seccomp-filter.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c
index 8f8a990..31d0809 100644
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@@ -60,6 +60,10 @@ variants of those files that can be used to sandbox Emacs 
before
 
 #include "verify.h"
 
+#ifndef ARCH_CET_STATUS
+#define ARCH_CET_STATUS 0x3001
+#endif
+
 static ATTRIBUTE_FORMAT_PRINTF (2, 3) _Noreturn void
 fail (int error, const char *format, ...)
 {
@@ -345,6 +349,8 @@ main (int argc, char **argv)
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl),
         SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS));
+  RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl),
+        SCMP_A0_32 (SCMP_CMP_EQ, ARCH_CET_STATUS));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (statfs));
 
   /* We want to allow starting the Emacs binary itself with the