commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d Author: Michael Hudson-Doyle Date: Wed Feb 9 09:06:13 2022 +0100 sys_linux: allow rseq in seccomp filter Libc 2.35 will use rseq syscalls [1][2] by default and thereby break chrony in seccomp isolation. [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/ [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html Tested-by: Christian Ehrhardt Reviewed-by: Christian Ehrhardt Signed-off-by: Michael Hudson-Doyle Signed-off-by: Christian Ehrhardt diff --git a/sys_linux.c b/sys_linux.c index 9cab2efa..cc3c9311 100644 --- a/sys_linux.c +++ b/sys_linux.c @@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) SCMP_SYS(getrlimit), SCMP_SYS(getuid), SCMP_SYS(getuid32), +#ifdef __NR_rseq + SCMP_SYS(rseq), +#endif SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),