Skip to content

Commit

Permalink
seccomp: move arch_prctl to @default
Browse files Browse the repository at this point in the history
It was reported as used by the linker:

> [It is] called in the setup of ld-linux-x86-64.so.2 from _dl_sysdep_start.
> My local call stack (with LTO):
>
> #0 init_cpu_features.constprop.0 (/usr/lib64/ld-linux-x86-64.so.2)
> #1 _dl_sysdep_start (/usr/lib64/ld-linux-x86-64.so.2)
> #2 _dl_start (/usr/lib64/ld-linux-x86-64.so.2)
> #3 _start (/usr/lib64/ld-linux-x86-64.so.2)
>
> Looking through the source, I think it's this (links for glibc 2.34):
> - First dl_platform_init calls _dl_x86_init_cpu_features, a wrapper for init_cpu_features.
> - Then init_cpu_features calls get_cet_status.
> - At last, get_cet_status invokes arch_prctl.

Fixes #22033.
  • Loading branch information
keszybz committed Jan 7, 2022
1 parent 921e1ba commit 5f02870
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/shared/seccomp-util.c
Original file line number Diff line number Diff line change
Expand Up @@ -286,6 +286,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.name = "@default",
.help = "System calls that are always permitted",
.value =
"arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */
"brk\0"
"cacheflush\0"
"clock_getres\0"
Expand Down Expand Up @@ -715,7 +716,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
.name = "@process",
.help = "Process control, execution, namespacing operations",
.value =
"arch_prctl\0"
"capget\0" /* Able to query arbitrary processes */
"clone\0"
"clone3\0"
Expand Down

0 comments on commit 5f02870

Please sign in to comment.