From 93ab972ddc5ff423f3042c254eff39a5c90d42bf Mon Sep 17 00:00:00 2001 From: Christian Helmuth Date: Thu, 2 Jul 2020 09:03:33 +0200 Subject: [PATCH] tool/seccomp: allow sigreturn on x86 Fixes #3799 --- .../seccomp/spec/x86_32/seccomp_bpf_policy.bin | Bin 336 -> 344 bytes .../seccomp/spec/x86_64/seccomp_bpf_policy.bin | Bin 352 -> 360 bytes tool/seccomp/.gitignore | 3 +++ tool/seccomp/Makefile | 4 +++- tool/seccomp/seccomp_bpf_compiler.h | 10 ++++++++-- 5 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 tool/seccomp/.gitignore diff --git a/repos/base-linux/src/lib/seccomp/spec/x86_32/seccomp_bpf_policy.bin b/repos/base-linux/src/lib/seccomp/spec/x86_32/seccomp_bpf_policy.bin index 38a12d4e00db95a3dd042e55a7eeba47d34a9450..7f70cd945ec437fd0af58486555282b0bc45d292 100644 GIT binary patch delta 101 zcmcb>bb~2Yfq{X6g@J)Vlz~BmnSsFp#Ag8WRT&t;vUfq{X6g@J)Vlz~B=nSsFp#Ag8WRTvn-v@%p)iGdBwS7Zfq{X6g@J)Vlz~CZj)CC-h|j>lz+lS2z{tSB;2_Gtp#J~=|No*4s$c<8 o1{DTouzF<%Rxqu^zz(Jr892eT0s}XgmS^Av({c>_8)KOn0RmzRX8-^I delta 102 zcmaFC^nfW=fq{X6g@J)Vlz~Chj)CC-h|j>lz+lS2z{tSB;2_Gtp!Wa&|No*4DqsOo k24x0juzDp1Rxqu|zz(Jr7&yVSJOekFmSf=En99ru0IQ4(8~^|S diff --git a/tool/seccomp/.gitignore b/tool/seccomp/.gitignore new file mode 100644 index 000000000..b9659241a --- /dev/null +++ b/tool/seccomp/.gitignore @@ -0,0 +1,3 @@ +/seccomp_bpf_policy_arm.bin +/seccomp_bpf_policy_x86_32.bin +/seccomp_bpf_policy_x86_64.bin diff --git a/tool/seccomp/Makefile b/tool/seccomp/Makefile index f996bc236..15f213cb2 100644 --- a/tool/seccomp/Makefile +++ b/tool/seccomp/Makefile 
@@ -5,9 +5,11 @@ seccomp_bpf_filters: seccomp_bpf_policy_x86_32.bin seccomp_bpf_policy_x86_64.bin seccomp_bpf_policy_%.bin: seccomp_bpf_compiler_%.prg ./$< > $@ -seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc +seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc seccomp_bpf_compiler.h @g++ $< -o $@ -lseccomp clean: @rm seccomp_bpf_policy_*.bin 2> /dev/null; true @rm seccomp_bpf_compiler_*.prg 2> /dev/null; true + +.PHONY: seccomp_bpf_filters diff --git a/tool/seccomp/seccomp_bpf_compiler.h b/tool/seccomp/seccomp_bpf_compiler.h index c666547c1..0f9e06c39 100644 --- a/tool/seccomp/seccomp_bpf_compiler.h +++ b/tool/seccomp/seccomp_bpf_compiler.h @@ -140,6 +140,9 @@ class Filter /* The nmap syscall has a different name on different architectures * but it slould be save as it only uses an already open socket. */ _add_allow_rule(SCMP_SYS(mmap2)); + + /* returning from signal handlers is safe */ + _add_allow_rule(SCMP_SYS(sigreturn)); } break; case SCMP_ARCH_X86_64: @@ -158,6 +161,9 @@ class Filter /* The nmap syscall has a different name on different architectures * but it slould be save as it only uses an already open socket. */ _add_allow_rule(SCMP_SYS(mmap)); + + /* returning from signal handlers is safe */ + _add_allow_rule(SCMP_SYS(rt_sigreturn)); } break; case SCMP_ARCH_ARM: @@ -180,7 +186,7 @@ class Filter /* This syscall is only used on ARM. */ _add_allow_rule(SCMP_SYS(cacheflush)); - /* This syscall is only used on ARM. */ + /* returning from signal handlers is safe */ _add_allow_rule(SCMP_SYS(sigreturn)); } break; @@ -189,7 +195,7 @@ class Filter throw -104; } - // build and export + /* build and export */ seccomp_export_bpf(_ctx, 1); return 0;
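Review bot: The `.PHONY` line added at the end of this hunk names only `seccomp_bpf_filters`, but `clean` is also a non-file target and would be skipped if a file called `clean` ever appeared in tool/seccomp; `.PHONY: seccomp_bpf_filters clean` covers both. Separately, the regenerated policy blobs are committed as binaries while the compiler links against the host's `-lseccomp`, so the committed bytes may depend on the library version installed where they were built. A comment above the `seccomp_bpf_policy_%.bin` rule recording the libseccomp version used for the committed blobs, or a check that regenerates and compares them, would let a reviewer verify that the binaries match the header change.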
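Review bot: In the SCMP_ARCH_X86 case only `sigreturn` is allowed, but 32-bit x86 also has `rt_sigreturn`, the return path for handlers installed with SA_SIGINFO; if the runtime's signal restorer issues that call, returning from a handler would still be rejected by the filter. Which call base-linux uses is not visible in this hunk (the enclosing switch starts and ends outside it), so confirm against the signal setup code and, if both can occur, add `_add_allow_rule(SCMP_SYS(rt_sigreturn));` beside it. The same question applies to the ARM case, whose comment a later hunk rewrites. The comment `returning from signal handlers is safe` (also added in the x86_64 hunk and substituted in the ARM hunk) overstates the case, because the call restores the whole register context from a frame on the user stack. A more accurate justification is `/* required to return from signal handlers; restores user context only, later syscalls remain subject to this filter */`.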