From e41b0f42a88cbc5733f994cd3de408f33d9ada89 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 13 Sep 2017 19:27:51 +0200
Subject: [PATCH] seccomp: update "@default" seccomp group a bit
Let's add more of the most basic operations to "@default" as absolute baseline needed by glibc and such to operate. Specifically: futex, get_robust_list, get_thread_area, membarrier, set_robust_list, set_thread_area, set_tid_address are all required to properly implement mutexes and other thread synchronization logic. Given that a ton of datastructures are protected by mutexes (such as stdio and such), let's just whitelist this by default, so that things can just work. restart_syscall is used to implement EAGAIN SA_RESTART stuff in some archs, and synthesized by the kernel without any explicit user logic, hence let's make this work out of the box.
---
 src/shared/seccomp-util.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 643dde6..88e21f6 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -278,11 +278,19 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "execve\0"
 "exit\0"
 "exit_group\0"
+ "futex\0"
+ "get_robust_list\0"
+ "get_thread_area\0"
 "getrlimit\0" /* make sure processes can query stack size and such */
 "gettimeofday\0"
+ "membarrier\0"
 "nanosleep\0"
 "pause\0"
+ "restart_syscall\0"
 "rt_sigreturn\0"
+ "set_robust_list\0"
+ "set_thread_area\0"
+ "set_tid_address\0"
 "sigreturn\0"
 "time\0"
 },
-- 
2.7.4
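Review bot: `get_robust_list` is the one added entry the stated rationale does not clearly cover: the commit message lists it among the calls needed for mutexes, but as far as I know glibc's thread setup only calls `set_robust_list`, while `get_robust_list` takes a pid and returns another thread's robust-list head, which is a debugging and checkpoint facility rather than a baseline need. Since this group is presumably applied to every service that uses an allow-list filter, I would drop that line unless a concrete caller is known, keeping the baseline as narrow as the rationale. The other new entries would benefit from the kind of trailing comment `getrlimit` already carries, for example `"restart_syscall\0" /* synthesized by the kernel for SA_RESTART, never called explicitly */` and `"futex\0" /* needed by glibc mutexes, e.g. stdio locking */`, so the reason for each entry survives outside the commit message. The `syscall_filter_sets` initializer starts and ends outside this hunk, so the group's name and help text are not visible here.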