Disable rseq properly instead of allowing it

otargowski · otargowski · commit 54be7754252c · 2023-04-02T23:45:08.000+02:00
diff --git a/src/seccomp/policy/DefaultPolicy.cc b/src/seccomp/policy/DefaultPolicy.cc
@@ -44,8 +44,7 @@ void DefaultPolicy::addExecutionControlRules(bool allowFork) {
              "clock_nanosleep",
              "open",
              "epoll_create1",
-             "openat",
-             "rseq"});
+             "openat"});
 
     rules_.emplace_back(SeccompRule(
             "set_thread_area", action::ActionTrace([](auto& /* tracee */) {
@@ -87,6 +86,10 @@ void DefaultPolicy::addExecutionControlRules(bool allowFork) {
         rules_.emplace_back(SeccompRule(syscall, action::ActionTrace()));
     }
 
+    for (const auto& syscall: {"rseq"}) {
+        rules_.emplace_back(SeccompRule(syscall, action::ActionErrno(ENOSYS)));
+    }
+
     if (allowFork) {
         allowSyscalls({"fork"});
     }
