diff options
Diffstat (limited to 'lib-src/seccomp-filter.c')
| -rw-r--r-- | lib-src/seccomp-filter.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c index 8f8a990661c..31d0809f8f0 100644 --- a/lib-src/seccomp-filter.c +++ b/lib-src/seccomp-filter.c @@ -60,6 +60,10 @@ variants of those files that can be used to sandbox Emacs before #include "verify.h" +#ifndef ARCH_CET_STATUS +#define ARCH_CET_STATUS 0x3001 +#endif + static ATTRIBUTE_FORMAT_PRINTF (2, 3) _Noreturn void fail (int error, const char *format, ...) { @@ -345,6 +349,8 @@ main (int argc, char **argv) RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_tid_address)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (arch_prctl), SCMP_A0_32 (SCMP_CMP_EQ, ARCH_SET_FS)); + RULE (SCMP_ACT_ERRNO (EINVAL), SCMP_SYS (arch_prctl), + SCMP_A0_32 (SCMP_CMP_EQ, ARCH_CET_STATUS)); RULE (SCMP_ACT_ALLOW, SCMP_SYS (statfs)); /* We want to allow starting the Emacs binary itself with the |