From b1eea6d4fef3f2ebda5b9fbb466df3af99324a24 Mon Sep 17 00:00:00 2001
From: dongresource <dongresource@protonmail.com>
Date: Tue, 15 Nov 2022 02:30:20 +0100
Subject: [PATCH] [seccomp] Whitelist rseq syscall

Used by glibc 2.35 and later.
---
 src/sandbox/seccomp.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/sandbox/seccomp.cpp b/src/sandbox/seccomp.cpp
index 80f13ba..6d930fd 100644
--- a/src/sandbox/seccomp.cpp
+++ b/src/sandbox/seccomp.cpp
@@ -195,6 +195,9 @@ static sock_filter filter[] = {
     ALLOW_SYSCALL(exit_group),
     ALLOW_SYSCALL(rt_sigprocmask), // musl-libc
     ALLOW_SYSCALL(clock_nanosleep), // gets called very rarely
+#ifdef __NR_rseq
+    ALLOW_SYSCALL(rseq),
+#endif
 
     // to crash properly on SIGSEGV
     DENY_SYSCALL_ERRNO(tgkill, EPERM),