seccomp filter should allow 'clone3' syscall for glibc 2.34
Hi,
As usual, with new glibc releases, it looks like we need to adapt various seccomp filter lists again.
In this case, we need clone3 (note that ntpsec already allows 'clone').
strace output:
$ sudo strace ntpd -n
.[..]
sendto(3, "<30>Nov 14 08:43:28 ntpd[2041115"..., 95, MSG_NOSIGNAL, NULL, 0) = 95
getpid() = 2041115
write(1, "2021-11-14T08:43:28 ntpd[2041115"..., 962021-11-14T08:43:28 ntpd[2041115]: DNS: dns_probe: 0.gentoo.pool.ntp.org, cast_flags:8, flags:1
) = 96
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f0f88aff130, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f0f88ab5fa0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f0f88272000
mprotect(0x7f0f88273000, 8388608, PROT_READ|PROT_WRITE) = 0
rt_sigprocmask(SIG_BLOCK, ~[], ~[KILL STOP RTMIN RT_1], 8) = 0
clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f0f88a72910, parent_tid=0x7f0f88a72910, exit_signal=0, stack=0x7f0f88272000, stack_size=0x7fff00, tls=0x7f0f88a72640} => {parent_tid=[0]}, 88) = 435
--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0x7f0f88b86a59, si_syscall=__NR_clone3, si_arch=AUDIT_ARCH_X86_64} ---
+++ killed by SIGSYS (core dumped) +++
Bad system callOriginally reported downstream in Gentoo here.