On some systems, process startup calls prctl(PR_CAPBSET_READ) via
'cap_get_bound'. We can just return EINVAL.
* lib-src/seccomp-filter.c (main): Add a rule for
prctl(PR_CAPBSET_READ, ...).
Casting NULL is not a constant expression (Bug#47951).
* lib-src/seccomp-filter.c (main): Turn check for null pointer
representation into a runtime assertion.
This is useful when starting Emacs with a Seccomp filter enabled,
e.g. using 'bwrap'.
* lib-src/seccomp-filter.c (main): Generate new Seccomp files.
* lib-src/Makefile.in (all)
(seccomp-filter.bpf seccomp-filter.pfc seccomp-filter-exec.bpf
seccomp-filter-exec.pfc): Generate new Seccomp files.
* .gitignore: Ignore new Seccomp files.
* test/src/emacs-tests.el (emacs-tests/bwrap/allows-stdout): New unit
test.
The binary uses the 'seccomp' helper library. The library isn't
needed to load the generated Secure Computing filter.
* configure.ac: Check for 'seccomp' header and library.
* lib-src/seccomp-filter.c: New helper binary to generate a generic
Secure Computing filter for GNU/Linux.
* lib-src/Makefile.in (DONT_INSTALL): Add 'seccomp-filter' helper
binary if possible.
(all): Add Secure Computing filter file if possible.
(seccomp-filter$(EXEEXT)): Compile helper binary.
(seccomp-filter.bpf seccomp-filter.pfc): Generate filter files.
* test/src/emacs-tests.el (emacs-tests/seccomp/allows-stdout)
(emacs-tests/seccomp/forbids-subprocess): New unit tests.
* test/Makefile.in (src/emacs-tests.log): Add dependency on the helper
binary.
