From 0310c733d5be61f577808627310571471fa824d0 Mon Sep 17 00:00:00 2001
From: Norman Feske
Date: Fri, 3 Jul 2020 11:56:19 +0200
Subject: [PATCH] base-linux: let seccomp permit 'read'

This is needed for using the 'wait_for_continue' debug mechanism.
Fixes #3798
---
 .../lib/seccomp/spec/arm/seccomp_bpf_policy.bin | Bin 304 -> 312 bytes
 .../seccomp/spec/x86_32/seccomp_bpf_policy.bin | Bin 344 -> 352 bytes
 .../seccomp/spec/x86_64/seccomp_bpf_policy.bin | Bin 360 -> 368 bytes
 tool/seccomp/seccomp_bpf_compiler.h | 3 +++
 4 files changed, 3 insertions(+)

diff --git a/repos/base-linux/src/lib/seccomp/spec/arm/seccomp_bpf_policy.bin b/repos/base-linux/src/lib/seccomp/spec/arm/seccomp_bpf_policy.bin
index 2303a9af394ffe2256753226c1a52ae4f5693cb5..a282275bec20bce71b81b2f5e9818641886eb77d 100644
GIT binary patch
delta 46
rcmdnMw1Y`ifq{X61&Bo%7*sSE7#u)+5D;ZhWMBl-3JlB}WrZ05X-EUe

delta 38
ncmdnNw1G)hfq{X61&Bo%7?d>_7#u)+5D;ZhU|`&+D$ED~Q6~eA

diff --git a/repos/base-linux/src/lib/seccomp/spec/x86_32/seccomp_bpf_policy.bin b/repos/base-linux/src/lib/seccomp/spec/x86_32/seccomp_bpf_policy.bin
index 7f70cd945ec437fd0af58486555282b0bc45d292..a50b51e7f8853c859b00696fad9c86b63eccdde6 100644
GIT binary patch
delta 46
rcmcb?^ngiKfq{X61&Bo%7&Ms~7#u)+5D;ZhV_*c+stn8YRw1$T8{(k

diff --git a/repos/base-linux/src/lib/seccomp/spec/x86_64/seccomp_bpf_policy.bin b/repos/base-linux/src/lib/seccomp/spec/x86_64/seccomp_bpf_policy.bin
index 5bb506b9346cf5581b3e90bd96a9b793ad322806..d35e2475dec2e2a605a33fa371fb661ecd5637ea 100644
GIT binary patch
delta 57
zcmaFC^nuAhfq{X61&Bo%7_{ve7!H8=AYjVCzzC!qfZ`hefk2c&4J^Jx

diff --git a/tool/seccomp/seccomp_bpf_compiler.h b/tool/seccomp/seccomp_bpf_compiler.h
index 0f9e06c39e..514c8578a9 100644
--- a/tool/seccomp/seccomp_bpf_compiler.h
+++ b/tool/seccomp/seccomp_bpf_compiler.h
@@ -99,6 +99,9 @@ class Filter _add_allow_rule(SCMP_SYS(fstat)); _add_allow_rule(SCMP_SYS(fstat64)); + /* This syscall is used by the 'wait_for_continue' debug mechanism. */ + _add_allow_rule(SCMP_SYS(read)); + /* This syscall is used to wait for a condition. This should be safe. */ _add_allow_rule(SCMP_SYS(futex));
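Review bot: The added `_add_allow_rule(SCMP_SYS(read));` admits `read` on any file descriptor for every process the compiled policy is applied to, while the comment directly above justifies it only by the 'wait_for_continue' debug mechanism; nothing in the hunk makes the rule conditional on a debug build, so the widening of the allowed syscall surface is permanent. If `_add_allow_rule` (defined outside this hunk) wraps libseccomp's `seccomp_rule_add`, the rule could be narrowed to the descriptor the debug mechanism actually reads from via an argument comparison such as `SCMP_A0(SCMP_CMP_EQ, 0)` — verify which descriptor wait_for_continue uses before doing so. At minimum the comment should state the actual scope, e.g. `/* 'read' is permitted unconditionally, on any fd, so that the 'wait_for_continue' debug mechanism works; this widens the syscall surface of every component. */`. The method of class Filter that this hunk belongs to starts and ends outside the hunk.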