tool/seccomp: allow sigreturn on x86

Fixes #3799

tool/seccomp/.gitignore

@@ -0,0 +1,3 @@
+/seccomp_bpf_policy_arm.bin
+/seccomp_bpf_policy_x86_32.bin
+/seccomp_bpf_policy_x86_64.bin

tool/seccomp/Makefile

@@ -5,9 +5,11 @@ seccomp_bpf_filters: seccomp_bpf_policy_x86_32.bin seccomp_bpf_policy_x86_64.bin
 seccomp_bpf_policy_%.bin: seccomp_bpf_compiler_%.prg
 	./$< > $@
 
-seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc
+seccomp_bpf_compiler_%.prg: seccomp_bpf_compiler_%.cc seccomp_bpf_compiler.h
 	@g++ $< -o $@ -lseccomp
 
 clean:
 	@rm seccomp_bpf_policy_*.bin 2> /dev/null; true
 	@rm seccomp_bpf_compiler_*.prg 2> /dev/null; true
+
+.PHONY: seccomp_bpf_filters

tool/seccomp/seccomp_bpf_compiler.h

@@ -140,6 +140,9 @@ class Filter
 						/* The nmap syscall has a different name on different architectures
 						 * but it slould be save as it only uses an already open socket. */
 						_add_allow_rule(SCMP_SYS(mmap2));
+
+						/* returning from signal handlers is safe */
+						_add_allow_rule(SCMP_SYS(sigreturn));
 					}
 					break;
 				case SCMP_ARCH_X86_64:
@@ -158,6 +161,9 @@ class Filter
 						/* The nmap syscall has a different name on different architectures
 						 * but it slould be save as it only uses an already open socket. */
 						_add_allow_rule(SCMP_SYS(mmap));
+
+						/* returning from signal handlers is safe */
+						_add_allow_rule(SCMP_SYS(rt_sigreturn));
 					}
 					break;
 				case SCMP_ARCH_ARM:
@@ -180,7 +186,7 @@ class Filter
 						/* This syscall is only used on ARM. */
 						_add_allow_rule(SCMP_SYS(cacheflush));
 
-						/* This syscall is only used on ARM. */
+						/* returning from signal handlers is safe */
 						_add_allow_rule(SCMP_SYS(sigreturn));
 					}
 					break;
@@ -189,7 +195,7 @@ class Filter
 					throw -104;
 			}
 
-			// build and export
+			/* build and export */
 			seccomp_export_bpf(_ctx, 1);
 
 			return 0;