1 files changed, 44 insertions, 0 deletions

diff --git a/sys-apps/man-db/files/man-db-2.9.3-clock_gettime64.patch b/sys-apps/man-db/files/man-db-2.9.3-clock_gettime64.patch
new file mode 100644
index 000000000000..0da1b2c5b2b7
--- /dev/null
+++ b/sys-apps/man-db/files/man-db-2.9.3-clock_gettime64.patch
@@ -0,0 +1,44 @@
+From 7315a9475d8fa37af49e9e7ed11e1534f23ef70b Mon Sep 17 00:00:00 2001
+From: "S. Gilles" <sgilles@umd.edu>
+Date: Wed, 12 Aug 2020 16:40:07 -0400
+Subject: Allow clock_gettime64; return ENOSYS so libcs can engage fallbacks
+
+libcs such as musl expect ENOSYS to be returned (not EPERM) in their
+fallback code, so change the seccomp filter to be more agreeable to
+them.
+
+At the same time, clock_gettime is permitted in the filter, so permit
+clock_gettime64 as well -- it will be needed by 2038 in any case.
+
+* lib/sandbox.c (make_seccomp_filter): Set default action to
+SCMP_ACT_ERRNO (ENOSYS).  Allow clock_gettime64.
+* NEWS: Document this.
+---
+ NEWS          | 9 +++++++++
+ lib/sandbox.c | 3 ++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/lib/sandbox.c b/lib/sandbox.c
+index 21ec28aa..d934a0f9 100644
+--- a/lib/sandbox.c
++++ b/lib/sandbox.c
+@@ -232,7 +232,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
+ 		;
+ 
+ 	debug ("initialising seccomp filter (permissive: %d)\n", permissive);
+-	ctx = seccomp_init (SCMP_ACT_ERRNO (EPERM));
++	ctx = seccomp_init (SCMP_ACT_ERRNO (ENOSYS));
+ 	if (!ctx)
+ 		error (FATAL, errno, "can't initialise seccomp filter");
+ 
+@@ -271,6 +271,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
+ 	/* systemd: SystemCallFilter=@default */
+ 	SC_ALLOW ("clock_getres");
+ 	SC_ALLOW ("clock_gettime");
++	SC_ALLOW ("clock_gettime64");
+ 	SC_ALLOW ("clock_nanosleep");
+ 	SC_ALLOW ("execve");
+ 	SC_ALLOW ("exit");
+-- 
+cgit v1.2.1
+