From 9a13c2bd472786472360f1a6465d8a808f6b8311 Mon Sep 17 00:00:00 2001
From: Stephen L Arnold <nerdboy@gentoo.org>
Date: Thu, 2 Dec 2021 20:16:18 -0800
Subject: [PATCH] ntpd/ntp_sandbox.c: seccomp rollup patch for arm, arm64,
 riscv, all

* add renameat2, move newfstatat and faccessat, remove arch dups
* rollup previous patches, remove cruft
* includes riscv fixes, previous bugs:
  https://bugs.gentoo.org/705128
  https://bugs.gentoo.org/786228
  https://bugs.gentoo.org/823692
  https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1247
  https://gitlab.com/NTPsec/ntpsec/-/issues/713

Signed-off-by: Stephen L Arnold <nerdboy@gentoo.org>
---
 ntpd/ntp_sandbox.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/ntpd/ntp_sandbox.c b/ntpd/ntp_sandbox.c
index e66faaa8c..04eaa003a 100644
--- a/ntpd/ntp_sandbox.c
+++ b/ntpd/ntp_sandbox.c
@@ -306,8 +306,8 @@ int scmp_sc[] = {
 #endif
 #endif  /* ENABLE_EARLY_DROPROOT */
 
-        SCMP_SYS(accept),
-        SCMP_SYS(access),
+	SCMP_SYS(accept),
+	SCMP_SYS(access),
 	SCMP_SYS(adjtimex),
 	SCMP_SYS(bind),
 	SCMP_SYS(brk),
@@ -319,6 +319,9 @@ int scmp_sc[] = {
 	SCMP_SYS(connect),
 	SCMP_SYS(exit),
 	SCMP_SYS(exit_group),
+#ifdef __NR_faccessat
+	SCMP_SYS(faccessat),  /* riscv and aarch64 */
+#endif
 	SCMP_SYS(fcntl),
 	SCMP_SYS(fstat),
 	SCMP_SYS(fsync),
@@ -349,11 +352,13 @@ int scmp_sc[] = {
 	SCMP_SYS(lseek),
 	SCMP_SYS(membarrier),	/* Needed on Alpine 3.11.3 */
 	SCMP_SYS(munmap),
+	SCMP_SYS(newfstatat),  /* riscv and aarch64 */
 	SCMP_SYS(open),
 #ifdef __NR_openat
 	SCMP_SYS(openat),	/* SUSE */
 #endif
 	SCMP_SYS(poll),
+	SCMP_SYS(pread64),
 	SCMP_SYS(pselect6),
 	SCMP_SYS(read),
 	SCMP_SYS(recvfrom),    /* Comment this out for testing.
@@ -362,6 +367,9 @@ int scmp_sc[] = {
 				*/
 	SCMP_SYS(recvmsg),
 	SCMP_SYS(rename),
+#ifdef __NR_renameat2
+	SCMP_SYS(renameat2),  /* riscv */
+#endif
 	SCMP_SYS(rt_sigaction),
 	SCMP_SYS(rt_sigprocmask),
 	SCMP_SYS(rt_sigreturn),
@@ -401,6 +409,7 @@ int scmp_sc[] = {
  * rather than generate a trap.
  */
 	SCMP_SYS(clone),	/* threads */
+	SCMP_SYS(clone3),
 	SCMP_SYS(kill),		/* generate signal */
 	SCMP_SYS(madvise),
 	SCMP_SYS(mprotect),
@@ -415,9 +424,9 @@ int scmp_sc[] = {
 	SCMP_SYS(nanosleep),
 #endif
 #ifdef CLOCK_SHM
-        SCMP_SYS(shmget),
-        SCMP_SYS(shmat),
-        SCMP_SYS(shmdt),
+	SCMP_SYS(shmget),
+	SCMP_SYS(shmat),
+	SCMP_SYS(shmdt),
 #endif
 
 	SCMP_SYS(fcntl64),
@@ -450,10 +459,9 @@ int scmp_sc[] = {
 	SCMP_SYS(mmap),
 #endif
 #if defined(__aarch64__)
-	SCMP_SYS(faccessat),
-	SCMP_SYS(newfstatat),
-	SCMP_SYS(renameat),
 	SCMP_SYS(linkat),
+	SCMP_SYS(renameat),
+	SCMP_SYS(syscall),
 	SCMP_SYS(unlinkat),
 #endif
 #if defined(__i386__) || defined(__arm__) || defined(__powerpc__)
@@ -463,6 +471,9 @@ int scmp_sc[] = {
 	SCMP_SYS(send),
 	SCMP_SYS(stat64),
 #endif
+#if defined(__arm__)
+	SCMP_SYS(statx),
+#endif
 };
 	{
 		for (unsigned int i = 0; i < COUNTOF(scmp_sc); i++) {
-- 
2.32.0