From e731d4c72d40f45fbc3ee3270998d9e59391c806 Mon Sep 17 00:00:00 2001
From: Kristaps Dz <kristaps@bsd.lv>
Date: Sat, 18 Nov 2023 15:26:08 -0800
Subject: [PATCH] Conditionally deny poll for seccomp.

This is not a valid system call on aarch64, which uses ppoll internally.
---
 sandbox-seccomp-filter.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 1a4346c0..b88987ee 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -89,7 +89,7 @@ static const struct sock_filter preauth_ctrl[] = {
 	/* Load the syscall number for checking. */
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 		offsetof(struct seccomp_data, nr)),
-#ifdef __NR_open
+#ifdef __NR_open /* not defined on aarch64 */
 	SC_DENY(open, EACCES),
 #endif
 #ifdef __NR_openat
@@ -129,7 +129,9 @@ static const struct sock_filter preauth_ctrl[] = {
 #ifdef __NR_ppoll
 	SC_ALLOW(ppoll),
 #endif
+#ifdef __NR_poll /* not defined on aarch64 */
 	SC_ALLOW(poll),
+#endif
 #ifdef __NR__newselect
 	SC_ALLOW(_newselect),
 #else
@@ -167,7 +169,7 @@ static const struct sock_filter preauth_work[] = {
 	/* Load the syscall number for checking. */
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 		offsetof(struct seccomp_data, nr)),
-#ifdef __NR_open
+#ifdef __NR_open /* not defined on aarch64 */
 	SC_DENY(open, EACCES),
 #endif
 #ifdef __NR_openat
@@ -202,7 +204,9 @@ static const struct sock_filter preauth_work[] = {
 #ifdef __NR_ppoll
 	SC_ALLOW(ppoll),
 #endif
+#ifdef __NR_poll /* not defined on aarch64 */
 	SC_ALLOW(poll),
+#endif
 #ifdef __NR__newselect
 	SC_ALLOW(_newselect),
 #else