sys_linux: allow lstat and readlink in seccomp filter

These syscalls seem to be needed when gnutls is loading system trusted
certificates due to p11-kit >= 0.23.21 getting the program name from
/proc/self/exe.

diff --git a/sys_linux.c b/sys_linux.c
index 7cdd33c7dcde088d275705649e7cf213e1af32e6..2555e8b460b863d7703db2a78dbeffbbd4a7ed4c 100644 (file)
--- a/sys_linux.c
+++ b/sys_linux.c
@@ -533,7 +533,10 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_SystemCallContext context)
     SCMP_SYS(getdents),
     SCMP_SYS(getdents64),
     SCMP_SYS(lseek),
+    SCMP_SYS(lstat),
+    SCMP_SYS(lstat64),
     SCMP_SYS(newfstatat),
+    SCMP_SYS(readlink),
     SCMP_SYS(rename),
     SCMP_SYS(renameat),
     SCMP_SYS(renameat2),