1744849 - PR_GET_SECCOMP doesn't need to be allowed

Status: NEW

(Core :: Security: Process Sandboxing, enhancement, P3)

Description

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

In bug 1257361 we stopped using PR_GET_SECCOMP to detect threads that already have seccomp-bpf applied, but I forgot to remove it from the policy. Allowing it isn't a problem for security (revealing that seccomp-bpf is in use isn't an issue, and the kernel attack surface is trivial), but it seems to not be needed and we might as well save an instruction or two in the seccomp-bpf program.

(Further context: on kernels older than 3.17 we don't have the seccomp syscall / SECCOMP_FILTER_FLAG_TSYNC, so we have to iterate our own threads trying to reach a fixed point with all threads sandboxed; at first we used PR_GET_SECCOMP, but this fails if external software has already applied a seccomp-bpf policy; see bug 1257361 for more details.)