From 9da5d174e3ef219baab020a79c789f2075ace45c Mon Sep 17 00:00:00 2001
From: Ali Polatel
Date: Sat, 4 Nov 2023 19:45:01 +0100
Subject: [PATCH] system: fix detection of WAIT_KILLABLE_RECV flag

The kernel returns EINVAL when this flag is passed to seccomp without the new listener flag so we should pass the along as well.

Reference on where the check happens in the kernel:
https://github.com/torvalds/linux/blob/aea6bf908d730b01bd264a8821159db9463c111c/kernel/seccomp.c#L1926-L1932

Signed-off-by: Ali Polatel
Acked-by: Paul Moore
Signed-off-by: Tom Hromatka
---
 src/system.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/system.c b/src/system.c
index e205de7a..f2709521 100644
--- a/src/system.c
+++ b/src/system.c
@@ -311,8 +311,16 @@ int sys_chk_seccomp_flag(int flag)
 state.sup_flag_tsync_esrch = _sys_chk_flag_kernel(flag);
 return state.sup_flag_tsync_esrch;
 case SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV:
- if (state.sup_flag_wait_kill < 0)
- state.sup_flag_wait_kill = _sys_chk_flag_kernel(flag);
+ if (state.sup_flag_wait_kill < 0) {
+ /* kernel requires NEW_LISTENER with WAIT_KILLABLE_RECV */
+ flag |= SECCOMP_FILTER_FLAG_NEW_LISTENER;
+ sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ if (state.sup_flag_new_listener) {
+ state.sup_flag_wait_kill = _sys_chk_flag_kernel(flag);
+ } else {
+ state.sup_flag_wait_kill = 0;
+ }
+ }
 return state.sup_flag_wait_kill;
 }
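Review bot: The added `if (state.sup_flag_new_listener)` is a truthiness test, so a negative value would still take the kernel-probe branch; the neighbouring cases in this hunk use `< 0` as the "not yet probed" sentinel for these cache fields, and if the recursive `sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_NEW_LISTENER)` can leave the field negative (e.g. on a probe error), WAIT_KILLABLE_RECV would be probed with a NEW_LISTENER bit the kernel may reject, and the EINVAL the commit is trying to avoid would be cached as the answer. The recursive call's return value is exactly the support verdict and is currently discarded, so folding it into the condition removes the ambiguity: `if (sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_NEW_LISTENER) > 0) {`, dropping the separate bare call. The `flag |= SECCOMP_FILTER_FLAG_NEW_LISTENER;` mutation is fine since `flag` is a by-value parameter and nothing after the switch case reads it, but a comment such as `/* probe both bits together; the result is cached under WAIT_KILLABLE_RECV only */` would make the intent clearer to the next reader. sys_chk_seccomp_flag's body begins and ends outside the hunk, so whether the new-listener probe can return a negative error code cannot be confirmed from here.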