author | Nick Mathewson <nickm@torproject.org> | 2014-01-06 04:27:58 -0500 |
committer | Nick Mathewson <nickm@torproject.org> | 2014-01-06 04:27:58 -0500 |
commit | 682c2252a564be67fd4fa817d535df0ddc1c758a (patch) | |
tree | 60a43409a3ea75a37e7a9e1311212ba00d2d9f62 | |
parent | 90303602773eca8505229c832119dafcbcfe1ab7 (diff) | |
Fix some seccomp2 issues
Fix for #10563. This is a compatibility issue with libseccomp-2.1.
I guess you could call it a bugfix on 0.2.5.1?
-rw-r--r-- | changes/seccomp2-fixes | 3 | ||||
-rw-r--r-- | src/common/sandbox.c | 10 |
2 files changed, 13 insertions, 0 deletions
diff --git a/changes/seccomp2-fixes b/changes/seccomp2-fixes
new file mode 100644
index 0000000000..600feecd11
--- /dev/null
+++ b/changes/seccomp2-fixes
@@ -0,0 +1,3 @@
+ o Minor bugfixes:
+ - Fix compilation warnings and startup issues when running with
+ libseccomp-2.1.0. Fixes bug 10563.
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 7ef577dbec..0b67b18973 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -250,6 +250,7 @@ static int
 sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
 int rc = 0;
+ (void)filter;
 
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2,
 SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ),
@@ -405,6 +406,14 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
 SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
+ SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
+ SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
+ if (rc)
+ return rc;
+
+
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3,
+ SCMP_CMP(0, SCMP_CMP_EQ, PF_INET),
 SCMP_CMP(1, SCMP_CMP_EQ, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK),
 SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
 if (rc)
@@ -504,6 +513,7 @@ static int
 sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
 int rc = 0;
+ (void) filter;
 
 rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1,
 SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL));
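Review bot: The new PF_INET/SOCK_STREAM/IPPROTO_TCP allow rule in sb_socket widens the sandbox without a comment saying which code path needs it, so a later reader cannot tell whether this is a libseccomp-2.1 compatibility requirement (as the commit message suggests) or a Tor socket(2) call that the previous filter was killing at startup. Because all three comparisons use SCMP_CMP_EQ, a TCP socket opened without exactly SOCK_CLOEXEC|SOCK_NONBLOCK presumably still falls through to the filter's default action, which is worth confirming against every TCP socket Tor creates. I would add `/* TCP sockets: argument 1 must be exactly SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK (bug 10563) */` above the first seccomp_rule_add call. The two blank added lines between the TCP and UDP rules should be one, as elsewhere in this file. The body of sb_socket starts and ends outside the hunk.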
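Review bot: In sb_fcntl64 the unused-parameter suppression is written `(void) filter;` with a space, while the sb_mmap2 hunk in the same commit writes `(void)filter;`; the two forms should match so the pattern stays greppable when the other sb_* helpers get the same treatment. I would change it to `(void)filter;`. The body of sb_fcntl64 continues past the end of the hunk.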