From f94f3e279169d0b7ab15e2b5b39c6705f87218f8 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 16 Mar 2017 11:21:18 +1100
Subject: [PATCH] 4581. [port] Linux: Add getpid and getrandom to the list of system calls named uses for seccomp. [RT #44883]

---
 CHANGES | 3 +++
 bin/named/include/named/seccomp.h | 16 ++++++++++++++++
 config.h.in | 3 +++
 configure | 12 ++++++++++++
 configure.in | 2 ++
 5 files changed, 36 insertions(+)

diff --git a/CHANGES b/CHANGES
index 51dd906cbd..90be225c3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4581. [port] Linux: Add getpid and getrandom to the list of system
+ calls named uses for seccomp. [RT #44883]
+
 4580. [bug] 4578 introduced a regression when handling CNAME to
 referral below the current domain. [RT #44850]
 
diff --git a/bin/named/include/named/seccomp.h b/bin/named/include/named/seccomp.h
index ecf12ee7c8..cec93c5922 100644
--- a/bin/named/include/named/seccomp.h
+++ b/bin/named/include/named/seccomp.h
@@ -50,6 +50,10 @@ int scmp_syscalls[] = {
 SCMP_SYS(fstat),
 SCMP_SYS(epoll_ctl),
 SCMP_SYS(gettimeofday),
+ SCMP_SYS(getpid),
+#ifdef HAVE_GETRANDOM
+ SCMP_SYS(getrandom),
+#endif
 SCMP_SYS(unlink),
 SCMP_SYS(socket),
 SCMP_SYS(sendto),
@@ -113,6 +117,10 @@ const char *scmp_syscall_names[] = {
 "fstat",
 "epoll_ctl",
 "gettimeofday",
+ "getpid",
+#ifdef HAVE_GETRANDOM
+ "getrandom",
+#endif
 "unlink",
 "socket",
 "sendto",
@@ -182,6 +190,10 @@ int scmp_syscalls[] = {
 SCMP_SYS(fstat64),
 SCMP_SYS(epoll_ctl),
 SCMP_SYS(gettimeofday),
+ SCMP_SYS(getpid),
+#ifdef HAVE_GETRANDOM
+ SCMP_SYS(getrandom),
+#endif
 SCMP_SYS(unlink),
 #ifndef ISC_PLATFORM_USETHREADS
 SCMP_SYS(fcntl64),
@@ -218,6 +230,10 @@ const char *scmp_syscall_names[] = {
 "fstat64",
 "epoll_ctl",
 "gettimeofday",
+ "getpid",
+#ifdef HAVE_GETRANDOM
+ "getrandom",
+#endif
 "unlink",
 #ifndef ISC_PLATFORM_USETHREADS
 "fcntl64",
diff --git a/config.h.in b/config.h.in
index c4ecebf3e8..597f9e6ff2 100644
--- a/config.h.in
+++ b/config.h.in
@@ -254,6 +254,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Build with GeoIP Country IPv6 support */
 #undef HAVE_GEOIP_V6
 
+/* Define to 1 if you have the `getrandom' function. */
+#undef HAVE_GETRANDOM
+
 /* Define to use gperftools CPU profiler. */
 #undef HAVE_GPERFTOOLS_PROFILER
 
diff --git a/configure b/configure
index 7ebbee19c2..71634e118b 100755
--- a/configure
+++ b/configure
@@ -11493,7 +11493,19 @@ yes)
 ;;
 esac
 
+
 #libseccomp sandboxing
+for ac_func in getrandom
+do :
+ ac_fn_c_check_func "$LINENO" "getrandom" "ac_cv_func_getrandom"
+if test "x$ac_cv_func_getrandom" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_GETRANDOM 1
+_ACEOF
+
+fi
+done
+
 # Check whether --enable-seccomp was given.
 if test "${enable_seccomp+set}" = set; then :
 enableval=$enable_seccomp;
diff --git a/configure.in b/configure.in
index 34f0408f49..97d9d1554f 100644
--- a/configure.in
+++ b/configure.in
@@ -86,7 +86,9 @@ yes)
 ;;
 esac
 
+
 #libseccomp sandboxing
+AC_CHECK_FUNCS(getrandom)
 AC_ARG_ENABLE(seccomp,
 AS_HELP_STRING([--enable-seccomp],[enable support for libseccomp system call filtering [default=no]]))
 case "$enable_seccomp" in
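Review bot: The `#ifdef HAVE_GETRANDOM` guard around the new `SCMP_SYS(getrandom)` entry (here and in the sibling hunks at new lines 117, 190 and 230) keys on whether libc exports a getrandom() wrapper, which is a different question from whether the process will issue the getrandom system call: a linked library that invokes the syscall directly on a libc without the wrapper is still terminated by the filter, while a libc with the wrapper but a libseccomp/kernel-header set that has no number for it may fail to compile or fail at rule-add time, depending on how that libseccomp version defines SCMP_SYS. If the intent is "allow it whenever the toolchain knows the syscall", the guard should key on the syscall number being available rather than on the libc function, and each conditional entry should say why it is conditional, e.g. `/* only when the build knows getrandom(2); keep in step with scmp_syscall_names[] */`. The patch does keep scmp_syscalls[] and scmp_syscall_names[] in lockstep, which looks necessary given the parallel names, though the indexing code is outside this hunk.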
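Review bot: The new `AC_CHECK_FUNCS(getrandom)` in configure.in sits under the `#libseccomp sandboxing` comment, yet it runs unconditionally and defines the generic HAVE_GETRANDOM symbol, which in this commit is consumed only by the seccomp allow-list in bin/named/include/named/seccomp.h. A one-line comment above the check would make that coupling visible to the next reader, e.g. `# HAVE_GETRANDOM decides whether getrandom(2) is allowed through the seccomp filter (seccomp.h)`. The generated configure and config.h.in hunks follow from this line and need no separate change.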