--- /dev/null
+Pseudo changes the syscall access patterns which makes it incompatible with
+seccomp. Therefore intercept the seccomp syscall and alter it, pretending that
+seccomp was setup when in fact we do nothing. If we error as unsupported,
+utilities like file will exit with errors so we can't just disable it.
+
+Upstream-Status: Pending
+RP 2020/4/3
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: git/ports/linux/pseudo_wrappers.c
+===================================================================
+--- git.orig/ports/linux/pseudo_wrappers.c
++++ git/ports/linux/pseudo_wrappers.c
+@@ -57,6 +57,7 @@ int pseudo_capset(cap_user_header_t hdrp
+ long
+ syscall(long number, ...) {
+ long rc = -1;
++ va_list ap;
+
+ if (!pseudo_check_wrappers() || !real_syscall) {
+ /* rc was initialized to the "failure" value */
+@@ -77,6 +78,20 @@ syscall(long number, ...) {
+ (void) number;
+ #endif
+
++#ifdef SYS_seccomp
++ /* pseudo and seccomp are incompatible as pseudo uses different syscalls
++ * so pretend to enable seccomp but really do nothing */
++ if (number == SYS_seccomp) {
++ unsigned long cmd;
++ va_start(ap, number);
++ cmd = va_arg(ap, unsigned long);
++ va_end(ap);
++ if (cmd == SECCOMP_SET_MODE_FILTER) {
++ return 0;
++ }
++ }
++#endif
++
+ /* gcc magic to attempt to just pass these args to syscall. we have to
+ * guess about the number of args; the docs discuss calling conventions
+ * up to 7, so let's try that?
+@@ -92,3 +108,42 @@ static long wrap_syscall(long nr, va_lis
+ (void) ap;
+ return -1;
+ }
++
++int
++prctl(int option, ...) {
++ int rc = -1;
++ va_list ap;
++
++ if (!pseudo_check_wrappers() || !real_prctl) {
++ /* rc was initialized to the "failure" value */
++ pseudo_enosys("prctl");
++ return rc;
++ }
++
++ /* pseudo and seccomp are incompatible as pseudo uses different syscalls
++ * so pretend to enable seccomp but really do nothing */
++ if (option == PR_SET_SECCOMP) {
++ unsigned long cmd;
++ va_start(ap, option);
++ cmd = va_arg(ap, unsigned long);
++ va_end(ap);
++ if (cmd == SECCOMP_SET_MODE_FILTER) {
++ return 0;
++ }
++ }
++
++ /* gcc magic to attempt to just pass these args to prctl. we have to
++ * guess about the number of args; the docs discuss calling conventions
++ * up to 5, so let's try that?
++ */
++ void *res = __builtin_apply((void (*)()) real_prctl, __builtin_apply_args(), sizeof(long) * 5);
++ __builtin_return(res);
++}
++
++/* unused.
++ */
++static int wrap_prctl(int option, va_list ap) {
++ (void) option;
++ (void) ap;
++ return -1;
++}
+Index: git/ports/linux/guts/prctl.c
+===================================================================
+--- /dev/null
++++ git/ports/linux/guts/prctl.c
+@@ -0,0 +1,15 @@
++/*
++ * Copyright (c) 2020 Richard Purdie
++ *
++ * SPDX-License-Identifier: LGPL-2.1-only
++ *
++ * int prctl(int option, ...)
++ * int rc = -1;
++ */
++
++ /* we should never get here, prctl is hand-wrapped */
++ rc = -1;
++
++/* return rc;
++ * }
++ */
+Index: git/ports/linux/portdefs.h
+===================================================================
+--- git.orig/ports/linux/portdefs.h
++++ git/ports/linux/portdefs.h
+@@ -32,3 +32,5 @@ GLIBC_COMPAT_SYMBOL(memcpy,2.0);
+
+ #include <linux/capability.h>
+ #include <sys/syscall.h>
++#include <sys/prctl.h>
++#include <linux/seccomp.h>
+Index: git/ports/linux/wrapfuncs.in
+===================================================================
+--- git.orig/ports/linux/wrapfuncs.in
++++ git/ports/linux/wrapfuncs.in
+@@ -56,3 +56,4 @@ int getgrent_r(struct group *gbuf, char
+ int capset(cap_user_header_t hdrp, const cap_user_data_t datap); /* real_func=pseudo_capset */
+ long syscall(long nr, ...); /* hand_wrapped=1 */
+ int renameat2(int olddirfd, const char *oldpath, int newdirfd, const char *newpath, unsigned int flags); /* flags=AT_SYMLINK_NOFOLLOW */
++int prctl(int option, ...); /* hand_wrapped=1 */
