adjust seccomp filter for select->poll conversion

Needed to add ppoll syscall but also to relax the fallback rlimit
sandbox. Linux poll() fails with EINVAL if npfds > RLIMIT_NOFILE,
so we have to allow a single fd in the rlimit.

sandbox-seccomp-filter.c

@@ -270,6 +270,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR__newselect
 	SC_ALLOW(__NR__newselect),
 #endif
+#ifdef __NR_ppoll
+	SC_ALLOW(__NR_ppoll),
+#endif
 #ifdef __NR_poll
 	SC_ALLOW(__NR_poll),
 #endif
@@ -391,7 +394,7 @@ ssh_sandbox_child_debugging(void)
 void
 ssh_sandbox_child(struct ssh_sandbox *box)
 {
-	struct rlimit rl_zero;
+	struct rlimit rl_zero, rl_one = {.rlim_cur = 1, .rlim_max = 1};
 	int nnp_failed = 0;
 
 	/* Set rlimits for completeness if possible. */
@@ -399,7 +402,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)
 		fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s",
 			__func__, strerror(errno));
-	if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
+	/*
+	 * Cannot use zero for nfds, because poll(2) will fail with
+	 * errno=EINVAL if npfds>RLIMIT_NOFILE.
+	 */
+	if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
 		fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s",
 			__func__, strerror(errno));
 	if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1)