Add a variant of the Seccomp filter file that allows 'execve'.

This is useful when starting Emacs with a Seccomp filter enabled,
e.g. using 'bwrap'.

* lib-src/seccomp-filter.c (main): Generate new Seccomp files.

* lib-src/Makefile.in (all)
(seccomp-filter.bpf seccomp-filter.pfc seccomp-filter-exec.bpf
seccomp-filter-exec.pfc): Generate new Seccomp files.

* .gitignore: Ignore new Seccomp files.

* test/src/emacs-tests.el (emacs-tests/bwrap/allows-stdout): New unit
test.

1 files changed, 4 insertions, 3 deletions

diff --git a/lib-src/Makefile.in b/lib-src/Makefile.in
index 35cfa56d8be..091f4fb0199 100644
--- a/lib-src/Makefile.in
+++ b/lib-src/Makefile.in
@@ -240,7 +240,7 @@ config_h = ../src/config.h $(srcdir)/../src/conf_post.h
 all: ${EXE_FILES} ${SCRIPTS}
 
 ifeq ($(SECCOMP_FILTER),1)
-all: seccomp-filter.bpf
+all: seccomp-filter.bpf seccomp-filter-exec.bpf
 endif
 
 .PHONY: all need-blessmail maybe-blessmail
@@ -430,9 +430,10 @@ seccomp-filter$(EXEEXT): $(srcdir)/seccomp-filter.c $(config_h)
         $(AM_V_CCLD)$(CC) $(ALL_CFLAGS) $(LIBSECCOMP_CFLAGS) $< \
           $(LIBSECCOMP_LIBS) -o $@
 
-seccomp-filter.bpf seccomp-filter.pfc: seccomp-filter$(EXEEXT)
+seccomp-filter.bpf seccomp-filter.pfc seccomp-filter-exec.bpf seccomp-filter-exec.pfc: seccomp-filter$(EXEEXT)
         $(AM_V_GEN)./seccomp-filter$(EXEEXT) \
-          seccomp-filter.bpf seccomp-filter.pfc
+          seccomp-filter.bpf seccomp-filter.pfc \
+          seccomp-filter-exec.bpf seccomp-filter-exec.pfc
 endif
 
 ## Makefile ends here.