The socket arg filters that block AF_ALG and AF_VSOCK only apply to the
direct socket(2) syscall. On architectures with the legacy socketcall(2)
multiplexer (i386, s390, MIPS o32), libseccomp auto-generates a
socketcall(SYS_SOCKET) -> ALLOW companion for each socket ALLOW rule.
This companion only checks the socketcall sub-command number, not the
address family (behind a pointer BPF cannot dereference), bypassing the
AF_ALG block for 32-bit binaries.

Add an explicit socketcall -> ERRNO(ENOSYS) deny rule placed before the
socket allow rules. ENOSYS must be used instead of EPERM because the
deny errno must differ from DefaultErrnoRet (EPERM): runc skips calling
seccomp_rule_add() entirely when a rule's action matches the default
action, so an EPERM deny is never passed to libseccomp and the
auto-generated socketcall ALLOW path survives unchallenged. With ENOSYS,
runc passes the rule through, and libseccomp replaces the auto-generated
ALLOW path with ERRNO(ENOSYS) in the BPF.

Since Linux 4.3, all affected architectures provide direct socket
syscalls and modern glibc/musl already use them. Only very old
statically-linked 32-bit binaries compiled against pre-4.3 glibc would
be affected.

Co-authored-by: Tianon Gravi <[email protected]>
Signed-off-by: Paweł Gronowski <[email protected]>

seccomp: Explicitly block socketcall to prevent AF_ALG filter bypass