From 99e943998dcfd1263301224104ef98596325f9f2 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 26 Apr 2017 12:56:06 -0400
Subject: [PATCH 1/2] Add getpid() to the seccomp2 sandbox.

We hadn't needed this before, because most getpid() callers on Linux
were looking at the vDSO version of getpid().  I don't know why at
least one version of OpenSSL seems to be ignoring the vDSO, but this
change should fix it.

Fixes bug 21943; bugfix on 0.2.5.1-alpha when the sandbox was
introduced.
---
 src/common/sandbox.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index ebc843e13..95c9f83b8 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -155,6 +155,7 @@ static int filter_nopar_gen[] = {
 #ifdef __NR_getgid32
     SCMP_SYS(getgid32),
 #endif
+    SCMP_SYS(getpid),
 #ifdef __NR_getrlimit
     SCMP_SYS(getrlimit),
 #endif

From 1cdad9782d31f10e8e622a642b49f39deebc3737 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Mon, 8 May 2017 13:39:59 -0400
Subject: [PATCH 2/2] Add a changes file for 21943.

---
 changes/bug21943 | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 changes/bug21943

diff --git a/changes/bug21943 b/changes/bug21943
new file mode 100644
index 000000000..dbe2c726d
--- /dev/null
+++ b/changes/bug21943
@@ -0,0 +1,6 @@
+  o Minor bugfixes (Linux seccomp2 sandbox):
+    - The getpid() system call is now permitted under the Linux seccomp2
+      sandbox, to avoid crashing with versions of OpenSSL (and other
+      libraries) that attempt to learn the process's PID by using the
+      syscall rather than the VDSO code. Fixes bug 21943; bugfix on
+      0.2.5.1-alpha.