Sandbox methods with seccomp-BPF; except cdrom, gpgv, rsh

This reduces the number of syscalls to about 140 from about
350 or so, significantly reducing security risks.

Also change prepare-release to ignore the architecture lists
in the build dependencies when generating the build-depends
package for travis.

We might want to clean up things a bit more and/or move it
somewhere else.

2 files changed, 28 insertions, 0 deletions

diff --git a/CMake/FindSeccomp.cmake b/CMake/FindSeccomp.cmake
new file mode 100644
index 000000000..5cfd13a37
--- /dev/null
+++ b/CMake/FindSeccomp.cmake
@@ -0,0 +1,25 @@
+# - Try to find SECCOMP
+# Once done, this will define
+#
+#  SECCOMP_FOUND - system has SECCOMP
+#  SECCOMP_INCLUDE_DIRS - the SECCOMP include directories
+#  SECCOMP_LIBRARIES - the SECCOMP library
+find_package(PkgConfig)
+
+pkg_check_modules(SECCOMP_PKGCONF libseccomp)
+
+find_path(SECCOMP_INCLUDE_DIRS
+  NAMES seccomp.h
+  PATHS ${SECCOMP_PKGCONF_INCLUDE_DIRS}
+)
+
+
+find_library(SECCOMP_LIBRARIES
+  NAMES seccomp
+  PATHS ${SECCOMP_PKGCONF_LIBRARY_DIRS}
+)
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(SECCOMP DEFAULT_MSG SECCOMP_INCLUDE_DIRS SECCOMP_LIBRARIES)
+
+mark_as_advanced(SECCOMP_INCLUDE_DIRS SECCOMP_LIBRARIES)
diff --git a/CMake/config.h.in b/CMake/config.h.in
index e1e4f83a1..cfaa14ed1 100644
--- a/CMake/config.h.in
+++ b/CMake/config.h.in
@@ -20,6 +20,9 @@
 /* Define if we have the udev library */
 #cmakedefine HAVE_UDEV
 
+/* Define if we have the seccomp library */
+#cmakedefine HAVE_SECCOMP
+
 /* These two are used by the statvfs shim for glibc2.0 and bsd */
 /* Define if we have sys/vfs.h */
 #cmakedefine HAVE_VFS_H