glib2/gspawn-eperm.patch

diff --git a/glib/gspawn.c b/glib/gspawn.c
index 67be6a6af..aaefd5b0d 100644
--- a/glib/gspawn.c
+++ b/glib/gspawn.c
@@ -1598,9 +1598,18 @@ safe_fdwalk_set_cloexec (int lowfd)
    *
    * Handle ENOSYS in case it’s supported in libc but not the kernel; if so,
    * fall back to safe_fdwalk(). Handle EINVAL in case `CLOSE_RANGE_CLOEXEC`
-   * is not supported. */
+   * is not supported.
+   *
+   * Also handle EPERM for the cases where GLib is running under broken versions
+   * of Docker+libseccomp which don’t recognise `close_range()` so block calls
+   * to it under a default security policy which returns EPERM rather than (the
+   * correct) ENOSYS. This workaround should be carried in distributions until
+   * they have versions of libseccomp and Docker which contain:
+   *  - https://salsa.debian.org/debian/libseccomp/-/blob/debian/bullseye/debian/patches/syscalls_add_close_range_syscall.patch
+   *  - https://github.com/opencontainers/runc/issues/2151
+   */
   ret = close_range (lowfd, G_MAXUINT, CLOSE_RANGE_CLOEXEC);
-  if (ret == 0 || !(errno == ENOSYS || errno == EINVAL))
+  if (ret == 0 || !(errno == ENOSYS || errno == EINVAL || errno == EPERM))
     return ret;
 #endif  /* HAVE_CLOSE_RANGE */
 
@@ -1624,9 +1633,15 @@ safe_closefrom (int lowfd)
    * situations: https://bugs.python.org/issue38061
    *
    * Handle ENOSYS in case it’s supported in libc but not the kernel; if so,
-   * fall back to safe_fdwalk(). */
+   * fall back to safe_fdwalk().
+   *
+   * Also handle EPERM for the cases where GLib is running under broken versions
+   * of Docker+libseccomp which don’t recognise `close_range()` so block calls
+   * to it under a default security policy which returns EPERM rather than (the
+   * correct) ENOSYS.
+   */
   ret = close_range (lowfd, G_MAXUINT, 0);
-  if (ret == 0 || errno != ENOSYS)
+  if (ret == 0 || errno != ENOSYS || errno == EPERM)
     return ret;
 #endif  /* HAVE_CLOSE_RANGE */