From 0a0020e177de261434217146d9e12c5f6ff7bed4 Mon Sep 17 00:00:00 2001
From: Doug MacEachern <doug.maceachern@broadcom.com>
Date: Thu, 25 Sep 2025 19:41:41 -0700
Subject: [PATCH 1/2] crypto/rand: add syscall number fallbacks in
 seccomp_linux

seccomp_linux.go is only used for Go's own tests (commit 644628536f24),
but the package is included when building programs with CGO_ENABLED=1.

When using an older glibc (e.g. 2.17), SYS_getrandom and SYS_seccomp
are not defined, causing cgo compilation to fail.

Note that there are already several types and defines copied from
linux headers into seccomp_linux.go to support compilation on older systems.
---
 .../internal/sysrand/internal/seccomp/seccomp_linux.go    | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go b/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go
index 32ef52ad9e4e24..e2f85a6f5fa10d 100644
--- a/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go
+++ b/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go
@@ -49,6 +49,14 @@ struct seccomp_data {
 #define SECCOMP_RET_ALLOW 0x7fff0000U
 #define SECCOMP_SET_MODE_FILTER 1
 
+#ifndef SYS_getrandom
+#define SYS_getrandom -1
+#endif
+
+#ifndef SYS_seccomp
+#define SYS_seccomp -1
+#endif
+
 int disable_getrandom() {
     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
         return 1;

From 412c349c7e4a562ed0d1e868ab4594b7cc415a13 Mon Sep 17 00:00:00 2001
From: Doug MacEachern <doug.maceachern@broadcom.com>
Date: Tue, 30 Sep 2025 09:04:53 -0700
Subject: [PATCH 2/2] crypto/rand: early return from disable_getrandom when
 fallbacks are used

---
 src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go b/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go
index e2f85a6f5fa10d..5447242d27ba3a 100644
--- a/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go
+++ b/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go
@@ -58,6 +58,9 @@ struct seccomp_data {
 #endif
 
 int disable_getrandom() {
+    if (SYS_getrandom == -1 || SYS_seccomp == -1) {
+        return 3;
+    }
     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
         return 1;
     }