glibc 2.32 rseq support incompatible with Firefox sandbox

Florian Weimer fweimer@redhat.com
Thu Jul 9 18:15:49 GMT 2020


* Gian-Carlo Pascutto:

> If all we need to do here is allow rseq, then it's not really a
> problem. If it's a more fundamental issue with the signal blocking,
> we'll need to figure out a workaround until sandboxed browsers can add
> support for and add the entirely new seccomp implementation.

rseq and rt_sigprocmask are the only new system calls after clone in
glibc 2.32.  rt_sigprocmask should be fine, so only rseq needs to be
permitted.  It would be best not to deny rseq on specific threads if
it has already succeeded on the main thread.

Thanks,
Florian
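
A seccomp-bpf allow-list fragment of the kind the reply calls for, with rseq and rt_sigprocmask permitted; this is an added example, not code from the thread, glibc or Firefox. The EPERM default action, the names `policy` and `decide`, and the small interpreter (which checks the filter's verdict without installing it) are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Constructed allow-list fragment; a real sandbox policy lists many more calls. */
static const struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),     /* foreign ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigprocmask, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rseq, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),    /* default (assumed) */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Interprets the three classic-BPF opcodes used in `policy` and returns the
 * seccomp action the filter would produce for a given architecture and syscall. */
uint32_t decide(uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < sizeof policy / sizeof policy[0]; pc++) {
        const struct sock_filter *f = &policy[pc];
        if (f->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + f->k, sizeof acc);
        else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == f->k) ? f->jt : f->jf;  /* offset from next insn */
        else
            return f->k;                          /* BPF_RET | BPF_K */
    }
    return SECCOMP_RET_KILL_PROCESS;
}
```

The same `policy` array can be wrapped in a `struct sock_fprog` and installed with `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...)` after `PR_SET_NO_NEW_PRIVS`.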
