
Permit setrlimit, prlimit, prlimit64 calls.

We call setrlimit under some circumstances, and it can call prlimit
and prlimit64 under the hood.

Fixes bug 15221.
Nick Mathewson 10 years ago
Parent
Commit
725e0c76e3
2 changed files with 13 additions and 0 deletions
  1. changes/bug15221 (+4 -0)
  2. src/common/sandbox.c (+9 -0)

+ 4 - 0
changes/bug15221

@@ -0,0 +1,4 @@
+  o Minor bugfixes (sandbox):
+    - Allow the setrlimit syscall, and the prlimit and prlimit64 syscalls,
+      which some libc implementations
+      use under the hood.  Fixes bug 15221.  Bugfix on 0.2.5.1-alpha.
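Review bot: The second line of the bullet breaks early after "which some libc implementations", so the entry is wrapped unevenly; reflow it to the usual width. The entry also does not say what users saw before the fix (the circumstances in which setrlimit gets called while the sandbox is on), which is what a changelog reader will look for.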

+ 9 - 0
src/common/sandbox.c

@@ -177,11 +177,20 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(mmap),
 #endif
     SCMP_SYS(munmap),
+#ifdef __NR_prlimit
+    SCMP_SYS(prlimit),
+#endif
+#ifdef __NR_prlimit64
+    SCMP_SYS(prlimit64),
+#endif
     SCMP_SYS(read),
     SCMP_SYS(rt_sigreturn),
     SCMP_SYS(sched_getaffinity),
     SCMP_SYS(sendmsg),
     SCMP_SYS(set_robust_list),
+#ifdef __NR_setrlimit
+    SCMP_SYS(setrlimit),
+#endif
 #ifdef __NR_sigreturn
     SCMP_SYS(sigreturn),
 #endif
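Review bot: In the additions to filter_nopar_gen, prlimit and prlimit64 are allowed with no argument check, judging by the array's name, yet unlike setrlimit they take a pid as their first argument and can read or set the limits of a process other than the caller. If the only caller is libc's setrlimit wrapper, consider a parameter-filtered rule that requires the pid argument to be 0, or at least add a comment above the new entries saying why they are needed (libc implementing setrlimit through prlimit64), since the list itself gives no reason for them.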