seccomp: Check for and allow statx

Alternative solution to #54

Really this should be checking that the path name is empty, too,
because the first arg is `dirfd`, and so this filter is based on:

```
By file descriptor
 If pathname is an empty string and the AT_EMPTY_PATH flag  is  speci‐
 fied  in  flags (see below), then the target file is the one referred
 to by the file descriptor dirfd.
```

configure.ac

@@ -195,6 +195,26 @@ AC_ARG_ENABLE(warnings,
         CHECK_COMPILER_OPTION([-Wtrampolines])
 ])
 
+AC_DEFUN([CHECK_SECCOMP_SYSCALL], [
+  AC_MSG_CHECKING([seccomp syscall $1])
+  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include<seccomp.h>
+]], [[
+void test()
+{
+scmp_filter_ctx ctx;
+seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS($1), 0);
+}
+]])],
+[
+  AC_MSG_RESULT(yes)
+  AC_DEFINE([HAVE_SECCOMP_SYSCALL_$1], [1], [Have seccomp syscall])
+],[AC_MSG_RESULT(no)])])
+
+CHECK_SECCOMP_SYSCALL([fstat]);
+CHECK_SECCOMP_SYSCALL([statx]);
+CHECK_SECCOMP_SYSCALL([nonexistant]);
+
 AC_CONFIG_FILES([Makefile])
 AC_CONFIG_FILES([src/Makefile])
 AC_CONFIG_FILES([doc/Makefile])

src/arping.c

@@ -645,10 +645,18 @@ static void drop_seccomp(int libnet_fd)
         //
 
         // Write to stdout and stderr.
+#if HAVE_SECCOMP_SYSCALL_statx
+        if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(statx), 1, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO))) {
+                perror("seccomp_rule_add(statx stdout)");
+                exit(1);
+        }
+#endif
+#if HAVE_SECCOMP_SYSCALL_fstat
         if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 1, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO))) {
                 perror("seccomp_rule_add(fstat stdout)");
                 exit(1);
         }
+#endif
         if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO))) {
                 perror("seccomp_rule_add(write stdout)");
                 exit(1);