From 6358d0eb78ed9a3a18cb48447419517aae8d2095 Mon Sep 17 00:00:00 2001 From: Joshua Rogers Date: Mon, 15 Sep 2025 23:50:00 +0500 Subject: [PATCH] propagate notify_used when merging filter collections MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Merging filter collections didn’t carry over notify_used; if the source had SCMP_ACT_NOTIFY rules, the merged filter could skip requesting SECCOMP_FILTER_FLAG_NEW_LISTENER, yielding no listener FD. This ORs the flag from source to destination to keep seccomp notification working. Signed-off-by: Joshua Rogers --- src/db.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/db.c b/src/db.c index 8531ce2f..f549c33d 100644 --- a/src/db.c +++ b/src/db.c @@ -1259,6 +1259,10 @@ int db_col_merge(struct db_filter_col *col_dst, struct db_filter_col *col_src) /* reset the precompute */ db_col_precompute_reset(col_dst); + /* propagate NOTIFY usage so NEW_LISTENER is requested on load */ + if (col_src->notify_used) + col_dst->notify_used = true; + /* free the source */ col_src->filter_cnt = 0; db_col_release(col_src);
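Review bot: the notify_used propagation added after db_col_precompute_reset(col_dst) in db_col_merge() comes with no regression test; the diffstat shows only src/db.c changed (4 insertions). The failure described in the commit message is silent (the merged filter does not request SECCOMP_FILTER_FLAG_NEW_LISTENER and no listener FD is produced), so it is easy to reintroduce. Please add a test that merges a source collection containing an SCMP_ACT_NOTIFY rule into a destination that has none, and checks that the destination ends up with notify_used set or, in a live test, that seccomp_notify_fd() returns a valid descriptor after load. Minor style point on the same lines: the conditional could be written as `col_dst->notify_used = col_dst->notify_used || col_src->notify_used;`, though the explicit `if (col_src->notify_used)` form is fine and matches the comment above it.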