tor

The Tor anonymity network

commit 001d880d1082f5d124e10554e2718e407c7e88c6
parent d59f63f1c40771e80638bac447947e51c07e3ad4
Author: Simon South <simon@simonsouth.net>
Date:   Fri,  5 Nov 2021 10:10:10 -0400

sandbox: Allow "statx" syscall on i386 for glibc 2.33

glibc versions 2.33 and newer use the modern "statx" system call in their
implementations of stat() and opendir() for Linux on i386.  Prevent failures in
the sandbox unit tests by modifying the sandbox to allow this system call
without restriction on i386 when it is available, and update the test suite to
skip the "sandbox/stat_filename" test in this case as it is certain to fail.

Diffstat:
Msrc/lib/sandbox/sandbox.c | 3+++
Msrc/test/test_sandbox.c | 7++++---
2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
@@ -252,6 +252,9 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(sigreturn),
 #endif
 SCMP_SYS(stat),
+#if defined(__i386__) && defined(__NR_statx)
+ SCMP_SYS(statx),
+#endif
 SCMP_SYS(uname),
 SCMP_SYS(wait4),
 SCMP_SYS(write),
diff --git a/src/test/test_sandbox.c b/src/test/test_sandbox.c
@@ -332,12 +332,13 @@ struct testcase_t sandbox_tests[] = {
 /* Currently the sandbox is unable to filter stat() calls on systems where
 * glibc implements this function using either of the legacy "stat" or "stat64"
- * system calls, or where glibc version 2.33 or later is in use and the newer
- * "newfstatat" syscall is available.
+ * system calls, or (in glibc version 2.33 and later) either of the newer
+ * "newfstatat" or "statx" syscalls.
 *
 * Skip testing sandbox_cfg_allow_stat_filename() if it seems the likely the
 * function will have no effect and the test will therefore not succeed.
 */
-#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat)
+#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat) \
+ && !(defined(__i386__) && defined(__NR_statx))
 SANDBOX_TEST_IN_SANDBOX(stat_filename),
 #else
 SANDBOX_TEST_SKIPPED(stat_filename),
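Review bot: The new `SCMP_SYS(statx)` entry in `filter_nopar_gen` has no comment recording that the call is allowed with no argument filter. On i386 builds that take this branch, the path allowlist configured through `sandbox_cfg_allow_stat_filename()` therefore does not limit which files a sandboxed process can query for metadata. I would add `/* glibc >= 2.33 implements stat() and opendir() with statx on i386; allowed unfiltered, so stat filename restrictions are not enforced for it. */` above the `#if`. The guard tests the kernel headers (`__NR_statx`) rather than the glibc in use, so the call is presumably also opened up on builds whose glibc never issues it, and the comment should say so. The array starts and ends outside the hunk.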
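Review bot: The skip condition repeats by hand the `defined(__i386__) && defined(__NR_statx)` test that sandbox.c uses to allow statx, so the two can drift apart if either is later widened to another architecture. A line such as `/* Keep in sync with the statx entry in filter_nopar_gen (sandbox.c). */` above the `#if` would tie them together. The comment should also state that when the skipped branch is taken, nothing in this suite checks stat filename restrictions, because that is a gap in sandbox enforcement and not only a test limitation. The unchanged line "if it seems the likely the function" has a stray "the". The `sandbox_tests` array continues outside the hunk.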