tor

The Tor anonymity network
git clone https://git.dasho.dev/tor.git

commit b4e24d751f7ca304beba21afd64b847e1bb52d54
parent d502b269d05beb0d575eea1d79d3ce4c5e71f4fd
Author: KernelKraze <admin@mail.free-proletariat.dpdns.org>
Date:   Sat, 22 Nov 2025 14:45:56 +0900

sandbox: Allow fstatat64, statx and lstat64 syscalls on i386 for glibc 2.33+

   On i386 architecture, glibc 2.33+ uses fstatat64 instead of newfstatat
   for stat operations. The existing sandbox code only allowed newfstatat
   (which is not defined on i386), causing SIGHUP configuration reload to
   fail when using sandbox mode with %include directives.

   Additionally, glibc 2.33+ on i386 may use statx for time64 support
   (Y2038), and glob() in glibc 2.36+ uses statx for directory traversal.
   The existing code only added statx as a fallback when __NR_stat was
   undefined, but on i386 __NR_stat is always defined, so statx was never
   allowed.

   Also allow lstat64 syscall which is used by glob() on i386 with
   glibc 2.36+ when processing %include directives with directory patterns.

   This fixes test_include.sh failures on i386 with Debian Bookworm or newer.

Diffstat:
A changes/bug_sandbox_lstat64 | 9 +++++++++
M src/lib/sandbox/sandbox.c | 23 +++++++++++++++++++++++
2 files changed, 32 insertions(+), 0 deletions(-)

diff --git a/changes/bug_sandbox_lstat64 b/changes/bug_sandbox_lstat64 @@ -0,0 +1,9 @@ + o Minor features (linux seccomp2 sandbox): + - Allow the fstatat64 and statx syscalls on i386 architecture when + glibc >= 2.33. On i386, glibc uses fstatat64 instead of newfstatat + for stat operations, and statx for time64 support. Without this, + SIGHUP configuration reload fails when using sandbox mode with + %include directives on i386 with Debian Bookworm or newer. + - Allow the lstat64 syscall on i386 architecture. This syscall is used + by glob() in glibc 2.36+ when processing %include directives with + directory patterns. diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c @@ -289,6 +289,10 @@ static int filter_nopar_gen[] = { // getaddrinfo uses this.. SCMP_SYS(stat64), #endif +#ifdef __NR_lstat64 + // glob uses this on i386 with glibc 2.36+ + SCMP_SYS(lstat64), +#endif #ifdef __NR_getrandom SCMP_SYS(getrandom), @@ -2022,6 +2026,25 @@ add_noparam_filter(scmp_filter_ctx ctx) "received libseccomp error %d", rc); return rc; } +#elif defined(__NR_fstatat64) + // On i386, glibc uses fstatat64 instead of newfstatat. + // This is needed for glob() and stat() operations on 32-bit systems. + rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstatat64)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add fstatat64() syscall; " + "received libseccomp error %d", rc); + return rc; + } +#endif +#if defined(__i386__) && defined(__NR_statx) + // On i386 with glibc 2.33+, statx may be used for time64 support. + // glob() in glibc 2.36+ uses statx for directory traversal. + rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(statx)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add statx() syscall; " + "received libseccomp error %d", rc); + return rc; + } #endif }
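Review bot: In changes/bug_sandbox_lstat64 the entry is filed under "Minor features", but both bullets describe a fix for a failure (SIGHUP configuration reload breaking under the sandbox), and neither bullet names a ticket. I would move it under a bugfix heading for the linux seccomp2 sandbox and add the ticket reference. The first bullet also says the syscalls are allowed "when glibc >= 2.33", while the sandbox.c change keys only on `__NR_fstatat64` and on `__i386__` with `__NR_statx`, with no glibc version test; reword it so it says which glibc versions issue these calls rather than implying a condition the filter does not check.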
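Review bot: In the filter_nopar_gen hunk of src/lib/sandbox/sandbox.c the guard is `#ifdef __NR_lstat64`, but the comment and the changes entry both scope the need to i386. As written, lstat64 is allowed without argument checks on every architecture whose headers define it. Either narrow the guard to match the statx block, `#if defined(__i386__) && defined(__NR_lstat64)`, or change the comment to say that the wider scope is intended.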
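Review bot: In the add_noparam_filter hunk the two new rules are gated inconsistently: the fstatat64 branch applies wherever `__NR_fstatat64` is defined although its comment says "On i386", while the statx block requires `__i386__`. Pick one policy for both and make the comments match it. Both rules go through `seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, ...)`, so the calls are permitted for any path argument; a one-line comment stating that this is deliberate, and that it mirrors the branch this `#elif` extends, would help the next reader of the allowlist. The inserted `#endif` followed by a new `#if` also leaves the original trailing `#endif` closing a different condition than before, so a short trailing comment on each `#endif` naming its condition would make the structure easier to audit.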