sandbox: Allow "statx" syscall on i386 for glibc 2.33

glibc versions 2.33 and newer use the modern "statx" system call in their implementations of stat() and opendir() for Linux on i386. Prevent failures in the sandbox unit tests by modifying the sandbox to allow this system call without restriction on i386 when it is available, and update the test suite to skip the "sandbox/stat_filename" test in this case as it is certain to fail.
2024-11-10 21:23:58 +01:00 · 2021-11-05 10:10:10 -04:00 · 2021-11-05 10:10:10 -04:00 · 001d880d10
commit 001d880d10
parent d59f63f1c4
2 changed files with 7 additions and 3 deletions
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@ -252,6 +252,9 @@ static int filter_nopar_gen[] = {
    SCMP_SYS(sigreturn),
 #endif
    SCMP_SYS(stat),
+#if defined(__i386__) && defined(__NR_statx)
+    SCMP_SYS(statx),
+#endif
    SCMP_SYS(uname),
    SCMP_SYS(wait4),
    SCMP_SYS(write),
--- a/src/test/test_sandbox.c
+++ b/src/test/test_sandbox.c
@ -332,12 +332,13 @@ struct testcase_t sandbox_tests[] = {

 /* Currently the sandbox is unable to filter stat() calls on systems where
 * glibc implements this function using either of the legacy "stat" or "stat64"
- * system calls, or where glibc version 2.33 or later is in use and the newer
- * "newfstatat" syscall is available.
+ * system calls, or (in glibc version 2.33 and later) either of the newer
+ * "newfstatat" or "statx" syscalls.
 *
 * Skip testing sandbox_cfg_allow_stat_filename() if it seems the likely the
 * function will have no effect and the test will therefore not succeed. */
-#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat)
+#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat) \
+  && !(defined(__i386__) && defined(__NR_statx))
  SANDBOX_TEST_IN_SANDBOX(stat_filename),
 #else
  SANDBOX_TEST_SKIPPED(stat_filename),