[tor-commits] [tor/main] sandbox: Allow "statx" syscall on i386 for glibc 2.33

ahf at torproject.org ahf at torproject.org
Mon Nov 8 14:13:26 UTC 2021 

commit 001d880d1082f5d124e10554e2718e407c7e88c6
Author: Simon South <simon at simonsouth.net>
Date:   Fri Nov 5 10:10:10 2021 -0400

    sandbox: Allow "statx" syscall on i386 for glibc 2.33
    
    glibc versions 2.33 and newer use the modern "statx" system call in their
    implementations of stat() and opendir() for Linux on i386.  Prevent failures in
    the sandbox unit tests by modifying the sandbox to allow this system call
    without restriction on i386 when it is available, and update the test suite to
    skip the "sandbox/stat_filename" test in this case as it is certain to fail.
---
 src/lib/sandbox/sandbox.c | 3 +++
 src/test/test_sandbox.c   | 7 ++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index fb02a345ab..a15f99ad76 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -252,6 +252,9 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(sigreturn),
 #endif
     SCMP_SYS(stat),
+#if defined(__i386__) && defined(__NR_statx)
+    SCMP_SYS(statx),
+#endif
     SCMP_SYS(uname),
     SCMP_SYS(wait4),
     SCMP_SYS(write),
diff --git a/src/test/test_sandbox.c b/src/test/test_sandbox.c
index ab3356771f..7ec08a3546 100644
--- a/src/test/test_sandbox.c
+++ b/src/test/test_sandbox.c
@@ -332,12 +332,13 @@ struct testcase_t sandbox_tests[] = {
 
 /* Currently the sandbox is unable to filter stat() calls on systems where
  * glibc implements this function using either of the legacy "stat" or "stat64"
- * system calls, or where glibc version 2.33 or later is in use and the newer
- * "newfstatat" syscall is available.
+ * system calls, or (in glibc version 2.33 and later) either of the newer
+ * "newfstatat" or "statx" syscalls.
  *
  * Skip testing sandbox_cfg_allow_stat_filename() if it seems the likely the
  * function will have no effect and the test will therefore not succeed. */
-#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat)
+#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat) \
+  && !(defined(__i386__) && defined(__NR_statx))
   SANDBOX_TEST_IN_SANDBOX(stat_filename),
 #else
   SANDBOX_TEST_SKIPPED(stat_filename),

More information about the tor-commits mailing list