Commit e4f2b52d authored by Nick Mathewson

Merge branch 'maint-0.4.5' into maint-0.4.6

parents 5acf18bf d85ef0d5
o Minor features (compatibility, Linux seccomp sandbox):
- Add a workaround to enable the Linux sandbox to work correctly
on systems running Glibc 2.33. These versions have started
using the fstatat() system call, which previously our sandbox did not
allow.
Closes ticket 40382; see the ticket for a discussion of tradeoffs.
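As an added illustration (not part of this commit or of Tor's sandbox code) of why the workaround has to admit every newfstatat() call: the program below shows that fstat(fd, &st) and stat(path, &st) both reduce to the same syscall number, and that the only thing distinguishing them is the path string (empty versus non-empty) together with AT_EMPTY_PATH, which is a no-op when the path is non-empty. A seccomp filter sees the syscall number and raw register values, not the bytes behind a userspace pointer, so it cannot tell the two cases apart. The helper names are hypothetical; the code assumes Linux on an architecture that defines SYS_newfstatat (x86_64 or aarch64) and uses the kernel's AT_EMPTY_PATH value as a fallback if the header does not export it.

```c
#define _GNU_SOURCE
#include <fcntl.h>        /* AT_FDCWD, AT_EMPTY_PATH, open() */
#include <sys/stat.h>
#include <sys/syscall.h>  /* SYS_newfstatat */
#include <unistd.h>       /* syscall(), close() */

/* Fallback to the kernel's constant in case _GNU_SOURCE was not in effect
 * when <fcntl.h> was first included (assumed value, matches linux/fcntl.h). */
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

/* Hypothetical helper: two stat results describe the same file when device
 * and inode match. */
static int same_identity(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* fstat(fd, &st) versus the raw newfstatat(fd, "", &st, AT_EMPTY_PATH) that
 * glibc 2.33 issues for it. Returns 1 when both report the same file. */
int fstat_matches_newfstatat(const char *path)
{
    struct stat via_fstat, via_raw;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    int ok = fstat(fd, &via_fstat) == 0 &&
             syscall(SYS_newfstatat, fd, "", &via_raw, AT_EMPTY_PATH) == 0 &&
             same_identity(&via_fstat, &via_raw);
    close(fd);
    return ok;
}

/* stat(path, &st) versus newfstatat(AT_FDCWD, path, &st, 0): same syscall
 * number as the fstat case, only the arguments differ. */
int stat_matches_newfstatat(const char *path)
{
    struct stat via_stat, via_raw;
    return stat(path, &via_stat) == 0 &&
           syscall(SYS_newfstatat, AT_FDCWD, path, &via_raw, 0) == 0 &&
           same_identity(&via_stat, &via_raw);
}

/* With a non-empty path, AT_EMPTY_PATH changes nothing: the flag alone does
 * not identify an fstat()-style call, which is why a rule cannot key on it. */
int empty_path_flag_ignored_for_nonempty_path(const char *path)
{
    struct stat with_flag, without_flag;
    return syscall(SYS_newfstatat, AT_FDCWD, path, &with_flag, AT_EMPTY_PATH) == 0 &&
           syscall(SYS_newfstatat, AT_FDCWD, path, &without_flag, 0) == 0 &&
           same_identity(&with_flag, &without_flag);
}

int main(void)
{
    /* All three checks are expected to return 1 on a glibc 2.33+ system. */
    return (fstat_matches_newfstatat("/") &&
            stat_matches_newfstatat("/") &&
            empty_path_flag_ignored_for_nonempty_path("/")) ? 0 : 1;
}
```

The practical consequence for a seccomp policy is the one the diff below records: a BPF filter can compare the descriptor and flags registers, but the empty string that makes AT_EMPTY_PATH meaningful lives in process memory, so the filter must either allow the syscall for every path or break fstat() for the whole process.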
@@ -1608,6 +1608,28 @@ add_noparam_filter(scmp_filter_ctx ctx)
}
}
if (is_libc_at_least(2, 33)) {
#ifdef __NR_newfstatat
// Libc 2.33 uses this syscall to implement both fstat() and stat().
//
// The trouble is that to implement fstat(fd, &st), it calls:
// newfstatat(fs, "", &st, AT_EMPTY_PATH)
// We can't detect this usage in particular, because "" is a pointer
// we don't control. And we can't just look for AT_EMPTY_PATH, since
// AT_EMPTY_PATH only has effect when the path string is empty.
//
// So our only solution seems to be allowing all fstatat calls, which
// means that an attacker can stat() anything on the filesystem. That's
// not a great solution, but I can't find a better one.
rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat));
if (rc != 0) {
log_err(LD_BUG,"(Sandbox) failed to add newfstatat() syscall; "
"received libseccomp error %d", rc);
return rc;
}
#endif
}
return 0;
}
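Review bot: the comment in this hunk misnames the first argument of the call it documents: `newfstatat(fs, "", &st, AT_EMPTY_PATH)` should read `newfstatat(fd, "", &st, AT_EMPTY_PATH)`, since it is the descriptor passed to fstat(fd, &st). Second, because the whole rule is wrapped in `#ifdef __NR_newfstatat`, a target without that syscall number enters the `is_libc_at_least(2, 33)` branch and adds nothing, silently; an `#else` with a comment (or a log line) would make that fall-through deliberate rather than accidental. Finally, the log message says `newfstatat()` while the changes entry says `fstatat()`; harmless, but worth aligning so the two are easy to grep together.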