Merge remote-tracking branch 'tor-gitlab/mr/480' into main

changes/bug40505

+  o Minor bugfixes (sandbox):
+    - Fix the sandbox on i386 by modifying it to allow the
+      "clock_gettime64" and "statx" system calls and to filter the
+      "chown32" and "stat64" system calls in place of "chown" and
+      "stat", respectively.  Fixes bug 40505; bugfix on 0.2.5.4-alpha.
\ No newline at end of file

src/lib/sandbox/sandbox.c

@@ -152,7 +152,11 @@ static sandbox_cfg_t *filter_dynamic = NULL;
 static int filter_nopar_gen[] = {
     SCMP_SYS(access),
     SCMP_SYS(brk),
+#ifdef __NR_clock_gettime64
+    SCMP_SYS(clock_gettime64),
+#else
     SCMP_SYS(clock_gettime),
+#endif
     SCMP_SYS(close),
     SCMP_SYS(clone),
     SCMP_SYS(dup),
@@ -248,6 +252,9 @@ static int filter_nopar_gen[] = {
     SCMP_SYS(sigreturn),
 #endif
     SCMP_SYS(stat),
+#if defined(__i386__) && defined(__NR_statx)
+    SCMP_SYS(statx),
+#endif
     SCMP_SYS(uname),
     SCMP_SYS(wait4),
     SCMP_SYS(write),
@@ -599,6 +606,32 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   return 0;
 }
 
+#ifdef __i386__
+static int
+sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+{
+  int rc;
+  sandbox_cfg_t *elem = NULL;
+
+  // for each dynamic parameter filters
+  for (elem = filter; elem != NULL; elem = elem->next) {
+    smp_param_t *param = elem->param;
+
+    if (param != NULL && param->prot == 1 && param->syscall
+        == SCMP_SYS(chown32)) {
+      rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(chown32),
+            SCMP_CMP_STR(0, SCMP_CMP_EQ, param->value));
+      if (rc != 0) {
+        log_err(LD_BUG,"(Sandbox) failed to add chown32 syscall, received "
+            "libseccomp error %d", rc);
+        return rc;
+      }
+    }
+  }
+
+  return 0;
+}
+#else
 static int
 sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 {
@@ -623,6 +656,7 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 
   return 0;
 }
+#endif /* defined(__i386__) */
 
 /**
  * Function responsible for setting up the rename syscall for
@@ -1270,7 +1304,11 @@ static sandbox_filter_func_t filter_func[] = {
 #ifdef __NR_mmap2
     sb_mmap2,
 #endif
+#ifdef __i386__
+    sb_chown32,
+#else
     sb_chown,
+#endif
     sb_chmod,
     sb_open,
     sb_openat,
@@ -1544,6 +1582,12 @@ new_element(int syscall, char *value)
   return new_element2(syscall, value, NULL);
 }
 
+#ifdef __i386__
+#define SCMP_chown SCMP_SYS(chown32)
+#else
+#define SCMP_chown SCMP_SYS(chown)
+#endif
+
 #ifdef __NR_stat64
 #define SCMP_stat SCMP_SYS(stat64)
 #else
@@ -1594,7 +1638,7 @@ sandbox_cfg_allow_chown_filename(sandbox_cfg_t **cfg, char *file)
 {
   sandbox_cfg_t *elem = NULL;
 
-  elem = new_element(SCMP_SYS(chown), file);
+  elem = new_element(SCMP_chown, file);
 
   elem->next = *cfg;
   *cfg = elem;

src/test/test_sandbox.c

@@ -331,13 +331,14 @@ struct testcase_t sandbox_tests[] = {
   SANDBOX_TEST_IN_SANDBOX(rename_filename),
 
 /* Currently the sandbox is unable to filter stat() calls on systems where
- * glibc implements this function using the legacy "stat" system call, or where
- * glibc version 2.33 or later is in use and the newer "newfstatat" syscall is
- * available.
+ * glibc implements this function using either of the legacy "stat" or "stat64"
+ * system calls, or (in glibc version 2.33 and later) either of the newer
+ * "newfstatat" or "statx" syscalls.
  *
  * Skip testing sandbox_cfg_allow_stat_filename() if it seems the likely the
  * function will have no effect and the test will therefore not succeed. */
-#if !defined(__NR_newfstatat) && (!defined(__NR_stat) || defined(__NR_stat64))
+#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat) \
+  && !(defined(__i386__) && defined(__NR_statx))
   SANDBOX_TEST_IN_SANDBOX(stat_filename),
 #else
   SANDBOX_TEST_SKIPPED(stat_filename),