Sandbox failures with glibc 2.33
It appears that glibc 2.33 is using yet another new set of system calls to implement our old friends. In particular I'm seeing newfstatat used to implement both stat and fstat.
Incidentally, this change will probably mean that we can't allow fstat() without allowing all stat() calls in the sandbox, since the behavior of using fstatat to implement fstat seems to depend on the presence of AT_EMPTY_PATH and on having an empty string for the path argument, and we can't detect a glibc-generated empty string from the seccomp sandbox.
So, how bad is it to allow all stat() calls from the sandbox? Probably it's not so great, but I don't see a choice here.