GitLab

It appears that glibc 2.33 is using yet another new set of system calls to implement our old friends. In particular I'm seeing newfstatat used to implement both stat and fstat.

Incidentally, this change will probably mean that we can't allow fstat() without allowing all stat() calls in the sandbox, since the behavior of using fstatat to implement fstat or seems to depend on the presence of AT_EMPTY_PATH and on having an empty string for the path argument, and we can't detect a glibc-generated empty string from the seccomp sandbox.

So, how bad is it to allow all stat() calls from the sandbox? Probably it's not so great, but I don't see a choice here.