Sandbox failures with glibc 2.33
It appears that glibc 2.33 is using yet another new set of system calls to implement our old friends. In particular I'm seeing newfstatat used to implement both stat and fstat.
Incidentally, this change will probably mean that we can't allow fstat() without allowing all stat() calls in the sandbox, since the behavior of using fstatat to implement fstat seems to depend on the presence of AT_EMPTY_PATH and on having an empty string for the path argument, and we can't detect a glibc-generated empty string from the seccomp sandbox.
So, how bad is it to allow all stat() calls from the sandbox? Probably it's not so great, but I don't see a choice here.
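
The limitation described above, as an added example that is not part of the original report or the project's code: it issues newfstatat twice with the same descriptor and flags, once with an empty path (the fstat form) and once with a real path, and compares the scalar arguments a seccomp filter could inspect. The names `struct seen`, `traced_statat` and `filter_cannot_distinguish` are hypothetical, and the code assumes Linux on an architecture that defines SYS_newfstatat (for example x86-64 or aarch64).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

/* Scalar arguments as a seccomp BPF filter sees them (seccomp_data.args[]).
 * The path and stat buffer are pointers: the filter gets only addresses. */
struct seen { long dirfd; long flags; };

/* Hypothetical helper: call newfstatat directly and record those scalars. */
static int traced_statat(int dirfd, const char *path, struct stat *st,
                         int flags, struct seen *out)
{
    out->dirfd = dirfd;
    out->flags = flags;
    return (int)syscall(SYS_newfstatat, dirfd, path, st, flags);
}

/* Returns 1 when an fstat-style call and a stat-by-path call present the
 * same scalars but describe different files; 0 if not; -1 on error. */
int filter_cannot_distinguish(void)
{
    int p[2];
    struct stat a, b;
    struct seen sa, sb;
    if (pipe(p) != 0) return -1;
    /* Empty path + AT_EMPTY_PATH: stats the descriptor itself (fstat). */
    int r1 = traced_statat(p[0], "", &a, AT_EMPTY_PATH, &sa);
    /* Same fd and flags, absolute path: dirfd is ignored, this is stat("/"). */
    int r2 = traced_statat(p[0], "/", &b, AT_EMPTY_PATH, &sb);
    close(p[0]);
    close(p[1]);
    if (r1 != 0 || r2 != 0) return -1;
    int same_scalars = sa.dirfd == sb.dirfd && sa.flags == sb.flags;
    return same_scalars && S_ISFIFO(a.st_mode) && S_ISDIR(b.st_mode);
}

int main(void)
{
    printf("indistinguishable by scalars: %d\n", filter_cannot_distinguish());
    return 0;
}
```

A filter rule that matches on the flags argument alone therefore admits both calls, which is why allowing the fstat form ends up allowing stat by path as well.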