sandbox: fix AArch64 file ops filtering
Noticed via the new sandbox unit tests added in 0.4.7.x (thanks!). It seems like the sandbox has not worked properly on AArch64 before due to two issues:
-
A regression caused by d75e7daa: while it looks like x86_64 is not sign-extending its negative 32 bit integers, AArch64 is. This fix seems fragile to me, it seems like the comparison should only get done on the bottom 32 bit somehow, but that's out of the scope of this MR.
-
The chmod/chown/rename syscalls never existed on AArch64 since it's a fairly new arch. glibc (and likely others) use fchmodat/fchownat/renameat with AT_CWD to implement the POSIX chmod/chown/rename functions. This MR adds new filter support for fchmodat/fchownat/renameat and uses it on AArch64 (this change is expected to be neutral in seccomp filter space usage).
Fixes #40599 (closed).
First time contributing, let me know if there's anything I'm doing wrong!