author | Daniel Pinto <danielpinto52@gmail.com> | 2020-07-01 20:30:04 +0100 |
---|---|---|
committer | Daniel Pinto <danielpinto52@gmail.com> | 2020-07-20 22:30:00 +0100 |
commit | c79b4397d3839b77e85ceccc5a948f58c9fe37e6 (patch) | |
tree | d039549cb26154de3a16b1643de9faa1c146f1cb /changes | |
parent | c9751e26119e375fcbc74107e89958957c00ee5e (diff) | |
Fix seccomp sandbox rules for openat #27315
The need for casting negative syscall arguments depends on the
glibc version. This affects the rules for the openat syscall which
uses the constant AT_FDCWD that is defined as a negative number.
This commit adds logic to only apply the cast when necessary, on
glibc versions from 2.27 onwards.
Diffstat (limited to 'changes')
-rw-r--r-- | changes/bug27315 | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/changes/bug27315 b/changes/bug27315 new file mode 100644 index 0000000000..8af3ac8559 --- /dev/null +++ b/changes/bug27315 @@ -0,0 +1,6 @@ + o Minor bugfixes (linux seccomp2 sandbox): + - Fix a regression on sandboxing rules for the openat() syscall. + The fix for bug 25440 fixed the problem on systems with glibc >= + 2.27 but broke tor on previous versions of glibc. We now apply + the correct seccomp rule according to the running glibc version. + Patch from Daniel Pinto. Fixes bug 27315; bugfix on 0.3.5.11. |
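Review bot: The last sentence of the entry says the rule is chosen "according to the running glibc version", but neither the entry nor the commit message says whether the version is detected at run time (for example with gnu_get_libc_version()) or from compile-time macros. The difference matters for a binary built against one glibc and run on another, where a build-time check could still install the wrong openat() rule, so please confirm that the code checks at run time and keep this wording only if it does. Separately, "broke tor on previous versions of glibc" could name the affected range directly (glibc earlier than 2.27) and say what fails when the sandbox is enabled, so that operators can tell whether they are affected.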