-rw-r--r-- | src/lib/sandbox/sandbox.c | 3 | ||||
-rw-r--r-- | src/test/test_sandbox.c | 7 |
2 files changed, 7 insertions, 3 deletions
diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c
index fb02a345ab..a15f99ad76 100644
--- a/src/lib/sandbox/sandbox.c
+++ b/src/lib/sandbox/sandbox.c
@@ -252,6 +252,9 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(sigreturn),
 #endif
 SCMP_SYS(stat),
+#if defined(__i386__) && defined(__NR_statx)
+ SCMP_SYS(statx),
+#endif
 SCMP_SYS(uname),
 SCMP_SYS(wait4),
 SCMP_SYS(write),
diff --git a/src/test/test_sandbox.c b/src/test/test_sandbox.c
index ab3356771f..7ec08a3546 100644
--- a/src/test/test_sandbox.c
+++ b/src/test/test_sandbox.c
@@ -332,12 +332,13 @@ struct testcase_t sandbox_tests[] = {
 /* Currently the sandbox is unable to filter stat() calls on systems where
 * glibc implements this function using either of the legacy "stat" or "stat64"
- * system calls, or where glibc version 2.33 or later is in use and the newer
- * "newfstatat" syscall is available.
+ * system calls, or (in glibc version 2.33 and later) either of the newer
+ * "newfstatat" or "statx" syscalls.
 *
 * Skip testing sandbox_cfg_allow_stat_filename() if it seems the likely the
 * function will have no effect and the test will therefore not succeed. */
-#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat)
+#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat) \
+ && !(defined(__i386__) && defined(__NR_statx))
 SANDBOX_TEST_IN_SANDBOX(stat_filename),
 #else
 SANDBOX_TEST_SKIPPED(stat_filename), |
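Review bot: The new `SCMP_SYS(statx)` entry in `filter_nopar_gen` has no comment explaining why statx is allowed with no argument filter, or why only under `__i386__`. Judging by the array name and the test comment in this same commit, entries here appear to be permitted unconditionally, so on these builds sandboxed code can query metadata for any path and `sandbox_cfg_allow_stat_filename()` adds no restriction. I would add above the `#if`: `/* glibc 2.33+ may implement stat() with statx on i386; allowed unfiltered, so per-filename stat rules are not enforced here. */`. Please also confirm whether other 32-bit targets reach statx from stat(), since the `__i386__` guard would leave the call blocked there. The array starts and ends outside the hunk.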
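Review bot: The skip condition in test_sandbox.c repeats the `defined(__i386__) && defined(__NR_statx)` predicate from sandbox.c by hand, so the filter and the test can drift apart if one guard is later widened or narrowed. Defining one feature macro next to the filter and testing it in both files would keep them in step, for example `#if defined(__i386__) && defined(__NR_statx)` / `#define SANDBOX_STATX_UNFILTERED 1` / `#endif` (the macro name is only a suggestion). The decision is also made from header macros at compile time rather than from what the running libc actually calls, which the comment could state so a skipped `stat_filename` is not read as coverage. `sandbox_tests[]` continues outside the hunk.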