From d59f63f1c40771e80638bac447947e51c07e3ad4 Mon Sep 17 00:00:00 2001 From: Simon South Date: Wed, 3 Nov 2021 12:21:35 -0400 Subject: test: Skip sandbox/stat_filename where "stat64" syscall defined On 32-bit architectures where Linux provides the "stat64" system call, including i386, the sandbox is unable to filter calls to stat() as glibc uses this system call itself internally and the sandbox must allow it without restriction. Update the sandbox unit tests to skip the "sandbox/stat_filename" test on systems where the "stat64" system call is defined and the test is certain to fail. Also reorder the "#if" statement's clauses to correspond with the comment preceding it, for clarity. --- src/test/test_sandbox.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/test') diff --git a/src/test/test_sandbox.c b/src/test/test_sandbox.c index e5064c58ec..ab3356771f 100644 --- a/src/test/test_sandbox.c +++ b/src/test/test_sandbox.c @@ -331,13 +331,13 @@ struct testcase_t sandbox_tests[] = { SANDBOX_TEST_IN_SANDBOX(rename_filename), /* Currently the sandbox is unable to filter stat() calls on systems where - * glibc implements this function using the legacy "stat" system call, or where - * glibc version 2.33 or later is in use and the newer "newfstatat" syscall is - * available. + * glibc implements this function using either of the legacy "stat" or "stat64" + * system calls, or where glibc version 2.33 or later is in use and the newer + * "newfstatat" syscall is available. * * Skip testing sandbox_cfg_allow_stat_filename() if it seems the likely the * function will have no effect and the test will therefore not succeed. */ -#if !defined(__NR_newfstatat) && (!defined(__NR_stat) || defined(__NR_stat64)) +#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat) SANDBOX_TEST_IN_SANDBOX(stat_filename), #else SANDBOX_TEST_SKIPPED(stat_filename), -- cgit v1.2.3-54-g00ecf From 001d880d1082f5d124e10554e2718e407c7e88c6 Mon Sep 17 00:00:00 2001 From: Simon South Date: Fri, 5 Nov 2021 10:10:10 -0400 Subject: sandbox: Allow "statx" syscall on i386 for glibc 2.33 glibc versions 2.33 and newer use the modern "statx" system call in their implementations of stat() and opendir() for Linux on i386. Prevent failures in the sandbox unit tests by modifying the sandbox to allow this system call without restriction on i386 when it is available, and update the test suite to skip the "sandbox/stat_filename" test in this case as it is certain to fail. --- src/lib/sandbox/sandbox.c | 3 +++ src/test/test_sandbox.c | 7 ++++--- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'src/test') diff --git a/src/lib/sandbox/sandbox.c b/src/lib/sandbox/sandbox.c index fb02a345ab..a15f99ad76 100644 --- a/src/lib/sandbox/sandbox.c +++ b/src/lib/sandbox/sandbox.c @@ -252,6 +252,9 @@ static int filter_nopar_gen[] = { SCMP_SYS(sigreturn), #endif SCMP_SYS(stat), +#if defined(__i386__) && defined(__NR_statx) + SCMP_SYS(statx), +#endif SCMP_SYS(uname), SCMP_SYS(wait4), SCMP_SYS(write), diff --git a/src/test/test_sandbox.c b/src/test/test_sandbox.c index ab3356771f..7ec08a3546 100644 --- a/src/test/test_sandbox.c +++ b/src/test/test_sandbox.c @@ -332,12 +332,13 @@ struct testcase_t sandbox_tests[] = { /* Currently the sandbox is unable to filter stat() calls on systems where * glibc implements this function using either of the legacy "stat" or "stat64" - * system calls, or where glibc version 2.33 or later is in use and the newer - * "newfstatat" syscall is available. + * system calls, or (in glibc version 2.33 and later) either of the newer + * "newfstatat" or "statx" syscalls. * * Skip testing sandbox_cfg_allow_stat_filename() if it seems the likely the * function will have no effect and the test will therefore not succeed. */ -#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat) +#if !defined(__NR_stat) && !defined(__NR_stat64) && !defined(__NR_newfstatat) \ + && !(defined(__i386__) && defined(__NR_statx)) SANDBOX_TEST_IN_SANDBOX(stat_filename), #else SANDBOX_TEST_SKIPPED(stat_filename), -- cgit v1.2.3-54-g00ecf