Index: chromium-98.0.4758.80/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
===================================================================
--- chromium-98.0.4758.80.orig/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ chromium-98.0.4758.80/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -287,6 +287,18 @@ ResultExpr EvaluateSyscallImpl(int fs_de
     return RestrictKillTarget(current_pid, sysno);
   }
 
+#if defined(__NR_newfstatat)
+  if (sysno == __NR_newfstatat) {
+    return RewriteFstatatSIGSYS();
+  }
+#endif
+
+#if defined(__NR_fstatat64)
+  if (sysno == __NR_fstatat64) {
+    return RewriteFstatatSIGSYS();
+  }
+#endif
+
   // memfd_create is considered a file system syscall which below will be denied
   // with fs_denied_errno, we need memfd_create for Mojo shared memory channels.
   if (sysno == __NR_memfd_create) {
@@ -310,7 +310,7 @@
   // with fs_denied_errno. However some allowed fstat syscalls are rewritten by
   // libc implementations to fstatat syscalls, and we need to rewrite them back.
   if (sysno == __NR_fstatat_default) {
-    return RewriteFstatatSIGSYS(fs_denied_errno);
+    return RewriteFstatatSIGSYS();
   }
 
   // The statx syscall is a filesystem syscall, which will be denied below with
Index: chromium-98.0.4758.80/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
===================================================================
--- chromium-98.0.4758.80.orig/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+++ chromium-98.0.4758.80/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
@@ -6,6 +6,7 @@
 
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 
+#include
 #include
 #include
 #include
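Review bot: The two new `__NR_newfstatat` / `__NR_fstatat64` checks make the existing `if (sysno == __NR_fstatat_default)` branch in the following hunk (@@ -310) unreachable, since, as far as I can tell, `__NR_fstatat_default` resolves to one of those two numbers on every supported architecture. One of the two sites should go, and the comment explaining why fstatat is rewritten (it now sits above the dead branch) should stay with the surviving one; the simplest form is to keep `if (sysno == __NR_fstatat_default) {` and drop the two `#if` blocks, or, if there is an architecture where neither macro equals `__NR_fstatat_default`, state that in a comment next to the new checks. EvaluateSyscallImpl starts and ends outside the hunk.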
@@ -354,17 +355,28 @@ intptr_t SIGSYSSchedHandler(const struct
 }
 
 intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
-                              void* fs_denied_errno) {
-  if (args.nr == __NR_fstatat_default) {
-    if (*reinterpret_cast(args.args[1]) == '\0' &&
-        args.args[3] == static_cast(AT_EMPTY_PATH)) {
-      return syscall(__NR_fstat_default, static_cast(args.args[0]),
-                     reinterpret_cast(args.args[2]));
-    }
-    return -reinterpret_cast(fs_denied_errno);
+                              void* aux) {
+  switch (args.nr) {
+#if defined(__NR_newfstatat)
+    case __NR_newfstatat:
+#endif
+#if defined(__NR_fstatat64)
+    case __NR_fstatat64:
+#endif
+#if defined(__NR_newfstatat) || defined(__NR_fstatat64)
+      if (*reinterpret_cast(args.args[1]) == '\0'
+          && args.args[3] == static_cast(AT_EMPTY_PATH)) {
+        return sandbox::sys_fstat64(static_cast(args.args[0]),
+                                    reinterpret_cast(args.args[2]));
+      } else {
+        errno = EACCES;
+        return -1;
+      }
+      break;
+#endif
   }
-  CrashSIGSYS_Handler(args, fs_denied_errno);
+  CrashSIGSYS_Handler(args, aux);
 
   // Should never be reached.
   RAW_CHECK(false);
@@ -403,9 +415,8 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS()
   return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
 }
 
-bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno) {
-  return bpf_dsl::Trap(SIGSYSFstatatHandler,
-                       reinterpret_cast(fs_denied_errno));
+bpf_dsl::ResultExpr RewriteFstatatSIGSYS() {
+  return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL);
 }
 
 void AllocateCrashKeys() {
Index: chromium-98.0.4758.80/sandbox/linux/services/syscall_wrappers.cc
===================================================================
--- chromium-98.0.4758.80.orig/sandbox/linux/services/syscall_wrappers.cc
+++ chromium-98.0.4758.80/sandbox/linux/services/syscall_wrappers.cc
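Review bot: `errno = EACCES; return -1;` in the new else-branch does not deliver EACCES to the trapped caller: the value a Trap handler returns is written back as the raw syscall result, so `-1` reaches libc as `-EPERM`, while the errno assignment only changes the handler's own errno (and, unless the trap machinery saves and restores errno around the handler, also clobbers the interrupted thread's errno). The removed line returned the negated `fs_denied_errno`, following the negative-errno convention the other handlers in this file use; the minimal fix is to replace the two lines with `return -EACCES;`, and keeping the `fs_denied_errno` plumbing that this patch strips from RewriteFstatatSIGSYS here and from its callers in baseline_policy.cc and sandbox_linux.cc would keep the denial errno consistent with the rest of the policy. The `break;` after the if/else is unreachable because both branches return. The `switch` has no `default:`, so it is worth a one-line comment that anything not matched deliberately falls through to `CrashSIGSYS_Handler`. SIGSYSFstatatHandler continues past the end of the hunk.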
@@ -204,4 +204,13 @@ int sys_fstatat64(int dirfd,
 #endif
 }
 
+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf)
+{
+#if defined(__NR_fstat64)
+  return syscall(__NR_fstat64, fd, buf);
+#else
+  return syscall(__NR_fstat, fd, buf);
+#endif
+}
+
 } // namespace sandbox
Index: chromium-98.0.4758.80/sandbox/linux/services/syscall_wrappers.h
===================================================================
--- chromium-98.0.4758.80.orig/sandbox/linux/services/syscall_wrappers.h
+++ chromium-98.0.4758.80/sandbox/linux/services/syscall_wrappers.h
@@ -19,6 +19,7 @@
 struct cap_hdr;
 struct cap_data;
 struct kernel_stat;
 struct kernel_stat64;
+struct stat64;
 
 namespace sandbox {
@@ -99,6 +100,9 @@ SANDBOX_EXPORT int sys_fstatat64(int dir
                                  struct kernel_stat64* stat_buf,
                                  int flags);
 
+// Recent glibc rewrites fstat to fstatat.
+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf);
+
 } // namespace sandbox
 
 #endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
Index: chromium-98.0.4758.80/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
===================================================================
--- chromium-98.0.4758.80.orig/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+++ chromium-98.0.4758.80/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
@@ -77,7 +77,7 @@
 SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
 SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
 SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
-SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS(int fs_denied_errno);
+SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS();
 
 // Allocates a crash key so that Seccomp information can be recorded.
 void AllocateCrashKeys();
Index: chromium-98.0.4758.80/sandbox/policy/linux/sandbox_linux.cc
===================================================================
--- chromium-98.0.4758.80.orig/sandbox/policy/linux/sandbox_linux.cc
+++ chromium-98.0.4758.80/sandbox/policy/linux/sandbox_linux.cc
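Review bot: `sys_fstat64` takes a `struct stat64*` while its sibling `sys_fstatat64` (its declaration is visible in the syscall_wrappers.h hunk) takes `struct kernel_stat64*`; the buffer is only forwarded to the kernel, so declaring it as `struct kernel_stat64* stat_buf` would keep the two wrappers consistent and avoid the new `struct stat64;` forward declaration in the header, which on libcs that spell `stat64` as a macro alias of `stat` may not name the type the handler passes — worth confirming against the supported toolchains. The `#else` branch issues `__NR_fstat` with the same buffer, which relies on the two layouts being identical on arches that lack `__NR_fstat64`; a one-line comment stating that assumption would help the next reader. Style: the hunk's own context line `int sys_fstatat64(int dirfd,` shows the definitions in this file do not repeat `SANDBOX_EXPORT` and Chromium puts the opening brace on the signature line, so `int sys_fstat64(int fd, struct kernel_stat64* stat_buf) {` matches the file.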
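Review bot: The comment `// Recent glibc rewrites fstat to fstatat.` on the new declaration explains the caller's motivation but not what the function does; a contract-style comment would serve readers of the header better, e.g. `// Issues fstat64 (or fstat where fstat64 does not exist) directly, bypassing the libc wrapper. Used by the fstatat SIGSYS handler to re-issue a trapped fstatat(fd, "", AT_EMPTY_PATH) as a plain fstat.` Stating the return convention (raw syscall result, -1 with errno set on failure) in the same comment would also document what the SIGSYS handler propagates to the trapped caller.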
@@ -529,7 +529,7 @@
       // fstatat() to fail, see https://crbug.com/1243290#c8 for details.
       const bpf_dsl::Arg flags(3);
       return bpf_dsl::If((flags & AT_EMPTY_PATH) == AT_EMPTY_PATH,
-                         RewriteFstatatSIGSYS(BPFBasePolicy::GetFSDeniedErrno()))
+                         RewriteFstatatSIGSYS())
           .Else(handle_via_broker);
     } else {
       return handle_via_broker;