Fix statx not being allowed on rpath/wpath pledges (#1291)

While always blocking statx did not lead to particularly bad results for most cases (most code that uses statx appears to utilize a fallback when statx is unavailable), it does lead to using usually far less used (thus far less well tested) code: for example, musl's current fstatat fallback for statx fails to set any values for stx_rdev_major and stx_rdev_minor, which the raw syscall wouldn't (I've have sent a patch to musl for this, but this won't fix older versions of musl and binaries/OSes using them). Along with the fact that statx extends stat in several useful ways, this seems to indicate it is far better to simply allow statx whenever pledge also allows stat-family syscalls, i.e. for both rpath and wpath pledges.
2025-01-31 03:27:39 +00:00 · 2024-09-13 23:31:29 +02:00 · 2024-09-13 23:31:29 +02:00 · 7d2c363963
commit 7d2c363963
parent 462ba6909e
1 changed files with 8 additions and 7 deletions
--- a/libc/calls/pledge-linux.c
+++ b/libc/calls/pledge-linux.c
@ -712,6 +712,7 @@ static const uint16_t kPledgeRpath[] = {
 #endif                             //
    __NR_linux_fstat,              //
    __NR_linux_fstatat,            //
+    __NR_linux_statx,              //
 #ifdef __NR_linux_access           //
    __NR_linux_access,             //
 #endif                             //
@ -739,6 +740,7 @@ static const uint16_t kPledgeWpath[] = {
    __NR_linux_lstat,               //
 #endif                              //
    __NR_linux_fstatat,             //
+    __NR_linux_statx,               //
 #ifdef __NR_linux_access            //
    __NR_linux_access,              //
 #endif                              //
@ -1005,16 +1007,15 @@ static const struct sock_filter kPledgeStart[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF(nr)),
 #ifdef __NR_linux_memfd_secret
    // forbid some system calls with ENOSYS (rather than EPERM)
-    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, __NR_linux_memfd_secret, 5, 0),
+    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, __NR_linux_memfd_secret, 4, 0),
 #else
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, __NR_linux_landlock_restrict_self + 1,
-             5, 0),
+             4, 0),
 #endif
-    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_rseq, 4, 0),
-    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_memfd_create, 3, 0),
-    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_openat2, 2, 0),
-    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_clone3, 1, 0),
-    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_statx, 0, 1),
+    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_rseq, 3, 0),
+    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_memfd_create, 2, 0),
+    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_openat2, 1, 0),
+    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_linux_clone3, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (Enosys & SECCOMP_RET_DATA)),
 };