Florian Weimer wrote: > I suspect some of the preprocessor conditionals in > SyscallSets::IsFileSystem in > > <https://chromium.googlesource.com/chromium/src.git/+/refs/heads/master/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc> > > need fixing. Unfortunately, the fix is more complicated than that. It is really not helpful behavior from glibc to use the fstatat syscall to implement fstat. (What is the benefit of doing that?) It is particularly hard to detect that an fstatat call is really an fstat in a seccomp sandbox because BPF does not support validating string arguments, but the path being an empty string is a necessary condition to check. I have come up with this fix: https://src.fedoraproject.org/rpms/qt5-qtwebengine/blob/master/f/qtwebengine-everywhere-src-5.15.2-%231904652.patch that works for me (and it actually ends up calling the fstat syscall as the old glibc did, because that is the only safe way to prevent retriggering another SIGSYS from the SIGSYS handler). So far, it has not yet been applied to the chromium package, only to qt5-qtwebengine. Kevin Kofler _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
