From 99b5445cda5da420983ce1fe4ecd550e9638d523 Mon Sep 17 00:00:00 2001
From: Thomas Habets
Date: Mon, 15 Jan 2024 14:16:47 +0000
Subject: [PATCH] seccomp: Check for and allow statx
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Alternative solution to #54 Really this should be checking that the path name is empty, too, because the first arg is `dirfd`, and so this filter is based on: ``` By file descriptor If pathname is an empty string and the AT_EMPTY_PATH flag is speciā€ fied in flags (see below), then the target file is the one referred to by the file descriptor dirfd. ```
---
configure.ac | 20 ++++++++++++++++++++
src/arping.c | 8 ++++++++
2 files changed, 28 insertions(+)

diff --git a/configure.ac b/configure.ac
index 4de5db4..0917df4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -195,6 +195,26 @@ AC_ARG_ENABLE(warnings,
 CHECK_COMPILER_OPTION([-Wtrampolines])
 ])
+AC_DEFUN([CHECK_SECCOMP_SYSCALL], [
+ AC_MSG_CHECKING([seccomp syscall $1])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include
+]], [[
+void test()
+{
+scmp_filter_ctx ctx;
+seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS($1), 0);
+}
+]])],
+[
+ AC_MSG_RESULT(yes)
+ AC_DEFINE([HAVE_SECCOMP_SYSCALL_$1], [1], [Have seccomp syscall])
+],[AC_MSG_RESULT(no)])])
+
+CHECK_SECCOMP_SYSCALL([fstat]);
+CHECK_SECCOMP_SYSCALL([statx]);
+CHECK_SECCOMP_SYSCALL([nonexistant]);
+
 AC_CONFIG_FILES([Makefile])
 AC_CONFIG_FILES([src/Makefile])
 AC_CONFIG_FILES([doc/Makefile])
diff --git a/src/arping.c b/src/arping.c
index 8501871..5fc825c 100644
--- a/src/arping.c
+++ b/src/arping.c
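Review bot: The probe body defines `void test()` inside the `main()` that AC_LANG_PROGRAM wraps around it, which is a nested function definition — GCC accepts it as an extension, Clang rejects it — so under Clang every CHECK_SECCOMP_SYSCALL answers "no" whether or not `SCMP_SYS(statx)` exists, and arping.c is then built with neither the statx nor the fstat allow-rule. Dropping the wrapper is enough for a compile-only probe: replace the `void test()` … `}` lines with just `scmp_filter_ctx ctx = NULL;` and `seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS($1), 0);` as the program body. `CHECK_SECCOMP_SYSCALL([nonexistant])` reads as a negative control for the macro; say so with a comment such as `dnl negative control, must answer "no"` or drop it before release, and the spelling is "nonexistent". The `+#include` line shows no header name on this page, which looks like an extraction artefact, but it is worth confirming the committed file reads `<seccomp.h>` there.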
@@ -645,10 +645,18 @@ static void drop_seccomp(int libnet_fd)
 //
 // Write to stdout and stderr.
+#if HAVE_SECCOMP_SYSCALL_statx
+ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(statx), 1, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO))) {
+ perror("seccomp_rule_add(statx stdout)");
+ exit(1);
+ }
+#endif
+#if HAVE_SECCOMP_SYSCALL_fstat
 if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 1, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO))) {
 perror("seccomp_rule_add(fstat stdout)");
 exit(1);
 }
+#endif
 if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO))) {
 perror("seccomp_rule_add(write stdout)");
 exit(1);
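Review bot: The new statx rule constrains only `dirfd` (arg 0), so a statx call with a non-empty relative pathname passes the filter as long as fd 1 is in arg 0 — the commit message itself notes that the path should be checked too. libseccomp cannot look at the pathname string, but it can require the `AT_EMPTY_PATH` bit in `flags` (arg 2), which is what actually pins the call to the descriptor: `if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(statx), 2, SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO), SCMP_A2(SCMP_CMP_MASKED_EQ, AT_EMPTY_PATH, AT_EMPTY_PATH))) {` (AT_EMPTY_PATH is declared in `<fcntl.h>` under `_GNU_SOURCE`). Whether the statx caller behind #54 sets AT_EMPTY_PATH is not visible here — a libc implementing fstat on top of statx would, but confirm with strace before tightening. The same guard now also wraps the pre-existing fstat rule, so a build where configure answered "no" for both leaves no stat-family rule at all and the first stdio write to stdout falls to the filter's default action; that may be intended, but a configure-time warning when neither probe succeeds would make it visible. drop_seccomp begins and ends outside the hunk.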