[librpsecure] Whitelist statx() to fix amiiboc on armhf on Ubuntu 24.…

…04 and later.

On armhf (glibc-2.39), amiiboc ends up calling statx() indirectly through
the fgets() function:

Program received signal SIGSYS, Bad system call.
__libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
warning: 47     ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file or directory
(gdb) bt
=0  __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
=1  0xb6d2ea0a in fstatat64_time64_statx (flag=4096, buf=0xbefff690,
    file=0xb6d91c18 "", fd=3) at ../sysdeps/unix/sysv/linux/fstatat64.c:50
=2  __GI___fstatat64_time64 (fd=3, file=0xb6d91c18 "", buf=0xbefff690,
    flag=4096) at ../sysdeps/unix/sysv/linux/fstatat64.c:150
=3  0xb6cdaae4 in __GI__IO_file_doallocate (fp=0x414f60) at libioP.h:1030
=4  0xb6ce5518 in __GI__IO_doallocbuf (fp=0x414f60) at libioP.h:1030
=5  __GI__IO_doallocbuf (fp=fp@entry=0x414f60) at genops.c:342
=6  0xb6ce3e86 in _IO_new_file_underflow (fp=0x414f60) at fileops.c:486
=7  0xb6ce557a in __GI__IO_default_uflow (fp=0x414f60) at libioP.h:1030
=8  0xb6cdc03e in __GI__IO_getline_info (fp=fp@entry=0x414f60,
    buf=buf@entry=0xbefff804 "ƀ㶫7\357Z\234\370\377\276\004\323\375\266\330\354\377\266\001", n=n@entry=255, delim=delim@entry=10,
    extract_delim=extract_delim@entry=1, eof=eof@entry=0x0) at iogetline.c:60
=9  0xb6cdc0c8 in __GI__IO_getline (fp=fp@entry=0x414f60,
    buf=buf@entry=0xbefff804 "ƀ㶫7\357Z\234\370\377\276\004\323\375\266\330\354\377\266\001", n=n@entry=255, delim=delim@entry=10,
    extract_delim=extract_delim@entry=1) at iogetline.c:34
=10 0xb6cdb288 in _IO_fgets (
    buf=buf@entry=0xbefff804 "ƀ㶫7\357Z\234\370\377\276\004\323\375\266\330\354\377\266\001", n=n@entry=256, fp=fp@entry=0x414f60) at iofgets.c:53
=11 0x004019e8 in fgets (__stream=0x414f60, __n=256,
    __s=0xbefff804 "ƀ㶫7\357Z\234\370\377\276\004\323\375\266\330\354\377\266\001") at /usr/include/arm-linux-gnueabihf/bits/stdio2.h:200
=12 main (argc=<optimized out>, argv=0xbefffaa4)
    at rom-properties/src/amiibo-data/amiiboc.cpp:204

debian/changelog

@@ -1,3 +1,9 @@
+rom-properties (2.4-1ppa6~oracular5) oracular; urgency=medium
+
+  * Add statx() to syscall whitelist to fix SIGSYS in amiiboc on armhf.
+
+ -- David Korth <[email protected]>  Tue, 12 Nov 2024 19:57:50 -0500
+
 rom-properties (2.4-1ppa6~oracular4) oracular; urgency=medium
 
   * rom-properties-gtk4: Depend on libromdata5, not libromdata2.

src/amiibo-data/amiiboc.cpp

@@ -126,8 +126,7 @@ static int set_security_options(void)
 #elif defined(HAVE_SECCOMP)
 	static constexpr int syscall_wl[] = {
 		// Syscalls used by amiiboc.
-		SCMP_SYS(close), SCMP_SYS(fstat), SCMP_SYS(fstat64), // __GI___fxstat() [printf()]
-		SCMP_SYS(fstatat64), SCMP_SYS(newfstatat),           // Ubuntu 19.10 (32-bit)
+		SCMP_SYS(close),
 		SCMP_SYS(gettimeofday),                              // 32-bit only?
 		SCMP_SYS(lseek), SCMP_SYS(_llseek),
 		SCMP_SYS(open),   // Ubuntu 16.04

src/gtk/thumbnailer-dbus/rptsecure.c

@@ -36,8 +36,6 @@ int rpt_do_security_options(void)
 		SCMP_SYS(close),
 		SCMP_SYS(dup),		// gzdopen()
 		SCMP_SYS(fcntl),     SCMP_SYS(fcntl64),		// gcc profiling
-		SCMP_SYS(fstat),     SCMP_SYS(fstat64),		// __GI___fxstat() [printf()]
-		SCMP_SYS(fstatat64), SCMP_SYS(newfstatat),	// Ubuntu 19.10 (32-bit)
 		SCMP_SYS(ftruncate),	// LibRpBase::RpFile::truncate() [from LibRpBase::RpPngWriterPrivate ctors]
 		SCMP_SYS(ftruncate64),
 		SCMP_SYS(futex),	// iconv_open(), dlopen()
@@ -66,11 +64,6 @@ int rpt_do_security_options(void)
 		// NOTE: Only seems to get triggered on PowerPC...
 		SCMP_SYS(clock_gettime), SCMP_SYS(clock_gettime64),
 
-#if defined(__SNR_statx) || defined(__NR_statx)
-		SCMP_SYS(getcwd),	// called by glibc's statx()
-		SCMP_SYS(statx),
-#endif /* __SNR_statx || __NR_statx */
-
 		// glibc ncsd
 		// TODO: Restrict connect() to AF_UNIX.
 		SCMP_SYS(connect), SCMP_SYS(recvmsg), SCMP_SYS(sendto),

src/librpbase/tests/gtest_init.cpp

@@ -49,8 +49,6 @@ int RP_C_API _tmain(int argc, TCHAR *argv[])
 		SCMP_SYS(clock_gettime64),
 #endif /* __SNR_clock_gettime64 || __NR_clock_gettime64 */
 		SCMP_SYS(fcntl),     SCMP_SYS(fcntl64),		// gcc profiling
-		SCMP_SYS(fstat),     SCMP_SYS(fstat64),		// __GI___fxstat() [printf()]
-		SCMP_SYS(fstatat64), SCMP_SYS(newfstatat),	// Ubuntu 19.10 (32-bit)
 		SCMP_SYS(futex),	// iconv_open()
 		SCMP_SYS(gettimeofday),	// 32-bit only? [testing::internal::GetTimeInMillis()]
 		SCMP_SYS(mmap),		// iconv_open()
@@ -89,11 +87,6 @@ int RP_C_API _tmain(int argc, TCHAR *argv[])
 		// TODO: Restrict connect() to AF_UNIX.
 		SCMP_SYS(connect), SCMP_SYS(recvmsg), SCMP_SYS(sendto),
 
-#if defined(__SNR_statx) || defined(__NR_statx)
-		//SCMP_SYS(getcwd),	// called by glibc's statx() [referenced above]
-		SCMP_SYS(statx),
-#endif /* __SNR_statx || __NR_statx */
-
 		// for posix_fadvise()
 		SCMP_SYS(fadvise64), SCMP_SYS(fadvise64_64),
 		SCMP_SYS(arm_fadvise64_64),	// CPU-specific syscall for Linux on 32-bit ARM

src/librpsecure/os-secure_linux.c

@@ -85,6 +85,16 @@ int rp_secure_enable(rp_secure_param_t param)
 		__NR_faccessat2		// Required for Gentoo's sandbox (amiiboc)
 #endif /* __SNR_faccessat2 || __NR_faccessat2 */
 
+		// stat()
+		SCMP_SYS(fstat), SCMP_SYS(fstat64), 		// __GI___fxstat() [printf()]
+		SCMP_SYS(fstatat64), SCMP_SYS(newfstatat),	// Ubuntu 19.10 (32-bit)
+
+#if defined(__SNR_statx) || defined(__NR_statx)
+		// statx()
+		SCMP_SYS(getcwd),	// called by glibc's statx()
+		SCMP_SYS(statx),
+#endif /* __SNR_statx || __NR_statx */
+
 		// restart_syscall() is called by glibc to restart
 		// certain syscalls if they're interrupted.
 		SCMP_SYS(restart_syscall),

src/rp-download/rp-download.cpp

@@ -255,8 +255,6 @@ int RP_C_API _tmain(int argc, TCHAR *argv[])
 		SCMP_SYS(close),
 		SCMP_SYS(fcntl),     SCMP_SYS(fcntl64),		// gcc profiling
 		SCMP_SYS(fsetxattr),
-		SCMP_SYS(fstat),     SCMP_SYS(fstat64),		// __GI___fxstat() [printf()]
-		SCMP_SYS(fstatat64), SCMP_SYS(newfstatat),	// Ubuntu 19.10 (32-bit)
 		SCMP_SYS(futex),
 		SCMP_SYS(getdents), SCMP_SYS(getdents64),
 		SCMP_SYS(getppid),	// for bubblewrap verification
@@ -279,11 +277,6 @@ int RP_C_API _tmain(int argc, TCHAR *argv[])
 		SCMP_SYS(unlink),	// to delete expired cache files
 		SCMP_SYS(utimensat),
 
-#if defined(__SNR_statx) || defined(__NR_statx)
-		SCMP_SYS(getcwd),	// called by glibc's statx()
-		SCMP_SYS(statx),
-#endif /* __SNR_statx || __NR_statx */
-
 		// glibc ncsd
 		// TODO: Restrict connect() to AF_UNIX.
 		SCMP_SYS(connect), SCMP_SYS(recvmsg), SCMP_SYS(sendto),

src/rp-stub/rp-stub_secure.c

@@ -47,8 +47,6 @@ int rp_stub_do_security_options(bool config)
 
 		// dlopen()
 		SCMP_SYS(fcntl),     SCMP_SYS(fcntl64),		// gcc profiling
-		SCMP_SYS(fstat),     SCMP_SYS(fstat64),		// __GI___fxstat() [printf()]
-		SCMP_SYS(fstatat64), SCMP_SYS(newfstatat),	// Ubuntu 19.10 (32-bit)
 		SCMP_SYS(gettimeofday),	// 32-bit only?
 		SCMP_SYS(mmap),
 		SCMP_SYS(mmap2),	// might only be needed on i386...
@@ -78,11 +76,6 @@ int rp_stub_do_security_options(bool config)
 
 		SCMP_SYS(getppid),	// dll-search.c: walk_proc_tree()
 
-#if defined(__SNR_statx) || defined(__NR_statx)
-		SCMP_SYS(getcwd),	// called by glibc's statx()
-		SCMP_SYS(statx),
-#endif /* __SNR_statx || __NR_statx */
-
 		// ConfReader checks timestamps between rpcli runs.
 		// NOTE: Only seems to get triggered on PowerPC...
 		SCMP_SYS(clock_gettime), SCMP_SYS(clock_gettime64),

src/rpcli/rpcli_secure.c

@@ -36,8 +36,6 @@ int rpcli_do_security_options(void)
 		SCMP_SYS(close),
 		SCMP_SYS(dup),		// gzdopen()
 		SCMP_SYS(fcntl),     SCMP_SYS(fcntl64),		// gcc profiling
-		SCMP_SYS(fstat),     SCMP_SYS(fstat64),		// __GI___fxstat() [printf()]
-		SCMP_SYS(fstatat64), SCMP_SYS(newfstatat),	// Ubuntu 19.10 (32-bit)
 		SCMP_SYS(ftruncate),	// LibRpBase::RpFile::truncate() [from LibRpBase::RpPngWriterPrivate ctors]
 		SCMP_SYS(ftruncate64),
 		SCMP_SYS(futex),
@@ -69,11 +67,6 @@ int rpcli_do_security_options(void)
 		__NR_clock_gettime64,
 #endif /* __SNR_clock_gettime64 || __NR_clock_gettime64 */
 
-#if defined(__SNR_statx) || defined(__NR_statx)
-		SCMP_SYS(getcwd),	// called by glibc's statx()
-		SCMP_SYS(statx),
-#endif /* __SNR_statx || __NR_statx */
-
 		// glibc ncsd
 		// TODO: Restrict connect() to AF_UNIX.
 		SCMP_SYS(connect), SCMP_SYS(recvmsg), SCMP_SYS(sendto),