gosh_store: allow fstatat Linux syscall

Seems like on aarch64 newfstatat is identical to fstat. However, due to too many indirections, newfstatat is unknown somewhere in between and cannot be allowed despite being part of @System-service. Reported and discussed in #63.
oxzi · Oct 16, 2024 · c55f4fa · c55f4fa
1 parent b4997cb
commit c55f4fa
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/gosh_store.go b/gosh_store.go
@@ -88,6 +88,7 @@ func mainStore(conf Config) {
 			"~@swap",
 			/* @process */ "~execve", "~execveat", "~fork", "~kill",
 			/* @network-io */ "~bind", "~connect", "~listen",
+			"fstatat", // for aarch64, same as newfstatat
 		})
 	if err != nil {
 		slog.Error("Failed to apply seccomp-bpf filter", slog.Any("error", err))