From 27232d52fee4abecd5f709acc616fa1296e0464f Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Mon, 31 Jul 2023 11:39:40 -0400
Subject: libsandbox: always permit access to '/memfd:'

For memfd objects, the kernel populates the target for symlinks under
/proc/$PID/fd as "/memfd:name". Said target does not actually exist.

It is unfortunate that the kernel includes the leading slash, but we
will just have to work around it.

Bug: https://bugs.gentoo.org/910561
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
 libsandbox/libsandbox.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libsandbox/libsandbox.c b/libsandbox/libsandbox.c
index 847b4e2..e5f6d38 100644
--- a/libsandbox/libsandbox.c
+++ b/libsandbox/libsandbox.c
@@ -713,6 +713,12 @@ static int check_access(sbcontext_t *sbcontext, int sb_nr, const char *func,
 		/* Fall in a read/write denied path, Deny Access */
 		goto out;
 
+	if (!strncmp(resolv_path, "/memfd:", strlen("/memfd:"))) {
+		/* Allow operations on memfd objects #910561 */
+		result = 1;
+		goto out;
+	}
+
 	if (!sym_func) {
 		retval = check_prefixes(sbcontext->deny_prefixes,
 			sbcontext->num_deny_prefixes, resolv_path);
-- 
cgit v1.2.3-65-gdbad