M src/hook.rs => src/hook.rs +6 -1
@@ 4638,7 4638,12 @@ fn sandbox_path_1(
// Check if path is hidden for stat sandbox compat.
// Do this only when we want to report the access violation.
- let hidden = if !filter && action == Action::Deny && !caps.contains(Capability::CAP_STAT) {
+ // Do not do hidden check for memory fds.
+ let hidden = if !filter
+ && action == Action::Deny
+ && !Capability::mem(syscall_name)
+ && !caps.contains(Capability::CAP_STAT)
+ {
request.is_hidden(sandbox, path)
} else {
false
M src/sandbox.rs => src/sandbox.rs +5 -0
@@ 1016,6 1016,11 @@ impl Capability {
| "inotify_add_watch"
)
}
+
+ #[inline]
+ pub(crate) fn mem(syscall_name: &str) -> bool {
+ syscall_name == "memfd_create"
+ }
}
bitflags! {