syscall: don't use faccessat2 on android

The Android seccomp policy does not allow faccessat2, so attempting to
use it results in a SIGSYS. Avoid it and go straight to the fallback.

Fixes #57393.

Change-Id: I8d4e12a6f46cea5642d3b5b5a02c682529882f29
Reviewed-on: https://go-review.googlesource.com/c/go/+/458495
Reviewed-by: Austin Clements <austin@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Changkun Ou <mail@changkun.de>
Run-TryBot: Michael Pratt <mpratt@google.com>

diff --git a/src/syscall/syscall_linux.go b/src/syscall/syscall_linux.go
index 30fa641627e79a5e9ab09bcc71ffcadad2572425..d4cc34bdee0b2f1c5c9f128e76e2a14fd65838f1 100644 (file)
--- a/src/syscall/syscall_linux.go
+++ b/src/syscall/syscall_linux.go
@@ -13,6 +13,7 @@ package syscall
 
 import (
        "internal/itoa"
+       "runtime"
        "unsafe"
 )
 
@@ -145,8 +146,17 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
                return faccessat(dirfd, path, mode)
        }
 
-       if err := faccessat2(dirfd, path, mode, flags); err != ENOSYS && err != EPERM {
-               return err
+       // Attempt to use the newer faccessat2, which supports flags directly,
+       // falling back if it doesn't exist.
+       //
+       // Don't attempt on Android, which does not allow faccessat2 through
+       // its seccomp policy [1] on any version of Android as of 2022-12-20.
+       //
+       // [1] https://cs.android.com/android/platform/superproject/+/master:bionic/libc/SECCOMP_BLOCKLIST_APP.TXT;l=4;drc=dbb8670dfdcc677f7e3b9262e93800fa14c4e417
+       if runtime.GOOS != "android" {
+               if err := faccessat2(dirfd, path, mode, flags); err != ENOSYS && err != EPERM {
+                       return err
+               }
        }
 
        // The Linux kernel faccessat system call does not take any flags.