From c223d3c14bdb19abcd45babe6aae0987924feddf Mon Sep 17 00:00:00 2001
From: Simon Evans <si@si.org>
Date: Sun, 20 Oct 2019 12:35:16 +0100
Subject: [PATCH] statx: fallback to lstat if ENOSYS is returned in errno.

- Security mechanisms used in Linux VMs, eg libseccomp and
  Docker's security policy may block certain system calls if they
  are new and unknown to the library and ENOSYS may be returned
  instead of EPERM.

- Update the use of statx() to disable future calls and fallback to
  lstat() if ENOSYS is returned.
---
 Foundation/FileManager+POSIX.swift | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/Foundation/FileManager+POSIX.swift b/Foundation/FileManager+POSIX.swift
index ff87c42459..f907ad528a 100644
--- a/Foundation/FileManager+POSIX.swift
+++ b/Foundation/FileManager+POSIX.swift
@@ -915,10 +915,14 @@ extension FileManager {
                 let statxErrno = _stat_with_btime(fsRep, &statInfo, &btime)
                 guard statxErrno == 0 else {
                     switch statxErrno {
-                    case EPERM:
-                      return try _statxFallback(atPath: path, withFileSystemRepresentation: fsRep)
+                    case EPERM, ENOSYS:
+                        // statx() may be blocked by a security mechanism (eg libseccomp or Docker) even if the kernel verison is new enough. EPERM or ENONSYS may be reported.
+                        // Dont try to use it in future and fallthough to a normal lstat() call.
+                        supportsStatx = false
+                        return try _statxFallback(atPath: path, withFileSystemRepresentation: fsRep)
+
                     default:
-                      throw _NSErrorWithErrno(statxErrno, reading: true, path: path)
+                        throw _NSErrorWithErrno(statxErrno, reading: true, path: path)
                     }
                 }