add restricted filesystem access to sel_ldr

src/trusted/service_runtime/sys_fdio.c

Index: src/trusted/service_runtime/sys_fdio.c
diff --git a/src/trusted/service_runtime/sys_fdio.c b/src/trusted/service_runtime/sys_fdio.c
index dfa5c5b30584d292298546200a93549d90ca0076..8130ddb5fe808ed0ad8fd77b4a98c1439cda544e 100644
--- a/src/trusted/service_runtime/sys_fdio.c
+++ b/src/trusted/service_runtime/sys_fdio.c
@@ -135,7 +135,7 @@ int32_t NaClSysGetdents(struct NaClAppThread *natp,
            "%"NACL_PRIuS"[0x%"NACL_PRIxS"])\n"),
           (uintptr_t) natp, d, dirp, count, count);
 
-  if (!NaClAclBypassChecks) {
+  if (!NaClAclBypassChecks && NaClRootDir == NULL) {
     /*
      * Filesystem access is disabled, so disable the getdents() syscall.
      * We do this for security hardening, though it should be redundant,
@@ -416,7 +416,7 @@ int32_t NaClSysFstat(struct NaClAppThread *natp,
   retval = (*((struct NaClDescVtbl const *) ndp->base.vtbl)->
             Fstat)(ndp, &result);
   if (0 == retval) {
-    if (!NaClAclBypassChecks) {
+    if (!NaClAclBypassChecks && NaClRootDir == NULL) {
       result.nacl_abi_st_ino = NACL_FAKE_INODE_NUM;
     }
     if (!NaClCopyOutToUser(nap, nasp, &result, sizeof result)) {