backport statx syscall whitelist fix

Bug #1755250 reported by xantares on 2018-03-12
This bug affects 1 person
Affects: docker.io (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: libseccomp (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

Hello maintainer,

The docker version 17.03 (bionic) in ubuntu doesn't allow the statx syscall which is needed to build qt >=5.10 applications:
https://github.com/docker/for-linux/issues/208#issuecomment-372400859

Could this fix be backported in the ubuntu package?
https://github.com/moby/moby/pull/36417

regards,
xan.

We're planning to have version 17.12 for bionic.

On 13 March 2018 at 06:58, xantares <email address hidden> wrote:

> Public bug reported:
>
> Hello maintainer,
>
> The docker version 17.03 (bionic) in ubuntu doesn't allow the statx
> syscall which is needed to build qt >=5.10 applications:
> https://github.com/docker/for-linux/issues/208#issuecomment-372400859
>
> Could this fix be backported in the ubuntu package?
> https://github.com/moby/moby/pull/36417
>
> regards,
> xan.
>
> ** Affects: docker.io (Ubuntu)
> Importance: Undecided
> Status: New

xantares (xantares09) wrote :

Unfortunately that's not recent enough: the bug has just been fixed a few days ago and will need some backporting.

Tianon Gravi (tianon) wrote :

Indeed, looks like this fix isn't in a released version at all yet (likely to be in 18.04).

Julien Schueller (jschueller) wrote :

Hi,

Could this fix be backported now that docker 17.12 is in bionic (and docker 18.04 is out too, with the fix)?

xan.

Andreas Hasenack (ahasenack) wrote :

This looks like a simple fix, if indeed all it takes is that upstream couple of one-liners. @mwhydson, do you have any comments?

Looking into this deeper -- applying this patch for bionic will have net-zero effect, given this comment:
https://github.com/moby/moby/pull/36417#issuecomment-369266565

For this patch to do anything, "libseccomp" needs to be at least version 2.3.3, and bionic is only at 2.3.1 (so the added line would essentially be ignored and you'd still get EPERM).

Felix Abecassis (flx42) wrote :

Tianon is right, runc silently discards syscalls it doesn't know about:
https://github.com/opencontainers/runc/blob/ecd55a4135e0a26de884ce436442914f945b1e76/libcontainer/seccomp/seccomp_linux.go#L168-L173

This affects other syscalls, like preadv2:
https://github.com/opencontainers/runtime-spec/issues/972

Failing to whitelist a syscall that the kernel does support is safe, but failing to *blacklist* a syscall could be more problematic. But failing to whitelist could also impact functionality/performance compared to a non-containerized application.

I couldn't find if anything is backported in "2.3.1-2.1ubuntu4", but the upstream "2.3.1" limits us to syscalls up to Linux 4.5-rc4.

Summoning Christian to help in bumping the priority of this issue.
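The two comments above describe a two-stage failure: a syscall such as statx must be listed in the Docker seccomp profile, and the libseccomp on the host must also know the name, otherwise runc drops the rule and the profile's default action (EPERM) still applies. The following script is an added example for this thread, not code from Docker, runc or libseccomp. It reads a profile in the Docker default-profile JSON layout, reports which needed syscalls it allows, and, when libseccomp.so.2 is installed, asks seccomp_syscall_resolve_name() whether each allowed name is actually known to that library version. The sample profile is constructed for the example and is not the real Docker default profile.

```python
"""Check whether syscalls a workload needs are (a) allowed by a Docker-style
seccomp profile and (b) known to the libseccomp installed on the host.

Added example; not code from Docker, runc or libseccomp. Assumptions: the
profile follows the Docker default-profile layout (defaultAction plus a
"syscalls" list of {"names": [...], "action": ...}), and libseccomp, if
present, is loadable as libseccomp.so.2 and exports
seccomp_syscall_resolve_name(), which returns a negative pseudo-number for
names it has no entry for.
"""
import ctypes
import json

# Constructed minimal profile in the Docker default-profile layout (not the
# real default profile). "statx" is listed, as the moby PR in this thread adds it.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat", "stat", "fstat", "statx"],
         "action": "SCMP_ACT_ALLOW"},
    ],
})


def allowed_syscalls(profile_json):
    """Return the set of syscall names the profile explicitly allows."""
    profile = json.loads(profile_json)
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        # Current profiles use "names"; older ones used a single "name".
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        allowed.update(names)
    return allowed


def load_libseccomp():
    """Return a handle to libseccomp.so.2, or None if it is not installed."""
    try:
        lib = ctypes.CDLL("libseccomp.so.2")
    except OSError:
        return None
    lib.seccomp_syscall_resolve_name.argtypes = [ctypes.c_char_p]
    lib.seccomp_syscall_resolve_name.restype = ctypes.c_int
    return lib


def libseccomp_knows(lib, name):
    """True if the installed libseccomp maps `name` to a real syscall number.

    A negative result means libseccomp has no entry for the name (too old a
    version, as with statx on libseccomp 2.3.1). runc skips such rules, so the
    name is silently dropped from the filter and the default action applies.
    """
    return lib.seccomp_syscall_resolve_name(name.encode()) >= 0


def classify(profile_json, needed, lib=None):
    """Map each needed syscall name to one of:
    'allowed'               - in the profile and known to libseccomp (or no lib to check)
    'not-in-profile'        - the profile's defaultAction will apply
    'dropped-by-libseccomp' - in the profile, but the installed libseccomp does not know it
    """
    allowed = allowed_syscalls(profile_json)
    result = {}
    for name in needed:
        if name not in allowed:
            result[name] = "not-in-profile"
        elif lib is not None and not libseccomp_knows(lib, name):
            result[name] = "dropped-by-libseccomp"
        else:
            result[name] = "allowed"
    return result


if __name__ == "__main__":
    lib = load_libseccomp()
    print("libseccomp available:", lib is not None)
    verdicts = classify(SAMPLE_PROFILE, ["statx", "preadv2", "read"], lib)
    for name, verdict in sorted(verdicts.items()):
        print(f"{name:10s} {verdict}")
```

Run it on the host that will launch the containers, not inside one: the library that matters is the one runc links against. A "dropped-by-libseccomp" verdict is the case Andreas and Felix describe, where the profile change alone has net-zero effect until libseccomp is upgraded; "not-in-profile" is the original bug, fixed by the moby PR.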

Christian Brauner (cbrauner) wrote :

This is indeed pretty important for some use-cases so we should try to come up with a reasonable solution.
