backport statx syscall whitelist fix
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
docker.io (Ubuntu) | Invalid | Undecided | Unassigned |
Bionic | Invalid | Undecided | Unassigned |
Cosmic | Invalid | Undecided | Unassigned |
libseccomp (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Christian Ehrhardt |
Cosmic | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* Some newer workloads fail because libseccomp in Bionic lacks the statx syscall definition, so seccomp profiles cannot refer to it and the syscall is denied
* This backports the statx syscall definitions to Bionic so that libseccomp-based profiles (such as docker's) can manage that syscall
[Test Case]
# Note: I took a KVM image of Bionic to not spoil my system with Docker config for this test too much
$ sudo apt install docker.io
$ sudo usermod -a -G docker ubuntu
$ cat > test-statx/
FROM ubuntu:18.04
RUN apt-get update && apt-get install -y wget gcc
WORKDIR /tmp
RUN wget -q https:/
RUN gcc test-statx.c -o test-statx
RUN touch test-file
RUN chmod +x ./test-statx
RUN ./test-statx test-file
EOF
$ docker build test-statx
With the bug and current docker 18.06.1-
[...]
Step 8/8 : RUN ./test-statx test-file
---> Running in 6e60a82409e6
test-file: Operation not permitted
statx(test-file) = -1
The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1
With the fix applied it would work and look like:
Step 8/8 : RUN ./test-statx test-file
---> Running in a83bc043e7bd
statx(test-file) = 0
results=fff
Size: 0 Blocks: 0 IO Block: 4096 regular file
Device: 00:32 Inode: 261994 Links: 1
Access: (0644/-rw-r--r--) Uid: 0 Gid: 0
Access: 2019-02-08 07:57:42.
Modify: 2019-02-08 07:57:42.
Change: 2019-02-08 07:57:43.
Birth: 2019-02-08 07:57:43.
Attributes: 0000000000000000 (........ ........ ........ ........ ........ ........ ....-... .---.-..)
Removing intermediate container a83bc043e7bd
---> d428d14cbc57
Successfully built d428d14cbc57
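The test case above relies on a test-statx.c whose download URL is cut off on this page. The following is an added example, not that file and not part of the bug report: it issues statx(2) directly through syscall(2), so the result reflects the syscall-number filtering a seccomp profile applies rather than any libc fallback, and it classifies the outcome the way a practitioner debugging this bug would want. EPERM is what docker's default profile returns for a syscall the profile cannot name (the case described here), ENOSYS means the kernel or headers predate statx (Linux 4.11), and anything else is an ordinary file error. `portable_file_size` then shows the mitigation a robust workload uses: fall back to fstatat(2) when statx is filtered or unsupported. The probe names and the constructed path are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <linux/stat.h>   /* struct statx / STATX_BASIC_STATS on older glibc */
#include <sys/syscall.h>
#include <unistd.h>

/* Outcome of probing statx(2) inside the current kernel/container
 * (names are this example's own, not from the bug report). */
enum statx_probe {
    PROBE_OK = 0,          /* statx succeeded */
    PROBE_FILTERED = 1,    /* EPERM: denied by a seccomp profile (the libseccomp/docker case) */
    PROBE_UNSUPPORTED = 2, /* ENOSYS: kernel or headers predate statx (Linux 4.11) */
    PROBE_OTHER = 3        /* any other error, e.g. ENOENT for a missing path */
};

/* Map the errno of a failed statx call to a probe outcome. Pure function. */
enum statx_probe classify_statx_errno(int err)
{
    switch (err) {
    case 0:      return PROBE_OK;
    case EPERM:  return PROBE_FILTERED;
    case ENOSYS: return PROBE_UNSUPPORTED;
    default:     return PROBE_OTHER;
    }
}

/* Call statx(2) via syscall(2) so the result reflects seccomp filtering by
 * syscall number, exactly what the docker profile in this bug operates on. */
enum statx_probe probe_statx(const char *path, struct statx *out)
{
#ifdef SYS_statx
    long rc = syscall(SYS_statx, AT_FDCWD, path, 0, STATX_BASIC_STATS, out);
    if (rc == 0)
        return PROBE_OK;
    return classify_statx_errno(errno);
#else
    (void)path; (void)out;
    return PROBE_UNSUPPORTED; /* headers carry no statx number: treat as an old kernel */
#endif
}

/* File size with a fallback: use statx, and if it is filtered (EPERM) or
 * unsupported (ENOSYS) fall back to fstatat(2), which every profile allows.
 * Returns 0 on success, -1 with errno set on a genuine file error. */
int portable_file_size(const char *path, long long *size)
{
    struct statx stx;
    enum statx_probe p = probe_statx(path, &stx);
    if (p == PROBE_OK) {
        *size = (long long)stx.stx_size;
        return 0;
    }
    if (p == PROBE_OTHER)
        return -1;               /* e.g. ENOENT: not a seccomp problem, report it */
    struct stat st;
    if (fstatat(AT_FDCWD, path, &st, 0) != 0)
        return -1;
    *size = (long long)st.st_size;
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";   /* default probe target */
    static const char *names[] = { "ok", "filtered (EPERM)", "unsupported (ENOSYS)", "other" };
    struct statx stx;
    enum statx_probe p = probe_statx(path, &stx);
    int err = errno;   /* save before printf can clobber it */
    if (p == PROBE_OTHER)
        printf("statx(%s): error: %s\n", path, strerror(err));
    else
        printf("statx(%s): %s\n", path, names[p]);

    long long size;
    if (portable_file_size(path, &size) == 0)
        printf("size via %s: %lld bytes\n", p == PROBE_OK ? "statx" : "fstatat fallback", size);
    return p == PROBE_OK ? 0 : 1;
}
```

Run it inside a container built with the old libseccomp to see "filtered (EPERM)" followed by the fstatat fallback succeeding; with the backport applied (or outside the container) the probe reports "ok". Distinguishing EPERM from ENOSYS matters when triaging: ENOSYS points at the kernel, EPERM at the seccomp profile or, as here, at a libseccomp that cannot even name the syscall.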
[Regression Potential]
* This "only" defines a new syscall number for all architectures; it makes no other changes, so it should be rather safe. If anything, software can now manage statx through libseccomp, and behavior that was formerly failing (like the reported docker case) would now succeed, which is a change in behavior - but I think it is a wanted change.
[Other Info]
* n/a
---
Hello maintainer,
The docker version 17.03 (bionic) in ubuntu doesn't allow the statx syscall which is needed to build qt >=5.10 applications:
https:/
Could this fix be backported in the Ubuntu package?
https:/
regards,
xan.
Related branches
- Andreas Hasenack: Approve
- xantares (community): Approve
- Seth Arnold (community): Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 1499 lines (+1460/-0), 6 files modified:
- debian/changelog (+7/-0)
- debian/patches/lp-1755250-add-the-statx-syscall.patch (+308/-0)
- debian/patches/lp-1815415-arch-update-syscalls-for-Linux-4.9.patch (+536/-0)
- debian/patches/lp-1815415-arch-update-syscalls-for-Linux-v4.15.patch (+499/-0)
- debian/patches/lp-1815415-update-the-syscall-tables-to-4.10.patch (+106/-0)
- debian/patches/series (+4/-0)
We're planning to have version 17.12 for bionic.
On 13 March 2018 at 06:58, xantares <email address hidden> wrote:
> Public bug reported:
>
> Hello maintainer,
>
> The docker version 17.03 (bionic) in ubuntu doesn't allow the statx
> syscall which is needed to build qt >=5.10 applications:
> https://github.com/docker/for-linux/issues/208#issuecomment-372400859
>
> Could this fix be backported in the Ubuntu package?
> https://github.com/moby/moby/pull/36417
>
> regards,
> xan.
>
> ** Affects: docker.io (Ubuntu)
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to
> docker.io in Ubuntu.
> https://bugs.launchpad.net/bugs/1755250
>
> Title:
> backport statx syscall whitelist fix
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250/+subscriptions
>