whitelist 64-bit time syscalls

Bug #1886831 reported by xantares
16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
docker.io (Ubuntu)
New
Undecided
Unassigned

Bug Description

following up the libseccomp SRU to handle newer syscalls:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1876055

docker needs to be updated to support newer syscalls including:
403: clock_gettime64
404: clock_settime64
405: clock_adjtime64
406: clock_getres_time64
407: clock_nanosleep_time64
408: timer_gettime64
409: timer_settime64
410: timerfd_gettime64
411: timerfd_settime64
412: utimensat_time64
413: pselect6_time64
414: ppoll_time64

here are the relevant changes to backport:
https://github.com/docker/docker-ce/commit/3c5d28f12ba6f3839ae77837633372993a073f57

here is a testcase that ends up calling utimensat_time64 via docker:
cd /tmp && git clone https://github.com/xantares/test-seccomp-time64.git && docker build test-seccomp-time64

this affects bionic, but also focal as the same version 19.03 is used

Tags: patch
xantares (xantares09)
description: updated
xantares (xantares09)
description: updated
Revision history for this message
xantares (xantares09) wrote :

I ran more tests, and the first version to work is 19.03.9, I wonder if an update would be possible:

bionic: 19.03.6 => 19.03.9
focal: 19.03.8 => 19.03.9
groovy: 19.03.11 ok

xantares (xantares09)
summary: - whitelist 64-bit time_t syscalls
+ whitelist 64-bit time syscalls
Revision history for this message
Alex Murray (alexmurray) wrote :

It is not clear to me whether this is a request for a feature addition to docker.io to support these syscalls, or whether it is a report of a regression that has occurred as a result of the SRU - can you please clarify?

Revision history for this message
xantares (xantares09) wrote :

this is a feature request for the docker version in bionic/focal to pick up a commit from v19.03.9
to allow these syscalls (or update these packages to 19.03.9)

the libseccomp SRU was a necessary condition to allow such a backport
(in other words the syscalls were blocked at the libseccomp level, now they're only blocked at the docker level)

Revision history for this message
xantares (xantares09) wrote :

I just rebuilt docker-doc_19.03.6-0ubuntu1~18.04.1_all.deb (in bionic) with this patch:
apt-get source docker.io && cd docker.io-19.03.6/ && curl -L https://github.com/docker/docker-ce/commit/3c5d28f12ba6f3839ae77837633372993a073f57.patch | patch -p1 && dpkg-source --commit && debuild -us -uc

I can confirm this patch applies cleanly and fixes the issue:
https://github.com/docker/docker-ce/commit/3c5d28f12ba6f3839ae77837633372993a073f57

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "engine-seccomp-add-64-bit-time_t-syscalls.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
xantares (xantares09) wrote :

is there a git repository for ubuntu's docker.io package where I could submit the update ?

Revision history for this message
xantares (xantares09) wrote :

hello, could someone help get that patch get merged ?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers