It's not going to be simple I'm afraid, at least for the original problem! "scmp_sys_resolver close_range" will quickly test whether current seccomp has support for close_range (prints "-1" if not supported, "436" otherwise, at least on x86_64). Ubuntu seccomp maintainers have been pretty happy SRUing this sort of thing before - it's a running problem, and the changes are trivial.
Outline of a reproducer for my original problem would be something like:
1. download and unpack https://cloud-images.ubuntu.com/releases/focal/release/ubuntu-18.04-server-cloudimg-amd64-root.tar.xz
2. cd to the rootfs directory and start a container:
rm etc/resolv.conf && cat /run/systemd/resolve/resolv.conf >etc/resolv.conf
systemd-nspawn --system-call-filter=@keyring\ close_range
3. Add podman/buildah PPA:
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_18.04/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
curl -L "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_18.04/Release.key" | sudo apt-key add -
sudo apt-get update
4. apt-get -y install buildah
5. add a new user and switch
adduser test --gecos "" --disabled-password
sudo -u test -Hs
cd ~
6. create scratch container and copy in busybox
ctr=$(buildah from scratch)
buildah copy $ctr /bin/busybox
7. check EOF handling
echo foo | buildah run $ctr /busybox cat
Without the patch, this should fail to return to the prompt, as the missing syscall seems to interfere with buildah's ability to process EOF; with the patch it should return to the prompt.
In the event of failure there should also be messages logged about "close_range" being unsupported.
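The scmp_sys_resolver check in the comment above asks libseccomp whether it knows the name close_range. A second, complementary check is to ask the running kernel and whatever seccomp filter is already applied to the process. The program below is an added example, not code from the bug report or from libseccomp, systemd or buildah: it issues close_range with deliberately invalid arguments (fd > max_fd and an undefined flag bit) so that a kernel which implements the call answers EINVAL without closing anything, and then classifies the errno. It assumes the x86_64 syscall number 436 quoted above as a fallback when the headers lack SYS_close_range, and it treats EPERM/EACCES as "denied by a filter"; the function and status names are made up for this example.

```c
/* Added example (not from the bug report): probe whether close_range(2) is
 * usable from the current process, distinguishing "kernel lacks it" from
 * "seccomp filter denies it" from "available".  Build: cc -o probe probe.c */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_close_range
/* Assumption: 436 is the x86_64 number printed by scmp_sys_resolver in the
 * comment above; newer glibc headers define SYS_close_range themselves. */
#define SYS_close_range 436
#endif

enum close_range_status {
    CR_AVAILABLE = 0,  /* kernel rejected only our bogus arguments (EINVAL) */
    CR_NO_KERNEL = 1,  /* ENOSYS: kernel predates close_range, or the runtime's
                          seccomp profile returns ENOSYS for unlisted syscalls
                          (runc/docker do this), so it is not conclusive alone */
    CR_FILTERED  = 2,  /* EPERM/EACCES: a seccomp filter or LSM refused the call */
    CR_UNKNOWN   = 3   /* anything else, including an unexpected success */
};

/* Map the errno from the invalid probe call to a status.  Pure function so it
 * can be checked without issuing the syscall. */
enum close_range_status classify_close_range_errno(int err)
{
    switch (err) {
    case EINVAL: return CR_AVAILABLE;
    case ENOSYS: return CR_NO_KERNEL;
    case EPERM:
    case EACCES: return CR_FILTERED;
    default:     return CR_UNKNOWN;
    }
}

/* Issue the probe: fd=1 > max_fd=0 and flag bit 30 is not a defined
 * CLOSE_RANGE_* flag, so the kernel never reaches the fd-closing path.
 * *err_out receives the raw errno (0 if the call unexpectedly succeeded).
 * Caveat: a filter whose action is SIGSYS/kill instead of an errno will
 * terminate the process here rather than return. */
enum close_range_status probe_close_range(int *err_out)
{
    long rc = syscall(SYS_close_range, 1u, 0u, 1u << 30);
    int err = (rc == -1) ? errno : 0;
    if (err_out)
        *err_out = err;
    if (rc == 0)
        return CR_UNKNOWN; /* should be impossible with these arguments */
    return classify_close_range_errno(err);
}

const char *close_range_status_name(enum close_range_status s)
{
    switch (s) {
    case CR_AVAILABLE: return "available";
    case CR_NO_KERNEL: return "ENOSYS (old kernel or ENOSYS-returning seccomp profile)";
    case CR_FILTERED:  return "denied by seccomp/LSM";
    default:           return "unknown";
    }
}

int main(void)
{
    int err = 0;
    enum close_range_status s = probe_close_range(&err);
    printf("close_range(%d): %s (errno %d%s%s)\n", (int)SYS_close_range,
           close_range_status_name(s), err, err ? ": " : "",
           err ? strerror(err) : "");
    return s == CR_AVAILABLE ? 0 : 1;
}
```

Run it once on the host and once inside the nspawn container (with and without close_range in --system-call-filter) to see which layer is responsible: an EINVAL on the host but EPERM in the container points at the filter, while ENOSYS everywhere points at the kernel.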