Tar fails to extract archives that include folders with certain permissions on armhf

Status changed to 'Confirmed' because the bug affects multiple users.

This also affects ppc64le Docker images. These commands work fine on x86_64, arm64 and s390 but fail on POWER9.

```
docker run -it --rm ubuntu:noble
apt-get -y update
apt install -y wget
cd /tmp
wget a-tar-file-of-your-choice.tar.gz
tar -xzf a-tar-file-of-your-choice.tar.gz
```

Error message:

...
tar: your/file.1: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: your/file.2: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: your/file.3: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: Exiting with failure status due to previous errors
```

If you compile tar from scratch within the Docker container, then you do not see the error.

```
wget https://ftp.gnu.org/gnu/tar/tar-1.35.tar.gz
tar -xzf tar-1.35.tar.gz
```

Ignore the errors from the tar process :-)

```
apt install build-essential libacl1-dev -y
cd tar-1.35
FORCE_UNSAFE_CONFIGURE=1 ./configure --prefix=/usr
make install
```

Now `tar -xf` works as expected.

I did some analysis [here](https://github.com/ocaml/infrastructure/issues/121).

libseccomp needs to be >= 2.55 and Docker >= 25.0.3 and then this issue goes away. Without these the system call `fchmodat2` return EPERM rather than `ENOSYS`.

Hello anyone affected,

I have written a patch for jammy for libseccomp to fix the bug.
Thank you @mark-elvers for confirming that ppc64le is also affected

Uploaded:

Uploading libseccomp_2.5.3-2ubuntu2.1.dsc
Uploading libseccomp_2.5.3.orig.tar.gz
Uploading libseccomp_2.5.3-2ubuntu2.1.debian.tar.xz
Uploading libseccomp_2.5.3-2ubuntu2.1_source.buildinfo
Uploading libseccomp_2.5.3-2ubuntu2.1_source.changes

Are we sure this issue doesn't affect 24.04? This bug was filed on 27 March, a day after libseccomp 2.5.5-1ubuntu1 was published into the Noble release pocket. It looks like this was first fixed upstream in 2.5.5. The original reporter (understandably) did not report the version of the libseccomp package used. After fixing the Test Plan as I've requested below, please run that against 24.04 to make sure, and report the results.

Presumably this bug isn't currently fixed in 23.10 since 2.5.4-1ubuntu3 is current there. This is a prerequisite to fixing 22.04. Please see https://wiki.ubuntu.com/StableReleaseUpdates#Newer_Releases.

> On an ARM 64 machine install the latest version of docker on a jammy host by following the official docker documentation. [https://docs.docker.com/engine/install/ubuntu/]

Please update the Test Plan to use Docker as shipped by Ubuntu. Or, if this issue only affects a version of Docker external to the Ubuntu archive, then we might still be able to fix libseccomp for you, but it changes the calculus considerably. Please document the specifics, and tie it to a specific version that has specific behaviour (what, exactly?) rather than the moving target of "latest".

> However docker seccomp profile defaults to returning EPERM for all non defined syscalls and writing an entry for fchmodat2 in the docker seccomp profile to return ENOSYS does not work on systems where libseccomp does not have support for fchmodat2.

Will libseccomp allow Docker to return ENOSYS for all non defined syscalls instead? This seems like it would be the correct general fix to me, to avoid future breakages of the same class. Is this possible, and how would doing this instead change the risk to 22.04 in this fix? If this issue only affects an upstream version of Docker, can that be fixed there please, rather than risking regression to all other libseccomp consumers by working around this in libseccomp in 22.04? Then I think your "use the latest version of upstream Docker" would just start working?

The proposed patch looks like it adds system call numbers for fchmodat2 for all architectures, as well as for a bunch of other system calls. The architecture-specific changes seem to apply to cacheflush and memfd_secret system calls only. So is this an armhf-specific problem, or is it a general one that affects all architectures?

Following "the requirements for stable updates are not necessarily the same as those in the development release" from https://wiki.ubuntu.com/StableReleaseUpdates#Why, why is this SRU patch not minimal, adding the definition for the required system call for the affected architectures only?

Or, if the problem we're solving is wider than this and requires the full patch, then I think we need to include that in our regression analysis please, together with a Test Plan that exercises relevant code paths.

In particular, I'm concerned that the proposed change will affect much more than the bug being fixed, increasing regression risk including to other consumers of libseccomp, and that these additional cases aren't covered by the Test Plan. Many more system calls could suddenly "start working" from the perspective of glibc, rather th...

I confirm that this also affects Noble.

If libseccomp2 is >= 2.55, then Docker must be >= 25.0.3.

I looked at fixing the Docker profile, and this works for `docker run`, but `docker build` always uses the build-in/default profile, so it's a limited workaround.

> I confirm that this also affects Noble.

Thanks! Oracular and Noble are at the same version of libseccomp then, so I'll mark those tasks as still open.

> ...but `docker build` always uses the build-in/default profile, so it's a limited workaround.

Can Docker be fixed upstream instead, such that it works correctly with older libseccomp versions?

The instructions from the Test Plan led me to https://download.docker.com/linux/ubuntu/dists/noble/pool/stable/amd64/docker-ce-cli_26.1.4-1~ubuntu.24.04~noble_amd64.deb, which ships /usr/bin/docker, but that dynamic executable only uses libc. How is it accessing libseccomp dynamically, if at all? Is is using dlopen?

Presumably via /usr/bin/runc.

```
# ldd /usr/bin/runc
 linux-vdso.so.1 (0x0000003940e63000)
 libseccomp.so.2 => /lib/riscv64-linux-gnu/libseccomp.so.2 (0x0000003940e3a000)
 libc.so.6 => /lib/riscv64-linux-gnu/libc.so.6 (0x0000003940cba000)
 /lib/ld-linux-riscv64-lp64d.so.1 (0x0000003940e65000)
```

Hello Robie and anyone else affected,

> Are we sure this issue doesn't affect 24.04?

24.04 is does have the patched version of libseccomp and is not affected by the issue when using the upstream version of docker. I have tested it on an ARM machine based on the test plan I wrote and it's not affected.

> Presumably this bug isn't currently fixed in 23.10 since 2.5.4-1ubuntu3 is current there.

Correct! I skipped Mantic thinking that since it is close to EOL it wouldn't be worth it but since it is a hard requirement I will back-port the patch to it as well.

> Please update the Test Plan to use Docker as shipped by Ubuntu. Or, if this issue only affects a version of Docker external to the Ubuntu archive, then we might still be able to fix libseccomp for you...

The docker version shipped by ubuntu (docker.io) is affected by the issue on all ubuntu releases (including noble). The fix needed is the following: https://github.com/moby/moby/pull/47341/files and https://github.com/containerd/containerd/commit/a6e52c74fa043a63d7dae4ac6998215f6c1bb6ac
Which as @mark-elvers pointed out is available since docker 25.0.3
The thing is that all this patch does is change the default seccomp profile used by docker (which can be done by the user through the argument: --security-opt seccomp=/path/to/seccomp/profile.json in docker).
Of course I understand that this does mean that docker.io will still need to be updated even if a workaround is possible. But the reason I am stating this is because before back-porting this patch to docker.io, the libseccomp patches will need to be back-ported and made available first. Noble and oracular being the only exceptions to this rule since they already have a libseccomp version that is aware of fchmodat2.
I assume the method to follow would be to get the libseccomp patch in all the ubuntu releases, verify that the patch works with the upstream version of docker, then patch docker.io on these versions and verify that docker.io works?

> Will libseccomp allow Docker to return ENOSYS for all non defined syscalls instead? This seems like it would be the correct general fix to me, to avoid future breakages of the same class.

Sadly no. The default behavior in the seccomp profile is that all syscalls that have no rules defined to them in the docker seccomp profile will return EPERM. This applies to syscalls that libseccomp is aware of as well as those of which it is not aware of. The return value can be modified but it cannot be limited to syscalls not defined in libseccomp.

> Is this possible, and how would doing this instead change the risk to 22.04 in this fix?

Current applications have been running fine in docker with EPERM as the return value for denied syscalls, changing this default return to ENOSYS will affect any application that makes use of these syscalls that get denied. The docker seccomp profile denies syscalls based on this default return value and for the few other syscalls that need to get denied with a different value it has exceptions for them written in the default seccomp profile. Changing this default will require a rewrite to this profile and will make the majority of syscalls that get denied with E...