Re: [OE-core] [PATCH] fix close_range fails unexpectedly in unprivileged process

Khem Raj Wed, 12 Oct 2022 17:48:41 -0700

On Wed, Oct 12, 2022 at 5:41 PM Changqing Li <[email protected]>
wrote:


>
> On 10/8/22 15:13, Changqing Li wrote:
>
> On 9/30/22 17:50, Ross Burton wrote:
>
> [Please note: This e-mail is from an EXTERNAL e-mail address]
>
> Yeah, this is a Docker issue. Fix your docker.
>
> Ross
>
> Hi,
>
> I know this is an docker issue, but this will block yocto build in old
> docker. I noticed we already
>
> have an local patch for glibc to fix similar issue. So, maybe this patch
> is also need.
>
>
> https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/glibc/glibc/0023-fix-create-thread-failed-in-unprivileged-process-BZ-.patch
> <https://urldefense.com/v3/__https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/glibc/glibc/0023-fix-create-thread-failed-in-unprivileged-process-BZ-.patch__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lrbDVeMs$>
>
> BRs
>
>
These patches are addressing a corner case for supported systems and the
patches are not backports and it’s perhaps better to keep them local
Infact  I would suggest to send a patch to remove the above patch from core
glibc recipe instead

> Changqing
>
> ping
>
> On 30 Sep 2022, at 09:48, Changqing Li via lists.openembedded.org 
> <https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lHw1qYsY$>
>  <[email protected]> 
> <[email protected]> wrote:
>
> From: Changqing Li <[email protected]> <[email protected]>
>
> After commit [1], start a unprivileged container (docker run without 
> --privileged),
> close file will fail.
>
> This is actually an docker issue, see [2]. But this issue will
> block yocto build in docker with glibc2.35+. so add this local patch.
>
> [1] 
> https://gitlab.gnome.org/GNOME/glib/-/commit/ce04a124040be091407e070280d86ca810bacb8c
>  
> <https://urldefense.com/v3/__https://gitlab.gnome.org/GNOME/glib/-/commit/ce04a124040be091407e070280d86ca810bacb8c__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lUw7m6AI$>
> [2] https://github.com/moby/moby/issues/43595 
> <https://urldefense.com/v3/__https://github.com/moby/moby/issues/43595__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lfE8TzmQ$>
>
> Signed-off-by: Changqing Li <[email protected]> 
> <[email protected]>
> ---
> ...fails-unexpectedly-in-unprivileged-p.patch | 46 +++++++++++++++++++
> meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb 
> <https://urldefense.com/v3/__http://glib-2.0_2.72.3.bb__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lPpFuHiw$>
>  |  1 +
> 2 files changed, 47 insertions(+)
> create mode 100644 
> meta/recipes-core/glib-2.0/glib-2.0/0001-fix-close_range-fails-unexpectedly-in-unprivileged-p.patch
>
> diff --git 
> a/meta/recipes-core/glib-2.0/glib-2.0/0001-fix-close_range-fails-unexpectedly-in-unprivileged-p.patch
>  
> b/meta/recipes-core/glib-2.0/glib-2.0/0001-fix-close_range-fails-unexpectedly-in-unprivileged-p.patch
> new file mode 100644
> index 0000000000..213ee7b11f
> --- /dev/null
> +++ 
> b/meta/recipes-core/glib-2.0/glib-2.0/0001-fix-close_range-fails-unexpectedly-in-unprivileged-p.patch
> @@ -0,0 +1,46 @@
> +From 0fb283b3b1e3b4958b985804cbc40b7bff8b0e65 Mon Sep 17 00:00:00 2001
> +From: Changqing Li <[email protected]> <[email protected]>
> +Date: Fri, 30 Sep 2022 08:29:41 +0000
> +Subject: [PATCH] fix close_range fails unexpectedly in unprivileged process
> +
> +After change [1], start a unprivileged container (docker run without 
> --privileged),
> +close file may fail.
> +
> +This is actually an docker issue, see [2]. But this issue will
> +block yocto build in docker with glibc2.35+. so add this local patch.
> +
> +[1] 
> https://gitlab.gnome.org/GNOME/glib/-/commit/ce04a124040be091407e070280d86ca810bacb8c
>  
> <https://urldefense.com/v3/__https://gitlab.gnome.org/GNOME/glib/-/commit/ce04a124040be091407e070280d86ca810bacb8c__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lUw7m6AI$>
> +[2] https://github.com/moby/moby/issues/43595 
> <https://urldefense.com/v3/__https://github.com/moby/moby/issues/43595__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lfE8TzmQ$>
> +
> +Upstream-Status: Inappropriate [Rejected by upstream]
> +
> +Signed-off-by: Changqing Li <[email protected]> 
> <[email protected]>
> +---
> + glib/gspawn.c | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/glib/gspawn.c b/glib/gspawn.c
> +index 0a2cbe5..83553a1 100644
> +--- a/glib/gspawn.c
> ++++ b/glib/gspawn.c
> +@@ -1544,7 +1544,7 @@ safe_fdwalk_set_cloexec (int lowfd)
> +    * fall back to safe_fdwalk(). Handle EINVAL in case `CLOSE_RANGE_CLOEXEC`
> +    * is not supported. */
> +   int ret = close_range (lowfd, G_MAXUINT, CLOSE_RANGE_CLOEXEC);
> +-  if (ret == 0 || !(errno == ENOSYS || errno == EINVAL))
> ++  if (ret == 0 || !(errno == ENOSYS || errno == EINVAL || errno == EPERM))
> +     return ret;
> + #endif  /* HAVE_CLOSE_RANGE */
> +   return safe_fdwalk (set_cloexec, GINT_TO_POINTER (lowfd));
> +@@ -1597,7 +1597,7 @@ safe_closefrom (int lowfd)
> +    * Handle ENOSYS in case it’s supported in libc but not the kernel; if so,
> +    * fall back to safe_fdwalk(). */
> +   int ret = close_range (lowfd, G_MAXUINT, 0);
> +-  if (ret == 0 || errno != ENOSYS)
> ++  if (ret == 0 || !(errno == ENOSYS || errno == EPERM))
> +     return ret;
> + #endif  /* HAVE_CLOSE_RANGE */
> +   return safe_fdwalk (close_func, GINT_TO_POINTER (lowfd));
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb 
> <https://urldefense.com/v3/__http://glib-2.0_2.72.3.bb__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lPpFuHiw$>
>  b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb 
> <https://urldefense.com/v3/__http://glib-2.0_2.72.3.bb__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lPpFuHiw$>
> index dd1ea508d2..bbaacc64a4 100644
> --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb 
> <https://urldefense.com/v3/__http://glib-2.0_2.72.3.bb__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lPpFuHiw$>
> +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb 
> <https://urldefense.com/v3/__http://glib-2.0_2.72.3.bb__;!!AjveYdw8EvQ!eYLVLZ08i44b_x9_dIbN2TSPyxAcGhsmfzSKGDqz016oV_Ho6qPIx5-JFpq4dQFyePJxNDxvfYRzGfProOLpzc_lPpFuHiw$>
> @@ -16,6 +16,7 @@ SRC_URI = 
> "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
>            file://0001-Do-not-write-bindir-into-pkg-config-files.patch \
>            file://0001-meson-Run-atomics-test-on-clang-as-well.patch \
>            
> file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
> +           
> file://0001-fix-close_range-fails-unexpectedly-in-unprivileged-p.patch \
>            "
> SRC_URI:append:class-native = " file://relocate-modules.patch"
>
> --
> 2.34.1
>
>
>
>
>
>
>
>
> 
>
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#171679): 
https://lists.openembedded.org/g/openembedded-core/message/171679
Mute This Topic: https://lists.openembedded.org/mt/94012543/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] fix close_range fails unexpectedly in unprivileged process

Reply via email to