When used inside an unprivileged docker container, statx(2) gets rejected with -EPERM by the default seccomp profile, unless the host runs an almost-bleeding edge version of docker (at least 18.04). That causes most qt apps, qmake in particular, to fail.

While the qt release notes do mention this

 - Qt uses the statx(2) system call for obtaining file information on kernels 4.12 and later. Some older container systems install system call protection rules that do not include this system call. If you experience problems running Qt applications inside containers (such as the report of a file not existing when it does), ensure the statx(2) is allowed in the container configuration.

it's not always feasible nor reasonable to upgrade (or tell one's customers to upgrade) the build infrastructure, especially since several distros as of this writing don't even seem to ship such a recent version in their official repositories.

This opt-in patch simply monkey-patches out any (the only) use of statx and ensures that the -ENOSYS fallbacks are used. While I agree that this is really a bug in the container system, this takes the short and pragmatic approach to getting things to work.

To opt-in, just prepend no-xstat: to OVERRIDES in some global configuration file, possibly restricting that to e.g. native and nativesdk.

Signed-off-by: Rasmus Villemoes <[email protected]>
--- ...temengine_unix.cpp-disable-use-of-statx-2.patch | 58 ++++++++++++++++++++++ recipes-qt/qt5/qt5-git.inc | 2 + 2 files changed, 60 insertions(+) create mode 100644 recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch diff --git a/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch new file mode 100644 index 0000000..6efbfe4 --- /dev/null +++ b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
@@ -0,0 +1,58 @@ +From dc5218c70d445a4692271add1a17091afb230095 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes <[email protected]> +Date: Mon, 16 Jul 2018 09:50:06 +0200 +Subject: [PATCH] qfilesystemengine_unix.cpp: disable use of statx(2) + +When used inside an unprivileged docker container, statx(2) gets +rejected with -EPERM by the default seccomp profile, unless the host +runs an almost-bleeding edge version of docker (at least 18.04). That +causes most qt apps, qmake in particular, to fail. + +While the qt release notes do mention this + + - Qt uses the statx(2) system call for obtaining file information on + kernels 4.12 and later. Some older container systems install system call + protection rules that do not include this system call. If you experience + problems running Qt applications inside containers (such as the report of + a file not existing when it does), ensure the statx(2) is allowed in the + container configuration. + +it's not always feasible nor reasonable to upgrade (or tell one's +customers to upgrade) the build infrastructure. + +This opt-in patch simply monkey-patches out any (the only) use of statx +and ensures that the -ENOSYS fallbacks are used. 
+ +https://github.com/docker/for-linux/issues/208 +https://github.com/moby/moby/pull/36417 + +Upstream-Status: Inappropriate [workaround] +--- + src/corelib/io/qfilesystemengine_unix.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/corelib/io/qfilesystemengine_unix.cpp b/src/corelib/io/qfilesystemengine_unix.cpp +index b974af80dc..5f574901e3 100644 +--- a/src/corelib/io/qfilesystemengine_unix.cpp ++++ b/src/corelib/io/qfilesystemengine_unix.cpp +@@ -320,6 +320,9 @@ mtime(const T &statBuffer, int) + #ifdef STATX_BASIC_STATS + static int qt_real_statx(int fd, const char *pathname, int flags, struct statx *statxBuffer) + { ++#if 1 ++ return -ENOSYS; ++#else + #ifdef Q_ATOMIC_INT8_IS_SUPPORTED + static QBasicAtomicInteger<qint8> statxTested = Q_BASIC_ATOMIC_INITIALIZER(0); + #else +@@ -337,6 +340,7 @@ static int qt_real_statx(int fd, const char *pathname, int flags, struct statx * + } + statxTested.store(1); + return ret == -1 ? -errno : 0; ++#endif + } + + static int qt_statx(const char *pathname, struct statx *statxBuffer) +-- +2.16.4 + diff --git a/recipes-qt/qt5/qt5-git.inc b/recipes-qt/qt5/qt5-git.inc index 09b6cc5..41f9b7a 100644 --- a/recipes-qt/qt5/qt5-git.inc +++ b/recipes-qt/qt5/qt5-git.inc @@ -15,3 +15,5 @@ CVE_PRODUCT = "qt" S = "${WORKDIR}/git" PV = "5.11.1+git${SRCPV}" + +SRC_URI_append_no-xstat = " file://0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch" -- 2.16.4
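Review bot: in the new 0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch, the `#if 1` / `return -ENOSYS;` added at the top of qt_real_statx() carries no comment in the source, so the reason for the early return lives only in the patch header; a one-line comment next to it naming the seccomp -EPERM case would help whoever rebases this onto a later Qt. With the body compiled out under `#else`, the parameters fd, pathname, flags and statxBuffer are also unused, which a build with unused-parameter warnings enabled will flag. Since the failure described is -EPERM and not -ENOSYS, a narrower option worth considering is to keep the real call and treat EPERM like ENOSYS on the `return ret == -1 ? -errno : 0;` path, so hosts whose seccomp profile does allow statx keep using it.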
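Review bot: in the recipes-qt/qt5/qt5-git.inc hunk, the override in `SRC_URI_append_no-xstat` is spelled no-xstat, while the syscall, the patch subject and the patch file name all say statx; renaming it to no-statx would avoid users setting the wrong override and silently not getting the workaround. The override is also described only in the commit message, so a short comment above the append line (what it does, that it is opt-in via OVERRIDES) would document it where people will look. If qt5-git.inc is included by recipes other than the one that ships src/corelib/io/qfilesystemengine_unix.cpp, the patch will fail to apply in those recipes once the override is set, so the append may belong in the recipe for that source tree instead.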
