On Mon, Jul 16, 2018 at 11:22:21AM +0200, Rasmus Villemoes wrote:
> When used inside an unprivileged docker container, statx(2) gets
> rejected with -EPERM by the default seccomp profile, unless the host
> runs an almost-bleeding edge version of docker (at least 18.04). That
> causes most qt apps, qmake in particular, to fail.
>
> While the qt release notes do mention this
>
> - Qt uses the statx(2) system call for obtaining file information on
> kernels 4.12 and later. Some older container systems install system call
> protection rules that do not include this system call. If you experience
> problems running Qt applications inside containers (such as the report of
> a file not existing when it does), ensure the statx(2) is allowed in the
> container configuration.
>
> it's not always feasible nor reasonable to upgrade (or tell one's
> customers to upgrade) the build infrastructure, especially since several
> distros as of this writing don't even seem to ship such a recent version
> in their official repositories.
>
> This opt-in patch simply monkey-patches out any (the only) use of statx
> and ensures that the -ENOSYS fallbacks are used. While I agree that this
> is really a bug in the container system, this takes the short and
> pragmatic approach to getting things to work.
>
> To opt-in, just prepend no-xstat: to OVERRIDES in some global
> configuration file, possibly restricting that to e.g. native and
> nativesdk.
>
> Signed-off-by: Rasmus Villemoes <[email protected]>
> ---
> ...temengine_unix.cpp-disable-use-of-statx-2.patch | 58
> ++++++++++++++++++++++
> recipes-qt/qt5/qt5-git.inc | 2 +
> 2 files changed, 60 insertions(+)
> create mode 100644
> recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
> > diff --git > a/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch > > b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch > new file mode 100644 > index 0000000..6efbfe4 > --- /dev/null > +++ > b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch 
> @@ -0,0 +1,58 @@ > +From dc5218c70d445a4692271add1a17091afb230095 Mon Sep 17 00:00:00 2001 > +From: Rasmus Villemoes <[email protected]> > +Date: Mon, 16 Jul 2018 09:50:06 +0200 > +Subject: [PATCH] qfilesystemengine_unix.cpp: disable use of statx(2) > + > +When used inside an unprivileged docker container, statx(2) gets > +rejected with -EPERM by the default seccomp profile, unless the host > +runs an almost-bleeding edge version of docker (at least 18.04). That > +causes most qt apps, qmake in particular, to fail. > + > +While the qt release notes do mention this > + > + - Qt uses the statx(2) system call for obtaining file information on > + kernels 4.12 and later. Some older container systems install system call > + protection rules that do not include this system call. If you experience > + problems running Qt applications inside containers (such as the report of > + a file not existing when it does), ensure the statx(2) is allowed in the > + container configuration. > + > +it's not always feasible nor reasonable to upgrade (or tell one's > +customers to upgrade) the build infrastructure. > + > +This opt-in patch simply monkey-patches out any (the only) use of statx > +and ensures that the -ENOSYS fallbacks are used. 
> + > +https://github.com/docker/for-linux/issues/208 > +https://github.com/moby/moby/pull/36417 > + > +Upstream-Status: Inappropriate [workaround] > +--- > + src/corelib/io/qfilesystemengine_unix.cpp | 4 ++++ > + 1 file changed, 4 insertions(+) > + > +diff --git a/src/corelib/io/qfilesystemengine_unix.cpp > b/src/corelib/io/qfilesystemengine_unix.cpp > +index b974af80dc..5f574901e3 100644 > +--- a/src/corelib/io/qfilesystemengine_unix.cpp > ++++ b/src/corelib/io/qfilesystemengine_unix.cpp > +@@ -320,6 +320,9 @@ mtime(const T &statBuffer, int) > + #ifdef STATX_BASIC_STATS > + static int qt_real_statx(int fd, const char *pathname, int flags, struct > statx *statxBuffer) > + { > ++#if 1 > ++ return -ENOSYS; > ++#else > + #ifdef Q_ATOMIC_INT8_IS_SUPPORTED > + static QBasicAtomicInteger<qint8> statxTested = > Q_BASIC_ATOMIC_INITIALIZER(0); > + #else > +@@ -337,6 +340,7 @@ static int qt_real_statx(int fd, const char *pathname, > int flags, struct statx * > + } > + statxTested.store(1); > + return ret == -1 ? -errno : 0; > ++#endif > + } > + > + static int qt_statx(const char *pathname, struct statx *statxBuffer) > +-- > +2.16.4 > + > diff --git a/recipes-qt/qt5/qt5-git.inc b/recipes-qt/qt5/qt5-git.inc > index 09b6cc5..41f9b7a 100644 > --- a/recipes-qt/qt5/qt5-git.inc > +++ b/recipes-qt/qt5/qt5-git.inc > @@ -15,3 +15,5 @@ CVE_PRODUCT = "qt" > S = "${WORKDIR}/git" > > PV = "5.11.1+git${SRCPV}" > + > +SRC_URI_append_no-xstat = " > file://0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch"
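Review bot: the "#if 1" / "return -ENOSYS;" stub at the top of qt_real_statx() has no comment, so anyone reading the patched qfilesystemengine_unix.cpp cannot tell why the statx probe below it is compiled out. Add a one-line comment above the "#if 1" that names the seccomp -EPERM rejection described in the commit message (or one of the two URLs given there). Everything between "#else" and "#endif" becomes dead code, including the statxTested caching. Since the reported failure is statx(2) returning -EPERM, consider instead having the existing probe treat -EPERM the same way as -ENOSYS, which would keep statx in use on hosts whose seccomp profile allows it.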
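Review bot: the "SRC_URI_append_no-xstat" line is added to recipes-qt/qt5/qt5-git.inc, but the patch it pulls in only touches src/corelib/io/qfilesystemengine_unix.cpp. If this .inc is included by recipes whose source tree does not contain that file, the patch will fail to apply for them as soon as the override is enabled, so the append should live in the recipe that actually builds that source. The override is also spelled "no-xstat" while the syscall, the commit subject and the patch file name all say statx; "no-statx" would be less error-prone for anyone typing it into OVERRIDES.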
Isn't this applicable only to *qtbase*?

> --
> 2.16.4

--
Martin 'JaMa' Jansa     jabber: [email protected]
-- _______________________________________________ Openembedded-devel mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-devel
