--- Comment From s...@de.ibm.com 2021-04-22 07:23 EDT---
Hi,
I've also run some tests on s390x:
On Ubuntu 18.04 (bionic) with libseccomp2 2.5.1-1ubuntu1~18.04.1 and linux 4.15.0.142.129:
In a systemd-nspawn hirsute container:
bash -c "test -x /bin/bash"
returns 1 and strace shows:
faccessat2(AT_FDCWD, "/bin/bash", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
and a seccomp-tools dump showed that the seccomp filter allows the faccessat2 (=0x1b7) syscall!
After upgrading to 4.15.0-143-generic #147+hf1916485v20210421b1 from your PPA,
the command works fine:
faccessat2(AT_FDCWD, "/bin/bash", X_OK, AT_EACCESS) = -1 ENOSYS (Function not implemented)
faccessat(AT_FDCWD, "/bin/bash", X_OK) = 0
In a "docker run -it ubuntu:hirsute /bin/bash" container
(runc-1.0.0~rc93-0ubuntu1~18.04.1), the command also works fine and the
seccomp-filter applied by docker also allows faccessat2.
On Ubuntu 20.10 (groovy) with libseccomp2 2.5.1-1ubuntu1~20.10.1 and linux
5.8.0.51.56, both the tests in systemd-nspawn and in docker container are
working fine and the dump of the seccomp-filter shows that faccessat2 is
allowed.
(On the same system before updating libseccomp2 to the mentioned version,
libseccomp2 2.4.3-1ubuntu4 was used. There the dump of the seccomp-filter
showed that the faccessat2 syscall was not allowed and thus the test command
failed.)
Thanks.
https://bugs.launchpad.net/bugs/1916485
Title:
test -x fails inside shell scripts in containers
Status in Ubuntu on IBM z Systems:
New
Status in docker.io package in Ubuntu:
New
Status in glibc package in Ubuntu:
Opinion
Status in libseccomp package in Ubuntu:
Fix Committed
Status in runc package in Ubuntu:
Fix Released
Status in systemd package in Ubuntu:
Fix Released
Status in docker.io source package in Xenial:
New
Status in libseccomp source package in Xenial:
New
Status in runc source package in Xenial:
New
Status in systemd source package in Xenial:
Invalid
Status in docker.io source package in Bionic:
New
Status in libseccomp source package in Bionic:
New
Status in runc source package in Bionic:
Fix Released
Status in systemd source package in Bionic:
Fix Released
Status in docker.io source package in Focal:
New
Status in libseccomp source package in Focal:
New
Status in runc source package in Focal:
Fix Released
Status in systemd source package in Focal:
Fix Released
Status in docker.io source package in Groovy:
New
Status in libseccomp source package in Groovy:
New
Status in runc source package in Groovy:
Fix Released
Status in systemd source package in Groovy:
Fix Released
Status in docker.io source package in Hirsute:
New
Status in libseccomp source package in Hirsute:
Fix Committed
Status in runc source package in Hirsute:
Fix Released
Status in systemd source package in Hirsute:
Fix Released
Status in systemd package in Debian:
Fix Released
Bug description:
(SRU template for systemd)
[impact]
bash (and some other shells) builtin test command -x operation fails
[test case]
on any affected host system, start nspawn container, e.g.:
$ sudo apt install systemd-container
$ wget https://cloud-images.ubuntu.com/hirsute/current/hirsute-server-cloudimg-amd64-root.tar.xz
$ mkdir h
$ cd h
$ tar xvf ../hirsute-server-cloudimg-amd64-root.tar.xz
$ sudo systemd-nspawn
Then from a bash shell, verify if test -x works:
root@h:~# ls -l /usr/bin/gpg
-rwxr-xr-x 1 1000 1000 1083472 Jan 16 09:53 /usr/bin/gpg
root@h:~# test -x /usr/bin/gpg || echo "fail"
fail
[regression potential]
any regression would likely occur during a syscall, most likely
faccessat2(), or during other syscalls.
[scope]
this is needed for b/f
this is fixed upstream by commit
bcf08acbffdee0d6360d3c31d268e73d0623e5dc which is in 247 and later, so
this is fixed in h
this was pulled into Debian at version 246.2 in commit
e80c5e5371ab77792bae94e0f8c5e85a4237e6eb, so this is fixed in g
in x, the entire systemd seccomp code is completely different and the
patch doesn't apply, nor does it appear to be needed, as the problem
doesn't reproduce in a h container under x.
[other info]
this needs fixing in libseccomp as well
[original description]
glibc regression causes test -x to fail inside scripts inside
docker/podman, dash and bash are broken, mksh and zsh are fine:
root@0df2ce5d7a46:/# test -x /usr/bin/gpg || echo Fail
root@0df2ce5d7a46:/# dash -c "test -x /usr/bin/gpg || echo Fail"
Fail
root@0df2ce5d7a46:/# bash -c "test -x /usr/bin/gpg || echo Fail"
Fail
root@0df2ce5d7a46:/# mksh -c "test -x /usr/bin/gpg || echo Fail"
root@0df2ce5d7a46:/# zsh -c "test -x /usr/bin/gpg || echo Fail"
root@0df2ce5d7a46:/#
root@0df2ce5d7a46:/# zsh -c "[ -x /usr/bin/gpg ] || echo Fail"
root@0df2ce5d7a46:/# mksh -c "[