Bug#1071822: libseccomp2: missing support for newer syscalls like fchmodat2 in bookworm(-backports)

2024-05-25 Thread Felix Geyer

Control: fixed -1 libseccomp/2.5.5-1

Hi,

On 25.05.24 08:48, Tianon Gravi wrote:

> Source: libseccomp
> Version: 2.5.4-1
> Severity: normal
> X-Debbugs-Cc: tia...@debian.org
>
> Hi!  When using Docker in bookworm (current stable) and trying to run
> containers based on newer distributions (like the recently released
> Alpine 3.20), they will sometimes attempt to invoke newer syscalls like
> fchmodat2.  Due to the way syscalls that libseccomp does not know about
> interact with Docker's seccomp profiles, these sometimes get EPERM
> instead of ENOSYS like they should, which breaks their fallback.
>
> Is there any chance of getting these newer syscalls into some version in
> bookworm? (backports is very acceptable, but it *seems* like this might
> be appropriate for a stable update too?  I very much defer to your
> wisdom/experience! <3)


I think this is suitable for a stable update. At least I've pushed the same
kind of change to bullseye.
I've opened #1071920 for the release team.


> I think you're probably already way more aware than I am, but from my
> own look at the changes in the 2.5.5 upstream release, they're pretty
> minimal (a few typo fixes and the desired syscall table updates [1]), so
> perhaps 2.5.5 would be appropriate/sufficient and it's not necessary to
> backport the patch by itself?

While the source changes of 2.5.5 look reasonably small, it looks different
when you diff the tarballs with pre-generated C and autotools files.
That's why I prefer to cherry-pick the commit.

Cheers,
Felix



Bug#1071822: libseccomp2: missing support for newer syscalls like fchmodat2 in bookworm(-backports)

2024-05-25 Thread Tianon Gravi
On Fri, 24 May 2024 at 23:54, Tianon Gravi wrote:
> Hi!  When using Docker in bookworm (current stable) and trying to run
> containers based on newer distributions (like the recently released
> Alpine 3.20), they will sometimes attempt to invoke newer syscalls like
> fchmodat2.  Due to the way syscalls that libseccomp does not know about
> interact with Docker's seccomp profiles, these sometimes get EPERM
> instead of ENOSYS like they should, which breaks their fallback.
>
> Is there any chance of getting these newer syscalls into some version in
> bookworm? (backports is very acceptable, but it *seems* like this might
> be appropriate for a stable update too?  I very much defer to your
> wisdom/experience! <3)

To add more useful affirmative data -- I reproduced one of my
confirmed failing builds against stable's 2.5.4, upgraded just
libseccomp2 to unstable's 2.5.5, and the build was then successful. :D

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4



Bug#1071822: libseccomp2: missing support for newer syscalls like fchmodat2 in bookworm(-backports)

2024-05-25 Thread Tianon Gravi
Source: libseccomp
Version: 2.5.4-1
Severity: normal
X-Debbugs-Cc: tia...@debian.org

Hi!  When using Docker in bookworm (current stable) and trying to run
containers based on newer distributions (like the recently released
Alpine 3.20), they will sometimes attempt to invoke newer syscalls like
fchmodat2.  Due to the way syscalls that libseccomp does not know about
interact with Docker's seccomp profiles, these sometimes get EPERM
instead of ENOSYS like they should, which breaks their fallback.

Is there any chance of getting these newer syscalls into some version in
bookworm? (backports is very acceptable, but it *seems* like this might
be appropriate for a stable update too?  I very much defer to your
wisdom/experience! <3)

I think you're probably already way more aware than I am, but from my
own look at the changes in the 2.5.5 upstream release, they're pretty
minimal (a few typo fixes and the desired syscall table updates [1]), so
perhaps 2.5.5 would be appropriate/sufficient and it's not necessary to
backport the patch by itself?

[1]: https://github.com/seccomp/libseccomp/compare/v2.5.4...v2.5.5


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-21-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
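The fallback that the report above says EPERM breaks, as an added C example (not code from the bug report, libseccomp or Docker): try fchmodat2 first and fall back to fchmodat only when the answer is ENOSYS, so a filter that answers EPERM for an unknown syscall is surfaced as a real denial instead. It assumes the x86_64/asm-generic syscall number 452 when the system headers do not define __NR_fchmodat2, and a writable /tmp for the scratch file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_fchmodat2   /* headers older than Linux 6.6 lack it; 452 is the x86_64/asm-generic number (assumption) */
#define __NR_fchmodat2 452
#endif

enum chmod_path { PATH_FAILED = 0, PATH_FCHMODAT = 1, PATH_FCHMODAT2 = 2 };

/* Try fchmodat2 first and fall back to fchmodat only on ENOSYS. A seccomp filter
   that answers EPERM for a syscall libseccomp does not know about takes the
   "real denial" branch, so the fallback never runs and the caller sees EPERM. */
static enum chmod_path chmod_with_fallback(int dirfd, const char *path, mode_t mode)
{
    if (syscall(__NR_fchmodat2, dirfd, path, (long)mode, 0L) == 0)
        return PATH_FCHMODAT2;
    if (errno != ENOSYS)            /* EPERM, EACCES, ...: never mask a real denial */
        return PATH_FAILED;
    return fchmodat(dirfd, path, mode, 0) == 0 ? PATH_FCHMODAT : PATH_FAILED;
}

/* Create a scratch file, chmod it to 0600 through the helper and return the
   permission bits that actually landed on it (-1 on failure). */
static int demo_chmod_tempfile(enum chmod_path *taken)
{
    char tmpl[] = "/tmp/fchmodat2-demo-XXXXXX";   /* constructed scratch path */
    struct stat st;
    *taken = PATH_FAILED;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    *taken = chmod_with_fallback(AT_FDCWD, tmpl, 0600);
    int rc = (*taken != PATH_FAILED) ? fstat(fd, &st) : -1;
    close(fd);
    unlink(tmpl);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void)
{
    enum chmod_path taken;
    int bits = demo_chmod_tempfile(&taken);
    printf("mode %04o via %s\n", bits, taken == PATH_FCHMODAT2 ? "fchmodat2" : "fchmodat fallback");
    return bits == 0600 ? 0 : 1;
}
```

On a kernel or filter that reports ENOSYS the program prints the fallback path; under a filter that returns EPERM it exits non-zero, which is exactly the build breakage the report describes.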