This causes an issue when using glib's gspawn APIs under libseccomp on
impish. It uses close_range to set CLOEXEC on some open file descriptors
and rightfully checks for ENOSYS. However, since seccomp doesn't know
about the syscall that becomes EPERM and it skips setting CLOEXEC
assuming there was
** Changed in: libseccomp (Ubuntu)
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1944436
Title:
Please backport support for
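The first comment above describes the failure mode exactly: code that probes close_range(2) and treats only ENOSYS as "fall back to the old method" will silently skip setting CLOEXEC when an older seccomp filter returns EPERM instead. The helper below is an added example, not code from the bug thread, glib, crun or libseccomp. It calls close_range directly through syscall(2) (syscall number 436 on every Linux architecture, used only if the headers lack SYS_close_range; CLOSE_RANGE_CLOEXEC is the real kernel flag, available since Linux 5.11) and falls back to a fcntl() loop on ENOSYS, EPERM or EINVAL. The function names and the pipe self-check are constructed for this example.

```c
/* Added example (not from the bug thread): mark every fd >= lowfd
 * close-on-exec with close_range(2), falling back to fcntl() when the
 * syscall is absent (ENOSYS), blocked by a seccomp filter that does not
 * know it (EPERM, the case in the thread), or lacks the
 * CLOSE_RANGE_CLOEXEC flag (EINVAL, kernels 5.9 and 5.10). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_close_range
#define SYS_close_range 436          /* same number on all Linux architectures */
#endif
#ifndef CLOSE_RANGE_CLOEXEC
#define CLOSE_RANGE_CLOEXEC (1U << 2)
#endif

/* The decision the thread is about: ENOSYS is not the only errno that
 * means "close_range is unavailable here". Returns 1 if the caller must
 * use the fallback path. */
int close_range_needs_fallback(int err)
{
    return err == ENOSYS || err == EPERM || err == EINVAL;
}

/* Pre-close_range method: walk the fd table and set FD_CLOEXEC on each
 * open descriptor. Bounded scan; constructed helper for this example. */
static int set_cloexec_fallback(int lowfd)
{
    struct rlimit rl;
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        maxfd = (long)rl.rlim_cur;
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;               /* cap; /proc/self/fd scales better on huge limits */
    for (long fd = lowfd; fd < maxfd; fd++) {
        int flags = fcntl((int)fd, F_GETFD);
        if (flags < 0)
            continue;                /* EBADF: not an open descriptor */
        if (!(flags & FD_CLOEXEC) &&
            fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) < 0)
            return -1;
    }
    return 0;
}

/* Returns 0 on success, -1 on a real failure. *used_fallback reports
 * which path ran, which is useful when diagnosing seccomp profiles. */
int set_cloexec_from(int lowfd, int *used_fallback)
{
    *used_fallback = 0;
    if (syscall(SYS_close_range, (unsigned)lowfd, ~0U, CLOSE_RANGE_CLOEXEC) == 0)
        return 0;
    if (!close_range_needs_fallback(errno))
        return -1;                   /* e.g. ENOMEM: report, do not mask */
    *used_fallback = 1;
    return set_cloexec_fallback(lowfd);
}

/* Self-check: create a pipe (constructed input), apply the helper, and
 * verify both ends carry FD_CLOEXEC whichever path ran. Returns 1 on success. */
int demo_pipe_gets_cloexec(void)
{
    int p[2], fallback, ok;
    if (pipe(p) < 0)
        return 0;
    if (set_cloexec_from(p[0] < p[1] ? p[0] : p[1], &fallback) < 0) {
        close(p[0]);
        close(p[1]);
        return 0;
    }
    ok = (fcntl(p[0], F_GETFD) & FD_CLOEXEC) && (fcntl(p[1], F_GETFD) & FD_CLOEXEC);
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void)
{
    int fb;
    if (set_cloexec_from(3, &fb) < 0) {
        perror("set_cloexec_from");
        return 1;
    }
    printf("CLOEXEC set on fds >= 3 via %s\n", fb ? "fcntl fallback" : "close_range");
    return 0;
}
```

Run inside a container whose seccomp profile predates close_range and the program reports "fcntl fallback" rather than leaving descriptors inheritable; on a current kernel without such a filter it reports "close_range". Either way the pipe self-check passes, which is the property a caller actually needs.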
Reminds me of LP: #1943049. I mentioned this bug there, as we should
make sure that close_range doesn't bring us back to that same issue.
I think the long test case in #5 now works. Note that later versions of
crun have worked around the problem:
https://github.com/containers/crun/pull/672
Still worth fixing, though, I think, as it is likely to cause further
problems as more code starts to use close_range.
Still working out kinks in the above, but here's a simpler one. Needs
running in an nspawn container again (steps 1-2 above); should either
succeed (no output) or print "function not implemented", but without
seccomp support nspawn will block it and it will print "not permitted"
#include
It's not going to be simple I'm afraid, at least for the original
problem! "scmp_sys_resolver close_range" will quickly test whether
current seccomp has support for close_range (prints "-1" if not
supported, "436" otherwise - at least on x86_64.) Ubuntu seccomp
maintainers have been pretty happy
Can you please post a simple reproducer?
Please backport support for "close_range" syscall
Can confirm rebuilding seccomp in focal with the relevant bits of the
above two commits allows me to whitelist close_range in systemd-nspawn,
solving my problem.
https://github.com/seccomp/libseccomp/pull/322/ (or at least parts of
it) probably required too.