[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
Focal may be affected after all then -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1868720 Title: backport time64 syscalls whitelist Status in libseccomp package in Ubuntu: Fix Released Status in libseccomp source package in Bionic: Triaged Status in libseccomp source package in Disco: Won't Fix Status in libseccomp source package in Eoan: Triaged Status in libseccomp source package in Focal: Fix Released Bug description: A number of new *time64 syscalls are introduced in newer kernel series (>=5.1.x): 403: clock_gettime64 404: clock_settime64 405: clock_adjtime64 406: clock_getres_time64 407: clock_nanosleep_time64 408: timer_gettime64 409: timer_settime64 410: timerfd_gettime64 411: timerfd_settime64 412: utimensat_time64 413: pselect6_time64 414: ppoll_time64 In particular utimensat_time64 is now used inside glibc>=2.31 In turn ubuntu with has trouble running docker images of newer distros. This problem affects libseccomp<2.4.2, ie bionic (lts), and eoan, but not focal. See a similar report at Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1770154 A solution could be to backport the related changes from 2.4.2 similarly to what happened for the statx whitelisting (https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1868720/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
turns ou we may also need this fix in docker: https://github.com/moby/moby/pull/40739 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1868720 Title: backport time64 syscalls whitelist Status in libseccomp package in Ubuntu: Fix Released Status in libseccomp source package in Bionic: Triaged Status in libseccomp source package in Disco: Won't Fix Status in libseccomp source package in Eoan: Triaged Status in libseccomp source package in Focal: Fix Released Bug description: A number of new *time64 syscalls are introduced in newer kernel series (>=5.1.x): 403: clock_gettime64 404: clock_settime64 405: clock_adjtime64 406: clock_getres_time64 407: clock_nanosleep_time64 408: timer_gettime64 409: timer_settime64 410: timerfd_gettime64 411: timerfd_settime64 412: utimensat_time64 413: pselect6_time64 414: ppoll_time64 In particular utimensat_time64 is now used inside glibc>=2.31 In turn ubuntu with has trouble running docker images of newer distros. This problem affects libseccomp<2.4.2, ie bionic (lts), and eoan, but not focal. See a similar report at Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1770154 A solution could be to backport the related changes from 2.4.2 similarly to what happened for the statx whitelisting (https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1868720/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
of course, you do: cd /tmp && git clone https://github.com/xantares/test-seccomp-time64.git && docker build test-seccomp-time64 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1868720 Title: backport time64 syscalls whitelist Status in libseccomp package in Ubuntu: Fix Released Status in libseccomp source package in Bionic: Triaged Status in libseccomp source package in Disco: Won't Fix Status in libseccomp source package in Eoan: Triaged Status in libseccomp source package in Focal: Fix Released Bug description: A number of new *time64 syscalls are introduced in newer kernel series (>=5.1.x): 403: clock_gettime64 404: clock_settime64 405: clock_adjtime64 406: clock_getres_time64 407: clock_nanosleep_time64 408: timer_gettime64 409: timer_settime64 410: timerfd_gettime64 411: timerfd_settime64 412: utimensat_time64 413: pselect6_time64 414: ppoll_time64 In particular utimensat_time64 is now used inside glibc>=2.31 In turn ubuntu with has trouble running docker images of newer distros. This problem affects libseccomp<2.4.2, ie bionic (lts), and eoan, but not focal. See a similar report at Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1770154 A solution could be to backport the related changes from 2.4.2 similarly to what happened for the statx whitelisting (https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1868720/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
** Patch added: "backport time64 syscalls from 2.4.2 into 2.4.1" https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1868720/+attachment/5340882/+files/libseccomp241-time64.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1868720 Title: backport time64 syscalls whitelist Status in libseccomp package in Ubuntu: New Bug description: A number of new *time64 syscalls are introduced in newer kernel series (>=5.1.x): 403: clock_gettime64 404: clock_settime64 405: clock_adjtime64 406: clock_getres_time64 407: clock_nanosleep_time64 408: timer_gettime64 409: timer_settime64 410: timerfd_gettime64 411: timerfd_settime64 412: utimensat_time64 413: pselect6_time64 414: ppoll_time64 In particular utimensat_time64 is now used inside glibc>=2.31 In turn ubuntu with has trouble running docker images of newer distros. This problem affects libseccomp<2.4.2, ie bionic (lts), and eoan, but not focal. See a similar report at Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1770154 A solution could be to backport the related changes from 2.4.2 similarly to what happened for the statx whitelisting (https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1868720/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1868720] [NEW] backport time64 syscalls whitelist
Public bug reported: A number of new *time64 syscalls are introduced in newer kernel series (>=5.1.x): 403: clock_gettime64 404: clock_settime64 405: clock_adjtime64 406: clock_getres_time64 407: clock_nanosleep_time64 408: timer_gettime64 409: timer_settime64 410: timerfd_gettime64 411: timerfd_settime64 412: utimensat_time64 413: pselect6_time64 414: ppoll_time64 In particular utimensat_time64 is now used inside glibc>=2.31 In turn ubuntu with has trouble running docker images of newer distros. This problem affects libseccomp<2.4.2, ie bionic (lts), and eoan, but not focal. See a similar report at Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1770154 A solution could be to backport the related changes from 2.4.2 similarly to what happened for the statx whitelisting (https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250). ** Affects: libseccomp (Ubuntu) Importance: Undecided Status: New ** Tags: docker ** Description changed: A number of new *time64 syscalls are introduced in newer kernel series (>=5.1.x): 403: clock_gettime64 404: clock_settime64 405: clock_adjtime64 406: clock_getres_time64 407: clock_nanosleep_time64 408: timer_gettime64 409: timer_settime64 410: timerfd_gettime64 411: timerfd_settime64 412: utimensat_time64 413: pselect6_time64 414: ppoll_time64 In particular utimensat_time64 is now used inside glibc>=2.31 In turn ubuntu with has trouble running docker images of newer distros. This problem affects libseccomp<2.4.2, ie bionic (lts), and eoan, but not focal. See a similar report at Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1770154 A solution could be to backport the related changes from 2.4.2 similarly - to what happened for the statx whitelisting (#1755250). + to what happened for the statx whitelisting + (https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1868720 Title: backport time64 syscalls whitelist Status in libseccomp package in Ubuntu: New Bug description: A number of new *time64 syscalls are introduced in newer kernel series (>=5.1.x): 403: clock_gettime64 404: clock_settime64 405: clock_adjtime64 406: clock_getres_time64 407: clock_nanosleep_time64 408: timer_gettime64 409: timer_settime64 410: timerfd_gettime64 411: timerfd_settime64 412: utimensat_time64 413: pselect6_time64 414: ppoll_time64 In particular utimensat_time64 is now used inside glibc>=2.31 In turn ubuntu with has trouble running docker images of newer distros. This problem affects libseccomp<2.4.2, ie bionic (lts), and eoan, but not focal. See a similar report at Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1770154 A solution could be to backport the related changes from 2.4.2 similarly to what happened for the statx whitelisting (https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1868720/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Has this been released ? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1755250 Title: backport statx syscall whitelist fix Status in docker.io package in Ubuntu: Invalid Status in libseccomp package in Ubuntu: Fix Released Status in docker.io source package in Bionic: Invalid Status in libseccomp source package in Bionic: Fix Committed Status in docker.io source package in Cosmic: Invalid Status in libseccomp source package in Cosmic: Fix Released Bug description: [Impact] * Some newer workloads fail due to libseccomp as in Bionic lacking statx support * This backports the syscall definitions for statx to Bionic to allow to manage those [Test Case] # Note: I took a KVM image of Bionic to not spoil my system with Docker config for this test too much $ sudo apt install docker.io $ sudo usermod -a -G docker ubuntu $ cat > test-statx/Dockerfile << EOF FROM ubuntu:18.04 RUN apt-get update && apt-get install -y wget gcc WORKDIR /tmp RUN wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c RUN gcc test-statx.c -o test-statx RUN touch test-file RUN chmod +x ./test-statx RUN ./test-statx test-file EOF $ docker build test-statx With the bug and current docker 18.06.1-0ubuntu1~18.04.1 in Bionic that yields [...] Step 8/8 : RUN ./test-statx test-file ---> Running in 6e60a82409e6 test-file: Operation not permitted statx(test-file) = -1 The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1 With the fix applied it would work and look like: Step 8/8 : RUN ./test-statx test-file ---> Running in a83bc043e7bd statx(test-file) = 0 results=fff Size: 0 Blocks: 0 IO Block: 4096regular file Device: 00:32 Inode: 261994 Links: 1 Access: (0644/-rw-r--r--) Uid: 0 Gid: 0 Access: 2019-02-08 07:57:42.0+ Modify: 2019-02-08 07:57:42.0+ Change: 2019-02-08 07:57:43.076507007+ Birth: 2019-02-08 07:57:43.076507007+ Attributes: ( -... .---.-..) Removing intermediate container a83bc043e7bd ---> d428d14cbc57 Successfully built d428d14cbc57 [Regression Potential] * This "only" defines a new syscall number for all the architectures. It does not make any other changes, thereby it should be rather safe. If anything software could now manage statx through libseccomp and behavior that was formerly failing (like the reported docker case) would not succeed and due to that be a change in behavior - but I think it is a wanted change. [Other Info] * n/a --- Hello maintainer, The docker version 17.03 (bionic) in ubuntu doesn't allow the statx syscall which is needed to build qt >=5.10 applications: https://github.com/docker/for-linux/issues/208#issuecomment-372400859 Could this fix be backported in the ubuntu package ? https://github.com/moby/moby/pull/36417 regards, xan. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Ok for me too, I just installed libseccomp2_2.3.1-2.1ubuntu4.1_amd64.deb and it works: Step 16/18 : RUN gcc test-statx.c -o test-statx ---> Running in 501935bb923d Removing intermediate container 501935bb923d ---> a47f15cd6fc8 Step 17/18 : RUN touch test-file ---> Running in 1038f76ad915 Removing intermediate container 1038f76ad915 ---> b0722af4d6f1 Step 18/18 : RUN ./test-statx test-file ---> Running in 52e32a35825e statx(test-file) = 0 results=fff Size: 0 Blocks: 0 IO Block: 4096regular file Device: 00:3a Inode: 4588842 Links: 1 Access: (0644/-rw-r--r--) Uid: 1000 Gid: 1000 Access: 2019-02-28 10:13:33.0+ Modify: 2019-02-28 10:13:33.0+ Change: 2019-02-28 10:13:33.836307736+ Birth: 2019-02-28 10:13:33.836307736+ Attributes: ( -... .---.-..) Removing intermediate container 52e32a35825e ---> 72fbbcb57e15 Successfully built 72fbbcb57e15 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1755250 Title: backport statx syscall whitelist fix Status in docker.io package in Ubuntu: Invalid Status in libseccomp package in Ubuntu: Fix Released Status in docker.io source package in Bionic: Invalid Status in libseccomp source package in Bionic: Fix Committed Status in docker.io source package in Cosmic: Invalid Status in libseccomp source package in Cosmic: Fix Released Bug description: [Impact] * Some newer workloads fail due to libseccomp as in Bionic lacking statx support * This backports the syscall definitions for statx to Bionic to allow to manage those [Test Case] # Note: I took a KVM image of Bionic to not spoil my system with Docker config for this test too much $ sudo apt install docker.io $ sudo usermod -a -G docker ubuntu $ cat > test-statx/Dockerfile << EOF FROM ubuntu:18.04 RUN apt-get update && apt-get install -y wget gcc WORKDIR /tmp RUN wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c RUN gcc test-statx.c -o test-statx RUN touch test-file RUN chmod +x ./test-statx RUN ./test-statx test-file EOF $ docker build test-statx With the bug and current docker 18.06.1-0ubuntu1~18.04.1 in Bionic that yields [...] Step 8/8 : RUN ./test-statx test-file ---> Running in 6e60a82409e6 test-file: Operation not permitted statx(test-file) = -1 The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1 With the fix applied it would work and look like: Step 8/8 : RUN ./test-statx test-file ---> Running in a83bc043e7bd statx(test-file) = 0 results=fff Size: 0 Blocks: 0 IO Block: 4096regular file Device: 00:32 Inode: 261994 Links: 1 Access: (0644/-rw-r--r--) Uid: 0 Gid: 0 Access: 2019-02-08 07:57:42.0+ Modify: 2019-02-08 07:57:42.0+ Change: 2019-02-08 07:57:43.076507007+ Birth: 2019-02-08 07:57:43.076507007+ Attributes: ( -... .---.-..) Removing intermediate container a83bc043e7bd ---> d428d14cbc57 Successfully built d428d14cbc57 [Regression Potential] * This "only" defines a new syscall number for all the architectures. It does not make any other changes, thereby it should be rather safe. If anything software could now manage statx through libseccomp and behavior that was formerly failing (like the reported docker case) would not succeed and due to that be a change in behavior - but I think it is a wanted change. [Other Info] * n/a --- Hello maintainer, The docker version 17.03 (bionic) in ubuntu doesn't allow the statx syscall which is needed to build qt >=5.10 applications: https://github.com/docker/for-linux/issues/208#issuecomment-372400859 Could this fix be backported in the ubuntu package ? https://github.com/moby/moby/pull/36417 regards, xan. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
hello, how long does it take usually for ubuntu to review the changes ? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1755250 Title: backport statx syscall whitelist fix Status in docker.io package in Ubuntu: Invalid Status in libseccomp package in Ubuntu: Fix Released Status in docker.io source package in Bionic: Invalid Status in libseccomp source package in Bionic: In Progress Status in docker.io source package in Cosmic: Invalid Status in libseccomp source package in Cosmic: Fix Released Bug description: [Impact] * Some newer workloads fail due to libseccomp as in Bionic lacking statx support * This backports the syscall definitions for statx to Bionic to allow to manage those [Test Case] # Note: I took a KVM image of Bionic to not spoil my system with Docker config for this test too much $ sudo apt install docker.io $ sudo usermod -a -G docker ubuntu $ cat > test-statx/Dockerfile << EOF FROM ubuntu:18.04 RUN apt-get update && apt-get install -y wget gcc WORKDIR /tmp RUN wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c RUN gcc test-statx.c -o test-statx RUN touch test-file RUN chmod +x ./test-statx RUN ./test-statx test-file EOF $ docker build test-statx With the bug and current docker 18.06.1-0ubuntu1~18.04.1 in Bionic that yields [...] Step 8/8 : RUN ./test-statx test-file ---> Running in 6e60a82409e6 test-file: Operation not permitted statx(test-file) = -1 The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1 With the fix applied it would work and look like: Step 8/8 : RUN ./test-statx test-file ---> Running in a83bc043e7bd statx(test-file) = 0 results=fff Size: 0 Blocks: 0 IO Block: 4096regular file Device: 00:32 Inode: 261994 Links: 1 Access: (0644/-rw-r--r--) Uid: 0 Gid: 0 Access: 2019-02-08 07:57:42.0+ Modify: 2019-02-08 07:57:42.0+ Change: 2019-02-08 07:57:43.076507007+ Birth: 2019-02-08 07:57:43.076507007+ Attributes: ( -... .---.-..) Removing intermediate container a83bc043e7bd ---> d428d14cbc57 Successfully built d428d14cbc57 [Regression Potential] * This "only" defines a new syscall number for all the architectures. It does not make any other changes, thereby it should be rather safe. If anything software could now manage statx through libseccomp and behavior that was formerly failing (like the reported docker case) would not succeed and due to that be a change in behavior - but I think it is a wanted change. [Other Info] * n/a --- Hello maintainer, The docker version 17.03 (bionic) in ubuntu doesn't allow the statx syscall which is needed to build qt >=5.10 applications: https://github.com/docker/for-linux/issues/208#issuecomment-372400859 Could this fix be backported in the ubuntu package ? https://github.com/moby/moby/pull/36417 regards, xan. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
here is a patch against libseccomp 2.3.1 in bionic (on top of the debian risc port patch) I manually applied changes from libseccomp 2.3.3 that reference the statx syscalls for the risc part i used the diff from https://github.com/seccomp/libseccomp/blob/2a70ad4f3e8ab80e88f0662a760f4ef1d9219205/src /arch-parisc-syscalls.c successfully rebuilt the package and tested it on x86_64 please apply for ubuntu bionic to test it in a docker container you can do: WORKDIR /tmp RUN wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c RUN gcc test-statx.c -o test-statx RUN touch test-file RUN ./test-statx test-file ** Patch added: "libsecomp231-statx.patch" https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1755250/+attachment/5236693/+files/libsecomp231-statx.patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1755250 Title: backport statx syscall whitelist fix Status in docker.io package in Ubuntu: Confirmed Status in libseccomp package in Ubuntu: Confirmed Bug description: Hello maintainer, The docker version 17.03 (bionic) in ubuntu doesn't allow the statx syscall which is needed to build qt >=5.10 applications: https://github.com/docker/for-linux/issues/208#issuecomment-372400859 Could this fix be backported in the ubuntu package ? https://github.com/moby/moby/pull/36417 regards, xan. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
