[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
*** This bug is a duplicate of bug 1876055 ***
    https://bugs.launchpad.net/bugs/1876055

Thanks Jamie, that will fix this bug here as well then, IMHO we should mark it as a dup then.

** This bug has been marked a duplicate of bug 1876055
   SRU: Backport 2.4.3-1ubuntu2 from groovy to focal/eoan/bionic/xenial for newer syscalls for core20 base

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1868720

Title:
  backport time64 syscalls whitelist

Status in docker.io package in Ubuntu:
  New
Status in libseccomp package in Ubuntu:
  Fix Released
Status in docker.io source package in Bionic:
  New
Status in libseccomp source package in Bionic:
  Triaged
Status in docker.io source package in Disco:
  Won't Fix
Status in libseccomp source package in Disco:
  Won't Fix
Status in docker.io source package in Eoan:
  New
Status in libseccomp source package in Eoan:
  Triaged
Status in docker.io source package in Focal:
  New
Status in libseccomp source package in Focal:
  Fix Released

Bug description:
  A number of new *time64 syscalls are introduced in newer kernel series (>=5.1.x):
  403: clock_gettime64
  404: clock_settime64
  405: clock_adjtime64
  406: clock_getres_time64
  407: clock_nanosleep_time64
  408: timer_gettime64
  409: timer_settime64
  410: timerfd_gettime64
  411: timerfd_settime64
  412: utimensat_time64
  413: pselect6_time64
  414: ppoll_time64

  In particular utimensat_time64 is now used inside glibc>=2.31

  In turn ubuntu with has trouble running docker images of newer distros.

  This problem affects libseccomp<2.4.2, ie bionic (lts), and eoan, but not focal.

  See a similar report at Fedora:
  https://bugzilla.redhat.com/show_bug.cgi?id=1770154

  A solution could be to backport the related changes from 2.4.2 similarly to what happened for the statx whitelisting (https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1868720/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
There is actually an SRU in progress for libseccomp: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1876055.
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
** Also affects: docker.io (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: docker.io (Ubuntu Disco)
       Status: New => Won't Fix
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
Focal may be affected after all then
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
turns out we may also need this fix in docker:
https://github.com/moby/moby/pull/40739
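Added example, not part of the original thread and not code from libseccomp or Docker: a check that a Docker-style seccomp profile (JSON with `defaultAction` and a list of `syscalls` rules) allows the twelve time64 syscalls listed in the bug description. The sample profile is constructed, and the function names `audit_time64` and `not_allowed` are hypothetical.

```python
import json

# The twelve syscalls and numbers exactly as listed in the bug description.
TIME64_SYSCALLS = {
    403: "clock_gettime64", 404: "clock_settime64", 405: "clock_adjtime64",
    406: "clock_getres_time64", 407: "clock_nanosleep_time64",
    408: "timer_gettime64", 409: "timer_settime64",
    410: "timerfd_gettime64", 411: "timerfd_settime64",
    412: "utimensat_time64", 413: "pselect6_time64", 414: "ppoll_time64",
}

# Constructed sample profile for this example (not a real Docker default profile).
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["clock_gettime", "clock_gettime64", "ppoll", "ppoll_time64"],
     "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["clock_settime", "clock_settime64", "clock_adjtime64"],
     "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_TIME"]}},
    {"name": "timer_gettime64", "action": "SCMP_ACT_ALLOW"},
    {"names": ["utimensat"], "action": "SCMP_ACT_ALLOW"}
  ]
}
""")


def audit_time64(profile):
    """Map each time64 syscall name to 'allowed', 'conditional' or 'missing'."""
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        raise ValueError("not an allowlist profile: default action allows everything")
    status = {name: "missing" for name in TIME64_SYSCALLS.values()}
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        names = list(rule.get("names") or [])
        if rule.get("name"):  # single-name form of a rule
            names.append(rule["name"])
        # A rule limited by capability, arch, kernel or argument filters
        # does not allow the syscall for every container.
        gated = any(rule.get(k) for k in ("includes", "excludes", "args"))
        for name in names:
            if name not in status:
                continue
            if not gated:
                status[name] = "allowed"
            elif status[name] == "missing":
                status[name] = "conditional"
    return status


def not_allowed(profile):
    """Return (number, name, status) for every time64 syscall not plainly allowed."""
    status = audit_time64(profile)
    return [(nr, name, status[name])
            for nr, name in sorted(TIME64_SYSCALLS.items())
            if status[name] != "allowed"]


if __name__ == "__main__":
    for nr, name, state in not_allowed(SAMPLE_PROFILE):
        print(f"{nr}: {name:<24} {state}")
```

A profile that names these syscalls is only part of the picture: the bug reported here is that libseccomp older than 2.4.2 does not have them in its syscall tables, so the libseccomp version on the host has to be checked as well.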
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
of course, you do:

  cd /tmp && git clone https://github.com/xantares/test-seccomp-time64.git && docker build test-seccomp-time64
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
I believe the patch you're mentioning is worth backporting to Bionic and Eoan is this:

$ git log -1 -p be65b26b67099be2b2b4890d736dbd1ad15adf36 | diffstat
 include/seccomp-syscalls.h    | 208 +-
 src/arch-aarch64-syscalls.c   |  35 ++-
 src/arch-arm-syscalls.c       |  35 ++-
 src/arch-mips-syscalls.c      |  51 --
 src/arch-mips64-syscalls.c    |  31 ++
 src/arch-mips64n32-syscalls.c |  31 ++
 src/arch-parisc-syscalls.c    |  33 ++
 src/arch-ppc-syscalls.c       |  51 --
 src/arch-ppc64-syscalls.c     |  53 --
 src/arch-s390-syscalls.c      |  57 ---
 src/arch-s390.c               | 160
 src/arch-s390x-syscalls.c     |  59 ---
 src/arch-s390x.c              | 160
 src/arch-x32-syscalls.c       |  31 ++
 src/arch-x86-syscalls.c       | 105 ++---
 src/arch-x86.c                | 161
 src/arch-x86_64-syscalls.c    |  31 ++
 17 files changed, 1150 insertions(+), 142 deletions(-)

and to be honest that seems appropriate as it only updates the tables and allows supporting newer system calls for all arches.

** Changed in: libseccomp (Ubuntu)
       Status: New => Triaged

** Also affects: libseccomp (Ubuntu Focal)
   Importance: Undecided
       Status: Triaged

** Also affects: libseccomp (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Also affects: libseccomp (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: libseccomp (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Changed in: libseccomp (Ubuntu Focal)
       Status: Triaged => Fix Released

** Changed in: libseccomp (Ubuntu Eoan)
       Status: New => Confirmed

** Changed in: libseccomp (Ubuntu Disco)
       Status: New => Won't Fix

** Changed in: libseccomp (Ubuntu Bionic)
       Status: New => Confirmed

** Tags added: server-next

** Changed in: libseccomp (Ubuntu Bionic)
       Status: Confirmed => Triaged

** Changed in: libseccomp (Ubuntu Eoan)
       Status: Confirmed => Triaged
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
Could you provide a failing test case so we can base the SRU (stable release update) on that and use it as a non-regression test?
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
The attachment "backport time64 syscalls from 2.4.2 into 2.4.1" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch

Status in libseccomp package in Ubuntu:
  New
[Touch-packages] [Bug 1868720] Re: backport time64 syscalls whitelist
** Patch added: "backport time64 syscalls from 2.4.2 into 2.4.1"
   https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1868720/+attachment/5340882/+files/libseccomp241-time64.patch