All pre-checks and tests complete, and uploaded to the SRU review queue
** Changed in: libseccomp (Ubuntu Bionic)
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1755250
Title:
backport statx syscall whitelist fix
Status in docker.io package in Ubuntu:
Invalid
Status in libseccomp package in Ubuntu:
Fix Released
Status in docker.io source package in Bionic:
Invalid
Status in libseccomp source package in Bionic:
In Progress
Status in docker.io source package in Cosmic:
Invalid
Status in libseccomp source package in Cosmic:
Fix Released
Bug description:
[Impact]
* Some newer workloads fail due to libseccomp as in Bionic lacking
statx support
* This backports the syscall definitions for statx to Bionic to allow
to manage those
[Test Case]
# Note: I took a KVM image of Bionic to not spoil my system with Docker
config for this test too much
$ sudo apt install docker.io
$ sudo usermod -a -G docker ubuntu
$ cat > test-statx/Dockerfile << EOF
FROM ubuntu:18.04
RUN apt-get update && apt-get install -y wget gcc
WORKDIR /tmp
RUN wget -q
https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c
RUN gcc test-statx.c -o test-statx
RUN touch test-file
RUN chmod +x ./test-statx
RUN ./test-statx test-file
EOF
$ docker build test-statx
With the bug and current docker 18.06.1-0ubuntu1~18.04.1 in Bionic
that yields
[...]
Step 8/8 : RUN ./test-statx test-file
---> Running in 6e60a82409e6
test-file: Operation not permitted
statx(test-file) = -1
The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1
With the fix applied it would work and look like:
Step 8/8 : RUN ./test-statx test-file
---> Running in a83bc043e7bd
statx(test-file) = 0
results=fff
Size: 0 Blocks: 0 IO Block: 4096 regular file
Device: 00:32 Inode: 261994 Links: 1
Access: (0644/-rw-r--r--) Uid: 0 Gid: 0
Access: 2019-02-08 07:57:42.000000000+0000
Modify: 2019-02-08 07:57:42.000000000+0000
Change: 2019-02-08 07:57:43.076507007+0000
Birth: 2019-02-08 07:57:43.076507007+0000
Attributes: 0000000000000000 (........ ........ ........ ........ ........
........ ....-... .---.-..)
Removing intermediate container a83bc043e7bd
---> d428d14cbc57
Successfully built d428d14cbc57
[Regression Potential]
* This "only" defines a new syscall number for all the architectures.
It does not make any other changes, thereby it should be rather safe.
If anything software could now manage statx through libseccomp and
behavior that was formerly failing (like the reported docker case)
would not succeed and due to that be a change in behavior - but I
think it is a wanted change.
[Other Info]
* n/a
---
Hello maintainer,
The docker version 17.03 (bionic) in ubuntu doesn't allow the statx syscall
which is needed to build qt >=5.10 applications:
https://github.com/docker/for-linux/issues/208#issuecomment-372400859
Could this fix be backported in the ubuntu package ?
https://github.com/moby/moby/pull/36417
regards,
xan.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
