Hello anyone affected,

I have written a patch for jammy for libseccomp to fix the bug. Thank you @mark-elvers for confirming that ppc64le is also affected.
** Description changed:

- When running Ubuntu Noble in an arm32 Docker container, on certain hosts
- (Azure VM CI agents), tar fails to extract certain archives that include
- folders with specific permissions set.
+ Thank you @loganbussell-msft for the bug report!
+
+ [Impact]
+
+ Currently, running containers using modern versions of glibc, such as the
+ one available in noble, on older hosts causes permission issues inside
+ the container. This is due to newer versions of glibc expecting the
+ fchmodat2 syscall to be available and to return ENOSYS in case it is
+ not. However, the docker seccomp profile defaults to returning EPERM for all
+ undefined syscalls, and writing an entry for fchmodat2 in the docker
+ seccomp profile to return ENOSYS does not work on systems where
+ libseccomp does not have support for fchmodat2.
+
+ Running armhf noble docker containers on arm64 jammy hosts has been seen
+ to exhibit this behavior, and a patch to libseccomp for jammy is required
+ to fix the issue.
+
+ Other architectures may also be affected by this issue, such as
+ ppc64le as reported by @mark-elvers.
+
+ I have backported a fix from upstream that adds the missing syscalls to
+ libseccomp and verified it on an Ampere ARM machine as well as on a
+ Raspberry Pi 4.
+
+ [Test Plan]
+
+ 1- On an ARM64 machine, install the latest version of docker on a jammy
+ host by following the official docker documentation:
+ [https://docs.docker.com/engine/install/ubuntu/]
+
+ 2- Create an armhf noble docker container:
+ $ docker run --rm -it --platform linux/arm/v7 --entrypoint bash ubuntu.azurecr.io/ubuntu:noble
+
+ 3- Inside the docker container, execute the following commands to create
+ a new tar file and then extract it:
+
+ mkdir /test \
+ && chmod 775 /test \
+ && cd /test \
+ && mkdir 775 \
+ && chmod 775 775 \
+ && touch 775/test.txt \
+ && chmod 644 775/test.txt \
+ && tar -czvf /test.tar.gz .
+
+ mkdir -p /test2 \
+ && tar -tzvf /test.tar.gz \
+ && tar -oxzf /test.tar.gz -C /test2
+
+ 4- You will see the following errors:
+
+ tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted
+ tar: Exiting with failure status due to previous errors
+
+ 5- When libseccomp is patched, the command will run with no permission
+ issues.
+
+ [Where problems could occur]
+
+ * the issue might still occur on other platforms
+ * if using an older version of docker the issue will still occur
+
+
+ [Original Description]
+ When running Ubuntu Noble in an arm32 Docker container, on certain hosts (Azure VM CI agents), tar fails to extract certain archives that include folders with specific permissions set.

Here's a concise repro. The error occurs when building the Dockerfile. I can only get this to work on Azure VMs, but can't find out why.

```Dockerfile
FROM ubuntu.azurecr.io/ubuntu:noble

# Create the problematic archive
RUN mkdir /test \
 && chmod 775 /test \
 && cd /test \
 && mkdir 775 \
 && chmod 775 775 \
 && touch 775/test.txt \
 && chmod 644 775/test.txt \
 && tar -czvf /test.tar.gz .

# Extracting it gives an error
RUN mkdir -p /test2 \
 && tar -tzvf /test.tar.gz \
 && tar -oxzf /test.tar.gz -C /test2
```

What I expected to happen:
The test.tar.gz archive should be successfully extracted to the /test2 directory.

What happened instead:
Tar throws the following error:

```
tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted
tar: Exiting with failure status due to previous errors
```

The Ubuntu container is running as root, so there shouldn't be any permission errors.
Since this is running in a container, I observed this happening on the following kernel:
`Linux version 5.15.148.2-2.cm2 (root@CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) #1 SMP Fri Feb 23 23:38:33 UTC 2024`
- As well as
+ As well as `Linux <hostname> 6.5.0-1017-azure #17~22.04.1-Ubuntu SMP Sat Mar 9 10:04:07 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux`

I was not able to reproduce it using Ubuntu 22.04 Jammy (ubuntu.azurecr.io/ubuntu:jammy), using the same kernel as above.

Additionally, I was not able to reproduce this on the kernel `Linux cb0507859b24 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux`, which is running on my work machine, using Docker qemu emulation for the arm32 image.

Ubuntu version: Ubuntu Noble Numbat (development branch) 24.04 (from ubuntu.azurecr.io/ubuntu:noble)
tar version: `1.35+dfsg-3`

** Also affects: libseccomp (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: libseccomp (Ubuntu)
     Assignee: (unassigned) => Ghadi Rahme (ghadi-rahme)

** Changed in: libseccomp (Ubuntu Jammy)
     Assignee: (unassigned) => Ghadi Rahme (ghadi-rahme)

** Changed in: tar (Ubuntu Jammy)
       Status: New => Invalid

** No longer affects: tar (Ubuntu Jammy)

** Changed in: libseccomp (Ubuntu)
       Status: New => Confirmed

** Changed in: libseccomp (Ubuntu Jammy)
       Status: New => Confirmed

** Patch added: "jammy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/2059734/+attachment/5787198/+files/jammy.debdiff

** Changed in: libseccomp (Ubuntu)
   Importance: Undecided => High

** Changed in: libseccomp (Ubuntu Jammy)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059734

Title:
  Tar fails to extract archives that include folders with certain
  permissions on armhf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/2059734/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
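The impact section above rests on one distinction: a fallback path may only be taken when the kernel answers fchmodat2 with ENOSYS, while EPERM from a seccomp profile has to be reported as a real failure (the "Operation not permitted" tar prints). The following C program is an added example, not code from the bug report, libseccomp, glibc or tar. It probes how the environment it runs in answers fchmodat2 and then performs a chmod through a simplified mirror of that fallback rule, so the same binary can be run on a fixed and an unfixed host and the difference observed. Assumptions that are not on the page: the fallback definition of `__NR_fchmodat2` as 452 (for headers that predate the syscall), the `/tmp` scratch paths, and the fallback helper itself, which is a simplified stand-in for what glibc/gnulib do, not their implementation.

```c
/* Added example (not from the bug report, libseccomp, glibc or tar): probe how the
 * running environment answers the fchmodat2 syscall and mirror the fallback rule
 * the report relies on: only ENOSYS may trigger the older code path; EPERM must
 * be reported as a failure, which is exactly what tar prints in the report. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_fchmodat2
/* Assumption: fchmodat2 carries number 452 on every architecture; older
 * kernel headers (such as jammy's) do not define it. */
#define __NR_fchmodat2 452
#endif

enum probe_result {
    PROBE_NATIVE,  /* kernel implements fchmodat2 and the filter lets it through */
    PROBE_ENOSYS,  /* kernel (or a correct seccomp profile) reports "not implemented" */
    PROBE_EPERM,   /* a seccomp filter refused it: the failure mode in this bug */
    PROBE_OTHER    /* anything else, e.g. the probe directory could not be created */
};

/* Map the errno of a failed fchmodat2 call to one of the classes above. */
enum probe_result classify_errno(int err)
{
    switch (err) {
    case ENOSYS: return PROBE_ENOSYS;
    case EPERM:  return PROBE_EPERM;
    default:     return PROBE_OTHER;
    }
}

/* Raw syscall wrapper, independent of whether the libc in use has fchmodat2(). */
static int raw_fchmodat2(int dirfd, const char *path, mode_t mode, int flags)
{
    return (int)syscall(__NR_fchmodat2, dirfd, path, mode, flags);
}

/* Ask the kernel/seccomp layer how fchmodat2 is answered here. */
enum probe_result probe_fchmodat2(void)
{
    char dir[] = "/tmp/fchmodat2-probe-XXXXXX";  /* constructed scratch path */
    if (mkdtemp(dir) == NULL)
        return PROBE_OTHER;
    int rc = raw_fchmodat2(AT_FDCWD, dir, 0700, 0);
    int err = errno;            /* save before rmdir() can clobber it */
    rmdir(dir);
    return rc == 0 ? PROBE_NATIVE : classify_errno(err);
}

/* Simplified mirror (hypothetical, not glibc's code) of the behaviour the report
 * describes: try fchmodat2 with AT_SYMLINK_NOFOLLOW and fall back to plain
 * fchmodat only on ENOSYS. Any other errno, EPERM included, reaches the caller. */
int chmod_nofollow(const char *path, mode_t mode)
{
    if (raw_fchmodat2(AT_FDCWD, path, mode, AT_SYMLINK_NOFOLLOW) == 0)
        return 0;
    if (errno != ENOSYS)
        return -1;             /* EPERM from a seccomp filter ends up here */
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISLNK(st.st_mode)) { /* the older syscall cannot chmod a symlink itself */
        errno = EOPNOTSUPP;
        return -1;
    }
    return fchmodat(AT_FDCWD, path, mode, 0);
}

/* Create a scratch directory, apply `mode` through chmod_nofollow() and verify
 * it stuck. Returns 0 on success or the errno of the failing step. */
int chmod_roundtrip(mode_t mode)
{
    char dir[] = "/tmp/fchmodat2-demo-XXXXXX";   /* constructed scratch path */
    if (mkdtemp(dir) == NULL)
        return errno;
    int rc = 0;
    struct stat st;
    if (chmod_nofollow(dir, mode) != 0)
        rc = errno;
    else if (stat(dir, &st) != 0)
        rc = errno;
    else if ((st.st_mode & 07777) != mode)
        rc = EIO;              /* the call "succeeded" but the mode did not change */
    rmdir(dir);
    return rc;
}

int main(void)
{
    static const char *names[] = { "native", "ENOSYS (fallback works)",
                                   "EPERM (seccomp profile bug)", "other" };
    enum probe_result p = probe_fchmodat2();
    int rc = chmod_roundtrip(0775);
    printf("fchmodat2 answer: %s\n", names[p]);
    printf("chmod 0775 via fallback path: %s\n", rc == 0 ? "ok" : strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Built with `cc -o fchmodat2-probe fchmodat2-probe.c` and run inside the armhf noble container from the test plan, an unfixed host prints the EPERM class and a failing chmod with "Operation not permitted", the same symptom tar reports; on a host whose libseccomp knows fchmodat2, or on a kernel that implements it, the probe reports ENOSYS or native and the chmod succeeds. Keeping the probe separate from the chmod makes it easy to tell a profile that refuses the syscall apart from a kernel that simply lacks it, which is the diagnosis the impact section asks for.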
