control: tag -1 + patch

Hi,

On 2026-02-24 16:03, Emanuele Rocca wrote:
> Source: rumur
> Version: 2025.08.31-1
> Severity: important
> Tags: ftbfs upstream
> Justification: fails to build from source
> User: [email protected]
> Usertags: glibc-2.43
>
> Hi,
>
> rumur fails to build from source on arm64 when using glibc 2.43,
> currently in experimental.
>
> The issue is triggered by glibc 2.43 on arm64 enabling 2MB THP by
> default:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=321e1fc73f53081d92ba357cdd48c56b79292020
>
> Successful build with glibc 2.42, currently in sid:
> https://people.debian.org/~ema/glibc-2.43-rebuilds/output-2/rumur_arm64.build
>
> Logs of a failed build with glibc 2.43 are here:
> https://people.debian.org/~ema/glibc-2.43-rebuilds/output-1/rumur_arm64.build
>
> The following tests are failing:
>
> test_rumur[False-False-basic-sandbox.m-non-debug]
> test_rumur[False-False-basic-sandbox.m-debug]
> test_rumur[False-False-basic-sandbox.m-XML]
> test_rumur[False-True-basic-sandbox.m-non-debug]
> test_rumur[False-True-basic-sandbox.m-debug]
> test_rumur[False-True-basic-sandbox.m-XML]
> test_rumur[True-False-basic-sandbox.m-non-debug]
> test_rumur[True-False-basic-sandbox.m-debug]
> test_rumur[True-False-basic-sandbox.m-XML]
> test_rumur[True-True-basic-sandbox.m-non-debug]
> test_rumur[True-True-basic-sandbox.m-debug]
> test_rumur[True-True-basic-sandbox.m-XML]
> test_strace_sandbox
>
> The cause for the above failures is that the seccomp sandbox stops the
> attempted open of /sys/kernel/mm/transparent_hugepage/enabled:
>
> E AssertionError: model failed:
> execve("/tmp/pytest-of-ema/pytest-15/test_strace_sandbox0/model.exe",
> ["/tmp/pytest-of-ema/pytest-15/tes"...], 0xffffe78abf90 /* 96 vars */) = 0
>
> [...]
> > E openat(AT_FDCWD, "/sys/kernel/mm/transparent_hugepage/enabled", > O_RDONLY) = -1 ENETDOWN (Network is down) > E --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, > si_call_addr=0xe3ac16e98c60, si_syscall=__NR_openat, > si_arch=AUDIT_ARCH_AARCH64} --- > E +++ killed by SIGSYS (core dumped) +++ > > One possible solution would be updating the seccomp filter to allow the > action above, but perhaps more discussion with glibc upstream is needed > to see if there are alternatives to opening a file under /sys, which can > cause problems in other scenarios too. Please find below a patch implementing that. I tested it fixes the issue. --- rumur-2025.08.31.orig/rumur/resources/header.c +++ rumur-2025.08.31/rumur/resources/header.c @@ -266,6 +266,11 @@ static void sandbox(void) { BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_munmap, 0, 1), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), #endif +#ifdef __NR_openat + /* malloc might use openat to check files in /sys/kernel/mm. */ + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1), + BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), +#endif /* If we're running multithreaded, enable syscalls used by pthreads. */ #ifdef __NR_clone Regards Aurelien -- Aurelien Jarno GPG: 4096R/1DDD8C9B [email protected] http://aurel32.net
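Review bot: the new `__NR_openat` rule in sandbox() returns SECCOMP_RET_ALLOW on the syscall number alone, so it permits openat for every path and every flag combination, not only the O_RDONLY open of /sys/kernel/mm/transparent_hugepage/enabled shown in the strace output. A seccomp BPF filter cannot inspect the path string, but it can test the flags argument, so consider allowing the call only when the access mode is read-only, which keeps the sandbox from gaining the ability to create or write files. The comment "malloc might use openat to check files in /sys/kernel/mm" would also be more useful to a later reader if it named the exact file and the glibc 2.43 THP change on arm64 that triggers the open, since that is the only justification for the exception.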

