Control: reassign -1 flatpak
Control: retitle -1 flatpak: Wrong argument order for clone syscall seccomp filter on s390x

Hello flatpak maintainer!

On Wed, Aug 05, 2020 at 03:19:39PM +0200, Christian Borntraeger wrote:
>
> On 21.07.20 13:24, Julian Andres Klode wrote:
> > On Tue, Jul 21, 2020 at 12:49:59PM +0200, Christian Borntraeger wrote:
> >> On 21.07.20 10:18, Adrian Bunk wrote:
> >>> [ adding debian-s390 to Cc ]
> >>>
> >>> On Wed, Jul 08, 2020 at 01:42:33PM +0200, Julian Andres Klode wrote:
> >>>> Package: make-dfsg
> >>>> Version: 4.3-4
> >>>> Severity: serious
> >>>> Tags: patch
> >>>> User: ubuntu-de...@lists.ubuntu.com
> >>>> Usertags: origin-ubuntu groovy ubuntu-patch
> >>>>
> >>>> In Ubuntu, the attached patch was applied to achieve the following:
> >>>>
> >>>> The autopkgtests for flatpak-builder/s390x were failing with
> >>>>
> >>>> echo Building
> >>>> make: echo: Operation not permitted
> >>>> make: *** [Makefile:2: all] Error 127
> >>
> >> Julian,
> >>
> >> is there a launchpad entry for the Ubuntu bug that was fixed by this
> >> change?
> >
> > Yes, https://bugs.launchpad.net/ubuntu/+source/make-dfsg/+bug/1886814, it's also
> > in the IBM bugzilla thingy - you can see Andreas Krebbel is replying to
> > that.
>
> FWIW, Stefan Liebler looked into this and this needs to be fixed in
> flatpak-build.
> See the bug for details.

flatpak has the wrong argument order in the seccomp filter for s390x, the
attached patch should fix it.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

Description: Fix argument order of clone() for s390x in seccomp filter clone() is a mad syscall with about 4 different argument orders. While most of them agree that argument 0 is flags, s390 and s390x have the flags argument second - A0 is the child stack pointer there. Author: Julian Andres Klode <julian.kl...@canonical.com> Bug-Debian: https://bugs.debian.org/964541 Bug-Ubuntu: https://launchpad.net/bugs/1886814 Forwarded: no Last-Update: 2020-08-05 --- flatpak-1.8.1.orig/common/flatpak-run.c +++ flatpak-1.8.1/common/flatpak-run.c @@ -2667,7 +2667,11 @@ setup_seccomp (FlatpakBwrap *bwrap, {SCMP_SYS (unshare)}, {SCMP_SYS (mount)}, {SCMP_SYS (pivot_root)}, +#if defined(__s390__) || defined(__s390x__) + {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, +#else {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, +#endif /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
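
Review bot: the #if defined(__s390__) || defined(__s390x__) branch in setup_seccomp() switches the clone rule from SCMP_A0 to SCMP_A1 with no comment in the code. The reason (on s390 and s390x A0 is the child stack pointer and flags is the second argument) appears only in the patch description, which does not travel with the source file. Add a short comment above the #if, in the same way the neighbouring ioctl rule carries its "Don't allow faking input to the controlling tty" comment, so the two near-identical lines are not merged back into one later. The header also says "Forwarded: no"; since the unpatched rule compares CLONE_NEWUSER against the wrong argument on these architectures, the change should be sent upstream rather than kept as a distribution patch.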
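
What the wrong argument index means in practice, as an added example that is not part of the original mail and is not flatpak or libseccomp code: a small model of the SCMP_CMP_MASKED_EQ comparison applied to clone() arguments laid out in s390x order. The enum names, helper functions and stack addresses are constructed for illustration, and returning EPERM is an assumption based on the "Operation not permitted" error quoted in the thread.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Value of CLONE_NEWUSER in <linux/sched.h>, redefined so the model builds anywhere. */
#define MODEL_CLONE_NEWUSER 0x10000000ULL

enum clone_abi { ABI_FLAGS_FIRST, ABI_S390 };   /* hypothetical names */

/* The six raw argument slots a seccomp filter can inspect. */
struct sys_args { uint64_t a[6]; };

/* Place clone()'s first two raw arguments the way each ABI orders them. */
static struct sys_args make_clone(enum clone_abi abi, uint64_t flags, uint64_t stack)
{
    struct sys_args s = { {0} };
    s.a[abi == ABI_S390 ? 1 : 0] = flags;
    s.a[abi == ABI_S390 ? 0 : 1] = stack;
    return s;
}

/* Same comparison as SCMP_CMP_MASKED_EQ: (arg & mask) == datum.
   Returns EPERM when the rule matches (call denied), 0 when it does not. */
static int clone_rule(const struct sys_args *s, unsigned arg_index)
{
    return (s->a[arg_index] & MODEL_CLONE_NEWUSER) == MODEL_CLONE_NEWUSER ? EPERM : 0;
}

/* Verdict for a clone() made on `abi` when the rule inspects `arg_index`. */
static int verdict(enum clone_abi abi, unsigned arg_index, uint64_t flags, uint64_t stack)
{
    struct sys_args s = make_clone(abi, flags, stack);
    return clone_rule(&s, arg_index);
}

int main(void)
{
    /* Constructed sample values: two stack addresses differing only in bit 28. */
    const uint64_t stack_clear = 0x3ff00000000ULL, stack_set = 0x3ff10000000ULL;
    const uint64_t plain = 17; /* SIGCHLD only, no namespace flags */

    printf("s390x, A0 rule, CLONE_NEWUSER: %d\n", verdict(ABI_S390, 0, MODEL_CLONE_NEWUSER, stack_clear));
    printf("s390x, A0 rule, plain clone:   %d\n", verdict(ABI_S390, 0, plain, stack_set));
    printf("s390x, A1 rule, CLONE_NEWUSER: %d\n", verdict(ABI_S390, 1, MODEL_CLONE_NEWUSER, stack_clear));
    printf("s390x, A1 rule, plain clone:   %d\n", verdict(ABI_S390, 1, plain, stack_set));
    return 0;
}
```

With the A0 rule on the s390x layout, the verdict depends on a bit of the stack address instead of the flags, so an ordinary clone() can be denied while a CLONE_NEWUSER request is let through; the A1 rule restores the intended behaviour.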