Re: [oe] [meta-qt5][PATCH] qfilesystemengine_unix.cpp: optionally disable use of statx(2)

2018-07-18 Thread Rasmus Villemoes
On 2018-07-17 09:20, Martin Jansa wrote:
> On Mon, Jul 16, 2018 at 11:22:21AM +0200, Rasmus Villemoes wrote:
>> When used inside an unprivileged docker container, statx(2) gets
>> rejected with -EPERM by the default seccomp profile, unless the host
>> runs an almost-bleeding edge version of docker (at least 18.04). That
>> causes most qt apps, qmake in particular, to fail.
>> +
>> diff --git a/recipes-qt/qt5/qt5-git.inc b/recipes-qt/qt5/qt5-git.inc
>> index 09b6cc5..41f9b7a 100644
>> --- a/recipes-qt/qt5/qt5-git.inc
>> +++ b/recipes-qt/qt5/qt5-git.inc
>> @@ -15,3 +15,5 @@ CVE_PRODUCT = "qt"
>>  S = "${WORKDIR}/git"
>>  
>>  PV = "5.11.1+git${SRCPV}"
>> +
>> +SRC_URI_append_no-xstat = " 
>> file://0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch"
> 
> Isn't this applicable only to *qtbase* ?

That is entirely likely. I have no idea which source files go into
building which qt modules, or if any source files are shared between
modules.

Rasmus

-- 
___
Openembedded-devel mailing list
Openembedded-devel@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-devel


Re: [oe] [meta-qt5][PATCH] qfilesystemengine_unix.cpp: optionally disable use of statx(2)

2018-07-17 Thread Martin Jansa
On Mon, Jul 16, 2018 at 11:22:21AM +0200, Rasmus Villemoes wrote:
> When used inside an unprivileged docker container, statx(2) gets
> rejected with -EPERM by the default seccomp profile, unless the host
> runs an almost-bleeding edge version of docker (at least 18.04). That
> causes most qt apps, qmake in particular, to fail.
> 
> While the qt release notes do mention this
> 
>    - Qt uses the statx(2) system call for obtaining file information on
>    kernels 4.12 and later. Some older container systems install system call
>    protection rules that do not include this system call. If you experience
>    problems running Qt applications inside containers (such as the report of
>    a file not existing when it does), ensure the statx(2) is allowed in the
>    container configuration.
> 
> it's not always feasible nor reasonable to upgrade (or tell one's
> customers to upgrade) the build infrastructure, especially since several
> distros as of this writing don't even seem to ship such a recent version
> in their official repositories.
> 
> This opt-in patch simply monkey-patches out any (the only) use of statx
> and ensures that the -ENOSYS fallbacks are used. While I agree that this
> is really a bug in the container system, this takes the short and
> pragmatic approach to getting things to work.
> 
> To opt-in, just prepend no-xstat: to OVERRIDES in some global
> configuration file, possibly restricting that to e.g. native and
> nativesdk.
> 
> Signed-off-by: Rasmus Villemoes 
> ---
>  ...temengine_unix.cpp-disable-use-of-statx-2.patch | 58 
> ++
>  recipes-qt/qt5/qt5-git.inc |  2 +
>  2 files changed, 60 insertions(+)
>  create mode 100644 
> recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
> 
> diff --git 
> a/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
>  
> b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
> new file mode 100644
> index 000..6efbfe4
> --- /dev/null
> +++ 
> b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
> @@ -0,0 +1,58 @@
> +From dc5218c70d445a4692271add1a17091afb230095 Mon Sep 17 00:00:00 2001
> +From: Rasmus Villemoes 
> +Date: Mon, 16 Jul 2018 09:50:06 +0200
> +Subject: [PATCH] qfilesystemengine_unix.cpp: disable use of statx(2)
> +
> +When used inside an unprivileged docker container, statx(2) gets
> +rejected with -EPERM by the default seccomp profile, unless the host
> +runs an almost-bleeding edge version of docker (at least 18.04). That
> +causes most qt apps, qmake in particular, to fail.
> +
> +While the qt release notes do mention this
> +
> +   - Qt uses the statx(2) system call for obtaining file information on
> +   kernels 4.12 and later. Some older container systems install system call
> +   protection rules that do not include this system call. If you experience
> +   problems running Qt applications inside containers (such as the report of
> +   a file not existing when it does), ensure the statx(2) is allowed in the
> +   container configuration.
> +
> +it's not always feasible nor reasonable to upgrade (or tell one's
> +customers to upgrade) the build infrastructure.
> +
> +This opt-in patch simply monkey-patches out any (the only) use of statx
> +and ensures that the -ENOSYS fallbacks are used.
> +
> +https://github.com/docker/for-linux/issues/208
> +https://github.com/moby/moby/pull/36417
> +
> +Upstream-Status: Inappropriate [workaround]
> +---
> + src/corelib/io/qfilesystemengine_unix.cpp | 4 
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/src/corelib/io/qfilesystemengine_unix.cpp 
> b/src/corelib/io/qfilesystemengine_unix.cpp
> +index b974af80dc..5f574901e3 100644
> +--- a/src/corelib/io/qfilesystemengine_unix.cpp
>  b/src/corelib/io/qfilesystemengine_unix.cpp
> +@@ -320,6 +320,9 @@ mtime(const T , int)
> + #ifdef STATX_BASIC_STATS
> + static int qt_real_statx(int fd, const char *pathname, int flags, struct 
> statx *statxBuffer)
> + {
> ++#if 1
> ++return -ENOSYS;
> ++#else
> + #ifdef Q_ATOMIC_INT8_IS_SUPPORTED
> + static QBasicAtomicInteger statxTested  = 
> Q_BASIC_ATOMIC_INITIALIZER(0);
> + #else
> +@@ -337,6 +340,7 @@ static int qt_real_statx(int fd, const char *pathname, 
> int flags, struct statx *
> + }
> + statxTested.store(1);
> + return ret == -1 ? -errno : 0;
> ++#endif
> + }
> + 
> + static int qt_statx(const char *pathname, struct statx *statxBuffer)
> +-- 
> +2.16.4
> +
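
Review bot: The embedded patch header (From, Date, Subject, down to Upstream-Status) has no Signed-off-by line of its own; the only sign-off is on the outer commit message. Add a Signed-off-by above the Upstream-Status line so the file under recipes-qt/qt5/files/ keeps its authorship trail when it is copied or rebased on its own.
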
> diff --git a/recipes-qt/qt5/qt5-git.inc b/recipes-qt/qt5/qt5-git.inc
> index 09b6cc5..41f9b7a 100644
> --- a/recipes-qt/qt5/qt5-git.inc
> +++ b/recipes-qt/qt5/qt5-git.inc
> @@ -15,3 +15,5 @@ CVE_PRODUCT = "qt"
>  S = "${WORKDIR}/git"
>  
>  PV = "5.11.1+git${SRCPV}"
> +
> +SRC_URI_append_no-xstat = " 
> file://0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch"

Isn't this applicable only to *qtbase* ?

> -- 
> 2.16.4
> 

[oe] [meta-qt5][PATCH] qfilesystemengine_unix.cpp: optionally disable use of statx(2)

2018-07-17 Thread Rasmus Villemoes
When used inside an unprivileged docker container, statx(2) gets
rejected with -EPERM by the default seccomp profile, unless the host
runs an almost-bleeding edge version of docker (at least 18.04). That
causes most qt apps, qmake in particular, to fail.

While the qt release notes do mention this

   - Qt uses the statx(2) system call for obtaining file information on
   kernels 4.12 and later. Some older container systems install system call
   protection rules that do not include this system call. If you experience
   problems running Qt applications inside containers (such as the report of
   a file not existing when it does), ensure the statx(2) is allowed in the
   container configuration.

it's not always feasible nor reasonable to upgrade (or tell one's
customers to upgrade) the build infrastructure, especially since several
distros as of this writing don't even seem to ship such a recent version
in their official repositories.

This opt-in patch simply monkey-patches out any (the only) use of statx
and ensures that the -ENOSYS fallbacks are used. While I agree that this
is really a bug in the container system, this takes the short and
pragmatic approach to getting things to work.

To opt-in, just prepend no-xstat: to OVERRIDES in some global
configuration file, possibly restricting that to e.g. native and
nativesdk.

Signed-off-by: Rasmus Villemoes 
---
 ...temengine_unix.cpp-disable-use-of-statx-2.patch | 58 ++
 recipes-qt/qt5/qt5-git.inc |  2 +
 2 files changed, 60 insertions(+)
 create mode 100644 
recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch

diff --git 
a/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
 
b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
new file mode 100644
index 000..6efbfe4
--- /dev/null
+++ 
b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
@@ -0,0 +1,58 @@
+From dc5218c70d445a4692271add1a17091afb230095 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes 
+Date: Mon, 16 Jul 2018 09:50:06 +0200
+Subject: [PATCH] qfilesystemengine_unix.cpp: disable use of statx(2)
+
+When used inside an unprivileged docker container, statx(2) gets
+rejected with -EPERM by the default seccomp profile, unless the host
+runs an almost-bleeding edge version of docker (at least 18.04). That
+causes most qt apps, qmake in particular, to fail.
+
+While the qt release notes do mention this
+
+   - Qt uses the statx(2) system call for obtaining file information on
+   kernels 4.12 and later. Some older container systems install system call
+   protection rules that do not include this system call. If you experience
+   problems running Qt applications inside containers (such as the report of
+   a file not existing when it does), ensure the statx(2) is allowed in the
+   container configuration.
+
+it's not always feasible nor reasonable to upgrade (or tell one's
+customers to upgrade) the build infrastructure.
+
+This opt-in patch simply monkey-patches out any (the only) use of statx
+and ensures that the -ENOSYS fallbacks are used.
+
+https://github.com/docker/for-linux/issues/208
+https://github.com/moby/moby/pull/36417
+
+Upstream-Status: Inappropriate [workaround]
+---
+ src/corelib/io/qfilesystemengine_unix.cpp | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/corelib/io/qfilesystemengine_unix.cpp 
b/src/corelib/io/qfilesystemengine_unix.cpp
+index b974af80dc..5f574901e3 100644
+--- a/src/corelib/io/qfilesystemengine_unix.cpp
 b/src/corelib/io/qfilesystemengine_unix.cpp
+@@ -320,6 +320,9 @@ mtime(const T , int)
+ #ifdef STATX_BASIC_STATS
+ static int qt_real_statx(int fd, const char *pathname, int flags, struct 
statx *statxBuffer)
+ {
++#if 1
++return -ENOSYS;
++#else
+ #ifdef Q_ATOMIC_INT8_IS_SUPPORTED
+ static QBasicAtomicInteger statxTested  = 
Q_BASIC_ATOMIC_INITIALIZER(0);
+ #else
+@@ -337,6 +340,7 @@ static int qt_real_statx(int fd, const char *pathname, int 
flags, struct statx *
+ }
+ statxTested.store(1);
+ return ret == -1 ? -errno : 0;
++#endif
+ }
+ 
+ static int qt_statx(const char *pathname, struct statx *statxBuffer)
+-- 
+2.16.4
+
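
Review bot: The unconditional `#if 1` / `return -ENOSYS;` at the top of qt_real_statx() leaves fd, pathname, flags and statxBuffer unused and gives no hint in the source as to why the rest of the body is dead. Guard the stub with a named macro instead of `#if 1`, add a one-line comment pointing at the seccomp -EPERM problem from the commit message, and mark the parameters with Q_UNUSED so builds with -Wunused-parameter stay quiet.
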
diff --git a/recipes-qt/qt5/qt5-git.inc b/recipes-qt/qt5/qt5-git.inc
index 09b6cc5..41f9b7a 100644
--- a/recipes-qt/qt5/qt5-git.inc
+++ b/recipes-qt/qt5/qt5-git.inc
@@ -15,3 +15,5 @@ CVE_PRODUCT = "qt"
 S = "${WORKDIR}/git"
 
 PV = "5.11.1+git${SRCPV}"
+
+SRC_URI_append_no-xstat = " 
file://0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch"
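
Review bot: The SRC_URI append is placed in qt5-git.inc, yet the patch it pulls in only touches src/corelib/io/qfilesystemengine_unix.cpp; any recipe that includes this file with no-xstat in OVERRIDES and whose source tree lacks that path will fail when the patch is applied. Move the append into the recipe that actually builds that file. The override is also spelled no-xstat while the syscall is statx; no-statx would be harder to mistype.
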
-- 
2.16.4
