Re: [oe] [meta-qt5][PATCH] qfilesystemengine_unix.cpp: optionally disable use of statx(2)
On 2018-07-17 09:20, Martin Jansa wrote:
> On Mon, Jul 16, 2018 at 11:22:21AM +0200, Rasmus Villemoes wrote:
>> When used inside an unprivileged docker container, statx(2) gets
>> rejected with -EPERM by the default seccomp profile, unless the host
>> runs an almost-bleeding edge version of docker (at least 18.04). That
>> causes most qt apps, qmake in particular, to fail.
>> + >> diff --git a/recipes-qt/qt5/qt5-git.inc b/recipes-qt/qt5/qt5-git.inc >> index 09b6cc5..41f9b7a 100644 >> --- a/recipes-qt/qt5/qt5-git.inc >> +++ b/recipes-qt/qt5/qt5-git.inc >> @@ -15,3 +15,5 @@ CVE_PRODUCT = "qt" >> S = "${WORKDIR}/git" >> >> PV = "5.11.1+git${SRCPV}" >> + >> +SRC_URI_append_no-xstat = " >> file://0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch"
>
> Isn't this applicable only to *qtbase* ?

That is entirely likely. I have no idea which source files go into building which qt modules, or if any source files are shared between modules.

Rasmus
--
___
Openembedded-devel mailing list
Openembedded-devel@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-devel
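The failure quoted above, statx(2) answered with EPERM by a seccomp profile rather than ENOSYS, can be checked from inside a container with a small probe. This is an added example, not code from the patch or from Qt; `sx_state`, `classify_statx_errno`, `raw_statx` and `path_exists` are names made up for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* What the errno of a statx(2) call implies for the caller. */
enum sx_state { SX_USABLE, SX_NO_SYSCALL, SX_FILTERED, SX_OTHER };

enum sx_state classify_statx_errno(int err)
{
    switch (err) {
    case 0:      return SX_USABLE;
    case ENOSYS: return SX_NO_SYSCALL; /* kernel has no statx: fall back */
    case EPERM:  return SX_FILTERED;   /* rejected by a syscall filter, as in this thread */
    default:     return SX_OTHER;      /* a real answer about the path, e.g. ENOENT */
    }
}

/* Raw syscall, independent of the libc wrapper. Returns 0 or an errno value. */
int raw_statx(const char *path)
{
#ifdef SYS_statx
    unsigned long long buf[64]; /* 512 bytes, larger than struct statx */
    long ret = syscall(SYS_statx, AT_FDCWD, path, 0, 0x7ffU /* STATX_BASIC_STATS */, buf);
    return ret == -1 ? errno : 0;
#else
    return ENOSYS; /* build headers predate statx */
#endif
}

/* Existence check that retries with fstatat(2) when statx is missing or filtered. */
int path_exists(const char *path)
{
    struct stat sb;
    enum sx_state st = classify_statx_errno(raw_statx(path));
    if (st == SX_NO_SYSCALL || st == SX_FILTERED)
        return fstatat(AT_FDCWD, path, &sb, 0) == 0;
    return st == SX_USABLE;
}

int main(void)
{
    static const char *names[] = { "usable", "ENOSYS", "EPERM (filtered)", "other error" };
    printf("statx(\"/\"): %s, exists(\"/\") with fallback: %d\n",
           names[classify_statx_errno(raw_statx("/"))], path_exists("/"));
    return 0;
}
```

Run inside the build container, a result of "EPERM (filtered)" for "/" points at the syscall filter rather than at the file system.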
Re: [oe] [meta-qt5][PATCH] qfilesystemengine_unix.cpp: optionally disable use of statx(2)
On Mon, Jul 16, 2018 at 11:22:21AM +0200, Rasmus Villemoes wrote:
> When used inside an unprivileged docker container, statx(2) gets
> rejected with -EPERM by the default seccomp profile, unless the host
> runs an almost-bleeding edge version of docker (at least 18.04). That
> causes most qt apps, qmake in particular, to fail.
>
> While the qt release notes do mention this
>
>   - Qt uses the statx(2) system call for obtaining file information on
>     kernels 4.12 and later. Some older container systems install system call
>     protection rules that do not include this system call. If you experience
>     problems running Qt applications inside containers (such as the report of
>     a file not existing when it does), ensure the statx(2) is allowed in the
>     container configuration.
>
> it's not always feasible nor reasonable to upgrade (or tell one's
> customers to upgrade) the build infrastructure, especially since several
> distros as of this writing don't even seem to ship such a recent version
> in their official repositories.
>
> This opt-in patch simply monkey-patches out any (the only) use of statx
> and ensures that the -ENOSYS fallbacks are used. While I agree that this
> is really a bug in the container system, this takes the short and
> pragmatic approach to getting things to work.
>
> To opt-in, just prepend no-xstat: to OVERRIDES in some global
> configuration file, possibly restricting that to e.g. native and
> nativesdk.
>
> Signed-off-by: Rasmus Villemoes
> --- > ...temengine_unix.cpp-disable-use-of-statx-2.patch | 58 > ++ > recipes-qt/qt5/qt5-git.inc | 2 + > 2 files changed, 60 insertions(+) > create mode 100644 > recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch > > diff --git > a/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch > > b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch > new file mode 100644 > index 000..6efbfe4
> --- /dev/null > +++ > b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch 
> @@ -0,0 +1,58 @@ > +From dc5218c70d445a4692271add1a17091afb230095 Mon Sep 17 00:00:00 2001 > +From: Rasmus Villemoes > +Date: Mon, 16 Jul 2018 09:50:06 +0200 > +Subject: [PATCH] qfilesystemengine_unix.cpp: disable use of statx(2) > + > +When used inside an unprivileged docker container, statx(2) gets > +rejected with -EPERM by the default seccomp profile, unless the host > +runs an almost-bleeding edge version of docker (at least 18.04). That > +causes most qt apps, qmake in particular, to fail. > + > +While the qt release notes do mention this > + > + - Qt uses the statx(2) system call for obtaining file information on > + kernels 4.12 and later. Some older container systems install system call > + protection rules that do not include this system call. If you experience > + problems running Qt applications inside containers (such as the report of > + a file not existing when it does), ensure the statx(2) is allowed in the > + container configuration. > + > +it's not always feasible nor reasonable to upgrade (or tell one's > +customers to upgrade) the build infrastructure. > + > +This opt-in patch simply monkey-patches out any (the only) use of statx > +and ensures that the -ENOSYS fallbacks are used. 
> + > +https://github.com/docker/for-linux/issues/208 > +https://github.com/moby/moby/pull/36417 > + > +Upstream-Status: Inappropriate [workaround] > +--- > + src/corelib/io/qfilesystemengine_unix.cpp | 4 > + 1 file changed, 4 insertions(+) > + > +diff --git a/src/corelib/io/qfilesystemengine_unix.cpp > b/src/corelib/io/qfilesystemengine_unix.cpp > +index b974af80dc..5f574901e3 100644 > +--- a/src/corelib/io/qfilesystemengine_unix.cpp > b/src/corelib/io/qfilesystemengine_unix.cpp > +@@ -320,6 +320,9 @@ mtime(const T , int) > + #ifdef STATX_BASIC_STATS > + static int qt_real_statx(int fd, const char *pathname, int flags, struct > statx *statxBuffer) > + { > ++#if 1 > ++return -ENOSYS; > ++#else > + #ifdef Q_ATOMIC_INT8_IS_SUPPORTED > + static QBasicAtomicInteger statxTested = > Q_BASIC_ATOMIC_INITIALIZER(0); > + #else > +@@ -337,6 +340,7 @@ static int qt_real_statx(int fd, const char *pathname, > int flags, struct statx * > + } > + statxTested.store(1); > + return ret == -1 ? -errno : 0; > ++#endif > + } > + > + static int qt_statx(const char *pathname, struct statx *statxBuffer) > +-- > +2.16.4 > + > diff --git a/recipes-qt/qt5/qt5-git.inc b/recipes-qt/qt5/qt5-git.inc > index 09b6cc5..41f9b7a 100644 > --- a/recipes-qt/qt5/qt5-git.inc > +++ b/recipes-qt/qt5/qt5-git.inc > @@ -15,3 +15,5 @@ CVE_PRODUCT = "qt" > S = "${WORKDIR}/git" > > PV = "5.11.1+git${SRCPV}" > + > +SRC_URI_append_no-xstat = " > file://0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch" Isn't this applicable only to *qtbase* ? > -- > 2.16.4 > > -- >
[oe] [meta-qt5][PATCH] qfilesystemengine_unix.cpp: optionally disable use of statx(2)
When used inside an unprivileged docker container, statx(2) gets
rejected with -EPERM by the default seccomp profile, unless the host
runs an almost-bleeding edge version of docker (at least 18.04). That
causes most qt apps, qmake in particular, to fail.

While the qt release notes do mention this

  - Qt uses the statx(2) system call for obtaining file information on
    kernels 4.12 and later. Some older container systems install system call
    protection rules that do not include this system call. If you experience
    problems running Qt applications inside containers (such as the report of
    a file not existing when it does), ensure the statx(2) is allowed in the
    container configuration.

it's not always feasible nor reasonable to upgrade (or tell one's
customers to upgrade) the build infrastructure, especially since several
distros as of this writing don't even seem to ship such a recent version
in their official repositories.

This opt-in patch simply monkey-patches out any (the only) use of statx
and ensures that the -ENOSYS fallbacks are used. While I agree that this
is really a bug in the container system, this takes the short and
pragmatic approach to getting things to work.

To opt-in, just prepend no-xstat: to OVERRIDES in some global
configuration file, possibly restricting that to e.g. native and
nativesdk.

Signed-off-by: Rasmus Villemoes
--- ...temengine_unix.cpp-disable-use-of-statx-2.patch | 58 ++ recipes-qt/qt5/qt5-git.inc | 2 + 2 files changed, 60 insertions(+) create mode 100644 recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch diff --git a/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch new file mode 100644 index 000..6efbfe4 --- /dev/null +++ b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
@@ -0,0 +1,58 @@ +From dc5218c70d445a4692271add1a17091afb230095 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Mon, 16 Jul 2018 09:50:06 +0200 +Subject: [PATCH] qfilesystemengine_unix.cpp: disable use of statx(2) + +When used inside an unprivileged docker container, statx(2) gets +rejected with -EPERM by the default seccomp profile, unless the host +runs an almost-bleeding edge version of docker (at least 18.04). That +causes most qt apps, qmake in particular, to fail. + +While the qt release notes do mention this + + - Qt uses the statx(2) system call for obtaining file information on + kernels 4.12 and later. Some older container systems install system call + protection rules that do not include this system call. If you experience + problems running Qt applications inside containers (such as the report of + a file not existing when it does), ensure the statx(2) is allowed in the + container configuration. + +it's not always feasible nor reasonable to upgrade (or tell one's +customers to upgrade) the build infrastructure. + +This opt-in patch simply monkey-patches out any (the only) use of statx +and ensures that the -ENOSYS fallbacks are used. 
+ +https://github.com/docker/for-linux/issues/208 +https://github.com/moby/moby/pull/36417 + +Upstream-Status: Inappropriate [workaround] +--- + src/corelib/io/qfilesystemengine_unix.cpp | 4 + 1 file changed, 4 insertions(+) + +diff --git a/src/corelib/io/qfilesystemengine_unix.cpp b/src/corelib/io/qfilesystemengine_unix.cpp +index b974af80dc..5f574901e3 100644 +--- a/src/corelib/io/qfilesystemengine_unix.cpp b/src/corelib/io/qfilesystemengine_unix.cpp +@@ -320,6 +320,9 @@ mtime(const T , int) + #ifdef STATX_BASIC_STATS + static int qt_real_statx(int fd, const char *pathname, int flags, struct statx *statxBuffer) + { ++#if 1 ++return -ENOSYS; ++#else + #ifdef Q_ATOMIC_INT8_IS_SUPPORTED + static QBasicAtomicInteger statxTested = Q_BASIC_ATOMIC_INITIALIZER(0); + #else +@@ -337,6 +340,7 @@ static int qt_real_statx(int fd, const char *pathname, int flags, struct statx * + } + statxTested.store(1); + return ret == -1 ? -errno : 0; ++#endif + } + + static int qt_statx(const char *pathname, struct statx *statxBuffer) +-- +2.16.4 + diff --git a/recipes-qt/qt5/qt5-git.inc b/recipes-qt/qt5/qt5-git.inc index 09b6cc5..41f9b7a 100644 --- a/recipes-qt/qt5/qt5-git.inc +++ b/recipes-qt/qt5/qt5-git.inc @@ -15,3 +15,5 @@ CVE_PRODUCT = "qt" S = "${WORKDIR}/git" PV = "5.11.1+git${SRCPV}" + +SRC_URI_append_no-xstat = " file://0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch" -- 2.16.4 -- ___ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel
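Review bot: In the qt_real_statx() hunk of the embedded patch, the added `#if 1` / `return -ENOSYS;` / `#else` compiles out the whole original body behind an unnamed constant, and the patched source carries no comment saying why. Add a one-line comment at the `#if` pointing to the docker/for-linux issue cited in the patch header, or guard the block with a named macro, so the reason is still visible once the .patch header is out of sight. Since the failure described is -EPERM at run time, the commit message should also say why a compile-time switch was preferred over handling that return value, because with this change statx is never tried even on hosts whose seccomp profile allows it.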
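Review bot: The `SRC_URI_append_no-xstat` line is added to recipes-qt/qt5/qt5-git.inc, while the patch it references only touches src/corelib/io/qfilesystemengine_unix.cpp; any recipe that takes its SRC_URI from this include and does not contain that file would fail when the patch is applied once the override is set. Move the append to the recipe that actually ships that source file. The override is also spelled no-xstat although the syscall and the patch file name say statx, which makes it harder to find by search; consider `no-statx`.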