[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
This bug was fixed in the package libseccomp - 2.3.1-2.1ubuntu4.1

---------------
libseccomp (2.3.1-2.1ubuntu4.1) bionic; urgency=medium

  * d/p/lp-1755250-add-the-statx-syscall.patch: add statx support
    (LP: #1755250)
  * d/p/lp-1815415-*: Add syscalls up to kernel 4.15 (LP: #1815415)

 -- Christian Ehrhardt  Fri, 08 Feb 2019 09:17:23 +0100

** Changed in: libseccomp (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1755250

Title:
  backport statx syscall whitelist fix

Status in docker.io package in Ubuntu:
  Invalid
Status in libseccomp package in Ubuntu:
  Fix Released
Status in docker.io source package in Bionic:
  Invalid
Status in libseccomp source package in Bionic:
  Fix Released
Status in docker.io source package in Cosmic:
  Invalid
Status in libseccomp source package in Cosmic:
  Fix Released

Bug description:
  [Impact]

   * Some newer workloads fail due to libseccomp as in Bionic lacking
     statx support

   * This backports the syscall definitions for statx to Bionic to allow
     to manage those

  [Test Case]

  # Note: I took a KVM image of Bionic to not spoil my system with
  # Docker config for this test too much
  $ sudo apt install docker.io
  $ sudo usermod -a -G docker ubuntu
  $ cat > test-statx/Dockerfile << EOF
  FROM ubuntu:18.04
  RUN apt-get update && apt-get install -y wget gcc
  WORKDIR /tmp
  RUN wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c
  RUN gcc test-statx.c -o test-statx
  RUN touch test-file
  RUN chmod +x ./test-statx
  RUN ./test-statx test-file
  EOF
  $ docker build test-statx

  With the bug and current docker 18.06.1-0ubuntu1~18.04.1 in Bionic that yields
  [...]
  Step 8/8 : RUN ./test-statx test-file
   ---> Running in 6e60a82409e6
  test-file: Operation not permitted
  statx(test-file) = -1
  The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1

  With the fix applied it would work and look like:
  Step 8/8 : RUN ./test-statx test-file
   ---> Running in a83bc043e7bd
  statx(test-file) = 0
  results=fff
    Size: 0               Blocks: 0          IO Block: 4096    regular file
  Device: 00:32           Inode: 261994      Links: 1
  Access: (0644/-rw-r--r--)  Uid:     0   Gid:     0
  Access: 2019-02-08 07:57:42.0+
  Modify: 2019-02-08 07:57:42.0+
  Change: 2019-02-08 07:57:43.076507007+
   Birth: 2019-02-08 07:57:43.076507007+
  Attributes: ( -... .---.-..)
  Removing intermediate container a83bc043e7bd
   ---> d428d14cbc57
  Successfully built d428d14cbc57

  [Regression Potential]

   * This "only" defines a new syscall number for all the architectures.
     It does not make any other changes, thereby it should be rather safe.
     If anything software could now manage statx through libseccomp and
     behavior that was formerly failing (like the reported docker case)
     would not succeed and due to that be a change in behavior - but I
     think it is a wanted change.

  [Other Info]

   * n/a

  ---

  Hello maintainer,

  The docker version 17.03 (bionic) in ubuntu doesn't allow the statx
  syscall which is needed to build qt >=5.10 applications:
  https://github.com/docker/for-linux/issues/208#issuecomment-372400859

  Could this fix be backported in the ubuntu package?
  https://github.com/moby/moby/pull/36417

  regards,
  xan.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
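The test-statx sample used in the test case above only prints the errno text. What a practitioner usually wants inside a container is to tell the two failure modes apart: EPERM is what a seccomp profile returns for a syscall it does not allow (the symptom in this bug, where Bionic's libseccomp could not resolve the name "statx" so Docker's rule for it never took effect and the profile's default action applied), while ENOSYS means the kernel itself predates statx (4.11). The program below is an added example and is not part of this bug report, of the libseccomp package, or of the kernel's test-statx.c. It makes the same raw statx syscall and classifies the result. The names probe_statx, statx_probe_name and struct probe_statx are this example's own; the struct mirrors the 256-byte layout documented in statx(2) so the file also builds against glibc headers that have no struct statx.

```c
/* statx_probe.c - added example, not from the bug thread or test-statx.c.
 * Calls the statx syscall directly and classifies the outcome so that a
 * seccomp-filtered syscall (EPERM) can be told apart from a kernel that
 * predates statx (ENOSYS).
 * Build: gcc -Wall -o statx_probe statx_probe.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>          /* AT_FDCWD */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>         /* syscall() */
#include <sys/syscall.h>    /* __NR_statx, if the build headers know it */

/* Mask bits as documented in statx(2); defined locally (hypothetical names)
 * so the example does not depend on <linux/stat.h>. */
#define PROBE_STATX_BASIC_STATS 0x000007ffU
#define PROBE_STATX_SIZE        0x00000200U

/* Minimal mirror of the struct statx layout from statx(2): only the leading
 * fields are named, the remainder is padding so the kernel's writes fit. */
struct probe_statx {
    uint32_t stx_mask;
    uint32_t stx_blksize;
    uint64_t stx_attributes;
    uint32_t stx_nlink;
    uint32_t stx_uid;
    uint32_t stx_gid;
    uint16_t stx_mode;
    uint16_t spare0;
    uint64_t stx_ino;
    uint64_t stx_size;
    uint8_t  rest[256 - 48];
};

enum statx_probe_result {
    STATX_PROBE_OK = 0,      /* syscall reached the kernel and succeeded */
    STATX_PROBE_EPERM,       /* denied, most likely by a seccomp filter */
    STATX_PROBE_ENOSYS,      /* kernel has no statx (older than 4.11) */
    STATX_PROBE_OTHER_ERRNO, /* e.g. ENOENT: syscall allowed, path problem */
    STATX_PROBE_NOT_BUILT    /* __NR_statx unknown to the build headers */
};

/* Probe `path` with a raw statx syscall; on success optionally report size. */
enum statx_probe_result probe_statx(const char *path, uint64_t *size_out)
{
#ifdef __NR_statx
    struct probe_statx stx;
    memset(&stx, 0, sizeof stx);
    long rc = syscall(__NR_statx, AT_FDCWD, path, 0,
                      PROBE_STATX_BASIC_STATS, &stx);
    if (rc == 0) {
        if (size_out && (stx.stx_mask & PROBE_STATX_SIZE))
            *size_out = stx.stx_size;
        return STATX_PROBE_OK;
    }
    switch (errno) {
    case EPERM:  return STATX_PROBE_EPERM;
    case ENOSYS: return STATX_PROBE_ENOSYS;
    default:     return STATX_PROBE_OTHER_ERRNO;
    }
#else
    (void)path;
    (void)size_out;
    return STATX_PROBE_NOT_BUILT;
#endif
}

/* Human-readable verdict for each probe result. */
const char *statx_probe_name(enum statx_probe_result r)
{
    switch (r) {
    case STATX_PROBE_OK:          return "ok: statx allowed and succeeded";
    case STATX_PROBE_EPERM:       return "EPERM: statx blocked, most likely by a seccomp profile";
    case STATX_PROBE_ENOSYS:      return "ENOSYS: kernel has no statx syscall";
    case STATX_PROBE_OTHER_ERRNO: return "other errno: statx allowed, path or permission problem";
    case STATX_PROBE_NOT_BUILT:   return "not built: __NR_statx missing from build headers";
    }
    return "unknown";
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    uint64_t size = 0;
    enum statx_probe_result r = probe_statx(path, &size);
    printf("%s: %s\n", path, statx_probe_name(r));
    if (r == STATX_PROBE_OK)
        printf("size=%llu\n", (unsigned long long)size);
    return r == STATX_PROBE_OK ? 0 : 1;
}
```

Run it inside the container in place of ./test-statx (for example as the last RUN step of the Dockerfile above): with the Bionic libseccomp2 before this update it reports the EPERM verdict, after the upgrade it reports ok. On the host, scmp_sys_resolver from libseccomp's tools (the seccomp package on Ubuntu) shows whether the installed library can resolve the name at all; a negative result for `scmp_sys_resolver statx` means a profile rule naming statx cannot be applied, and the profile's default action (EPERM in Docker's default profile) wins.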
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Hi,
it has been released for Cosmic already.
Some tests were blocking it for Bionic but I resolved those already.
It should be released the next time an SRU member will look at this.
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Has this been released?
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Tests were just flaky as assumed, retried and good now

** Changed in: libseccomp (Ubuntu Bionic)
       Status: Incomplete => Fix Committed
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Thank you for testing!

I see some lxc ADT regressions reported for this upload in bionic. Can
you take a look and check if it's all unrelated, just-in-case?

** Changed in: libseccomp (Ubuntu Bionic)
       Status: Fix Committed => Incomplete
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Ok for me too, I just installed libseccomp2_2.3.1-2.1ubuntu4.1_amd64.deb
and it works:

Step 16/18 : RUN gcc test-statx.c -o test-statx
 ---> Running in 501935bb923d
Removing intermediate container 501935bb923d
 ---> a47f15cd6fc8
Step 17/18 : RUN touch test-file
 ---> Running in 1038f76ad915
Removing intermediate container 1038f76ad915
 ---> b0722af4d6f1
Step 18/18 : RUN ./test-statx test-file
 ---> Running in 52e32a35825e
statx(test-file) = 0
results=fff
  Size: 0               Blocks: 0          IO Block: 4096    regular file
Device: 00:3a           Inode: 4588842     Links: 1
Access: (0644/-rw-r--r--)  Uid:  1000   Gid:  1000
Access: 2019-02-28 10:13:33.0+
Modify: 2019-02-28 10:13:33.0+
Change: 2019-02-28 10:13:33.836307736+
 Birth: 2019-02-28 10:13:33.836307736+
Attributes: ( -... .---.-..)
Removing intermediate container 52e32a35825e
 ---> 72fbbcb57e15
Successfully built 72fbbcb57e15
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Testing as-is (remember to clean old images if you have tested the ppa
on the same system before)
$ docker system prune -a
...
Test steps
...
Step 8/8 : RUN ./test-statx test-file
 ---> Running in 60210feb0c2e
test-file: Operation not permitted
statx(test-file) = -1
The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1

Fails as expected

Upgrading to libseccomp2 from proposed
$ sudo apt install libseccomp2/bionic-proposed
Reading package lists... Done
Building dependency tree
Reading state information... Done
Selected version '2.3.1-2.1ubuntu4.1' (Ubuntu:18.04/bionic-proposed [amd64]) for 'libseccomp2'
The following package was automatically installed and is no longer required:
  grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  libseccomp-dev
The following packages will be upgraded:
  libseccomp-dev libseccomp2
2 upgraded, 0 newly installed, 0 to remove and 26 not upgraded.
Need to get 96.9 kB of archives.
After this operation, 15.4 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libseccomp-dev amd64 2.3.1-2.1ubuntu4.1 [57.8 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libseccomp2 amd64 2.3.1-2.1ubuntu4.1 [39.1 kB]
Fetched 96.9 kB in 0s (755 kB/s)
(Reading database ... 102759 files and directories currently installed.)
Preparing to unpack .../libseccomp-dev_2.3.1-2.1ubuntu4.1_amd64.deb ...
Unpacking libseccomp-dev:amd64 (2.3.1-2.1ubuntu4.1) over (2.3.1-2.1ubuntu4) ...
Preparing to unpack .../libseccomp2_2.3.1-2.1ubuntu4.1_amd64.deb ...
Unpacking libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) over (2.3.1-2.1ubuntu4) ...
Setting up libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) ...
Setting up libseccomp-dev:amd64 (2.3.1-2.1ubuntu4.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

Retest the case:
Step 8/8 : RUN ./test-statx test-file
 ---> Running in 3b7450662773
statx(test-file) = 0
results=fff
  Size: 0               Blocks: 0          IO Block: 4096    regular file
Device: 00:31           Inode: 261790      Links: 1
Access: (0644/-rw-r--r--)  Uid:     0   Gid:     0
Access: 2019-02-28 09:38:56.0+
Modify: 2019-02-28 09:38:56.0+
Change: 2019-02-28 09:38:56.266396084+
 Birth: 2019-02-28 09:38:56.266396084+
Attributes: ( -... .---.-..)
Removing intermediate container 3b7450662773
 ---> c381bca61860
Successfully built c381bca61860

Thereby setting verified

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Hello xantares, or anyone else affected,

Accepted libseccomp into bionic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/libseccomp/2.3.1-2.1ubuntu4.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: libseccomp (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-bionic
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
hello,
how long does it take usually for ubuntu to review the changes?
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
All pre-checks and tests complete, and uploaded to the SRU review queue

** Changed in: libseccomp (Ubuntu Bionic)
Status: Triaged => In Progress
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
I opened a MP [1] for review by different parties:
- you (@xantares) as the original author if you are fine with my polishing
- security to get their ack on it
- server-team to spot silly errors that I might have missed or done

[1]: https://code.launchpad.net/~paelzer/ubuntu/+source/libseccomp/+git/libseccomp/+merge/362906

** Tags added: server-next

** Changed in: libseccomp (Ubuntu Bionic)
Assignee: (unassigned) => Christian Ehrhardt (paelzer)
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
** Merge proposal linked:
https://code.launchpad.net/~paelzer/ubuntu/+source/libseccomp/+git/libseccomp/+merge/362906
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Ok, tests worked fine for me - I added all I had as SRU template in the bug description.

** Description changed:

+ [Impact]
+
+ * Some newer workloads fail due to libseccomp as in Bionic lacking
+ statx support
+
+ * This backports the syscall definitions for statx to Bionic to allow
+ to manage those
+
+ [Test Case]
+
+ # Note: I took a KVM image of Bionic to not spoil my system with Docker config for this test too much
+ $ sudo apt install docker.io
+ $ sudo usermod -a -G docker ubuntu
+ $ cat > test-statx/Dockerfile << EOF
+ FROM ubuntu:18.04
+ RUN apt-get update && apt-get install -y wget gcc
+ WORKDIR /tmp
+ RUN wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c
+ RUN gcc test-statx.c -o test-statx
+ RUN touch test-file
+ RUN chmod +x ./test-statx
+ RUN ./test-statx test-file
+ EOF
+ $ docker build test-statx
+
+ With the bug and current docker 18.06.1-0ubuntu1~18.04.1 in Bionic that
+ yields
+
+ [...]
+ Step 8/8 : RUN ./test-statx test-file
+ ---> Running in 6e60a82409e6
+ test-file: Operation not permitted
+ statx(test-file) = -1
+ The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1
+
+ With the fix applied it would work and look like:
+ Step 8/8 : RUN ./test-statx test-file
+ ---> Running in a83bc043e7bd
+ statx(test-file) = 0
+ results=fff
+ Size: 0 Blocks: 0 IO Block: 4096regular file
+ Device: 00:32 Inode: 261994 Links: 1
+ Access: (0644/-rw-r--r--) Uid: 0 Gid: 0
+ Access: 2019-02-08 07:57:42.0+
+ Modify: 2019-02-08 07:57:42.0+
+ Change: 2019-02-08 07:57:43.076507007+
+ Birth: 2019-02-08 07:57:43.076507007+
+ Attributes: ( -... .---.-..)
+ Removing intermediate container a83bc043e7bd
+ ---> d428d14cbc57
+ Successfully built d428d14cbc57
+
+
+ [Regression Potential]
+
+ * This "only" defines a new syscall number for all the architectures.
+ It does not make any other changes, thereby it should be rather safe. If
+ anything software could now manage statx through libseccomp and behavior
+ that was formerly failing (like the reported docker case) would not
+ succeed and due to that be a change in behavior - but I think it is a
+ wanted change.
+
+ [Other Info]
+
+ * n/a
+
+ ---
+
  Hello maintainer, The docker version 17.03 (bionic) in ubuntu doesn't allow the statx syscall which is needed to build qt >=5.10 applications: https://github.com/docker/for-linux/issues/208#issuecomment-372400859 Could this fix be backported in the ubuntu package ? https://github.com/moby/moby/pull/36417 regards, xan.
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Hi, I polished your patch a bit and I'm currently testing it in PPA [1]. If you can give it a try as well. I have created an SRU Template and more detailed test steps and will add them once they hopefully succeed on the prepared PPA. Otherwise I'll ping here for you to revisit the change.

[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3640

** Also affects: libseccomp (Ubuntu Cosmic)
Importance: Undecided
Status: New

** Also affects: docker.io (Ubuntu Cosmic)
Importance: Undecided
Status: New

** Also affects: libseccomp (Ubuntu Bionic)
Importance: Undecided
Status: New

** Also affects: docker.io (Ubuntu Bionic)
Importance: Undecided
Status: New

** Changed in: libseccomp (Ubuntu Cosmic)
Status: New => Fix Released

** Changed in: libseccomp (Ubuntu)
Status: Confirmed => Fix Released

** Changed in: libseccomp (Ubuntu Bionic)
Status: New => Triaged

** Changed in: docker.io (Ubuntu Cosmic)
Status: New => Invalid

** Changed in: docker.io (Ubuntu Bionic)
Status: New => Invalid

** Changed in: docker.io (Ubuntu)
Status: Confirmed => Invalid
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
The attachment "libsecomp231-statx.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
here is a patch against libseccomp 2.3.1 in bionic (on top of the debian risc port patch)

I manually applied changes from libseccomp 2.3.3 that reference the statx syscalls

for the risc part I used the diff from https://github.com/seccomp/libseccomp/blob/2a70ad4f3e8ab80e88f0662a760f4ef1d9219205/src/arch-parisc-syscalls.c

successfully rebuilt the package and tested it on x86_64

please apply for ubuntu bionic

to test it in a docker container you can do:

WORKDIR /tmp
RUN wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c
RUN gcc test-statx.c -o test-statx
RUN touch test-file
RUN ./test-statx test-file

** Patch added: "libsecomp231-statx.patch"
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1755250/+attachment/5236693/+files/libsecomp231-statx.patch
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
I can confirm that this bug is solved in Ubuntu Cosmic (18.10) with Docker 18.06.1 and libseccomp 2.3.3.
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: docker.io (Ubuntu)
Status: New => Confirmed
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: libseccomp (Ubuntu)
Status: New => Confirmed
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
This is indeed pretty important for some use-cases so we should try to come up with a reasonable solution.
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
Tianon is right, runc silently discards syscalls it doesn't know about:
https://github.com/opencontainers/runc/blob/ecd55a4135e0a26de884ce436442914f945b1e76/libcontainer/seccomp/seccomp_linux.go#L168-L173

This affects other syscalls, like preadv2:
https://github.com/opencontainers/runtime-spec/issues/972

Failing to whitelist a syscall that the kernel does support is safe, but failing to *blacklist* a syscall could be more problematic. But failing to whitelist could also impact functionality/performance compared to a non-containerized application.

I couldn't find if anything is backported in "2.3.1-2.1ubuntu4", but the upstream "2.3.1" limits us to syscalls up to Linux 4.5-rc4.

Summoning Christian to help in bumping the priority of this issue.

** Bug watch added: github.com/opencontainers/runtime-spec/issues #972
https://github.com/opencontainers/runtime-spec/issues/972
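The loader behaviour described in this message, as an added example that is not code from the thread, runc or libseccomp: a model of a name-based seccomp profile resolved against a libseccomp table that lacks statx, showing why the container gets EPERM before the backport and ALLOW after it, why a dropped *blacklist* entry is the worse case, and a pre-flight lint that reports names the loader would silently skip. All tables are constructed subsets; the x86_64 numbers 332 (statx) and 327 (preadv2) are the kernel's, and SCMP_ERROR mirrors what seccomp_syscall_resolve_name() returns for an unknown name.

```python
"""Model of how a name-based seccomp profile degrades when the libseccomp it is
resolved against does not know a syscall name (constructed example)."""
import errno
import os
from dataclasses import dataclass, field

# Constructed subset of the x86_64 names libseccomp 2.3.1 resolves (its table
# stops around Linux 4.5, before statx arrived in 4.11).
LIBSECCOMP_231 = {
    "read": 0, "write": 1, "open": 2, "close": 3, "stat": 4, "fstat": 5,
    "lstat": 6, "mmap": 9, "exit_group": 231, "newfstatat": 262,
}
# Same table after the LP #1755250 backport: statx is x86_64 syscall 332.
LIBSECCOMP_231_PATCHED = dict(LIBSECCOMP_231, statx=332)
# What the running kernel actually dispatches (constructed subset).
KERNEL_X86_64 = dict(LIBSECCOMP_231_PATCHED, preadv2=327)

SCMP_ERROR = -1  # seccomp_syscall_resolve_name() result for an unknown name


def resolve(name: str, table: dict) -> int:
    """Stand-in for seccomp_syscall_resolve_name(): name -> number or SCMP_ERROR."""
    return table.get(name, SCMP_ERROR)


@dataclass
class Filter:
    default_action: str   # "ERRNO(EPERM)" for a whitelist, "ALLOW" for a blacklist
    rule_action: str      # action attached to every name listed in the profile
    rules: dict = field(default_factory=dict)    # syscall number -> action
    dropped: list = field(default_factory=list)  # names the loader skipped silently


def build_filter(profile_names, table, default_action="ERRNO(EPERM)",
                 rule_action="ALLOW") -> Filter:
    """Mimic the runc behaviour described above: resolve each listed name and,
    on SCMP_ERROR, just continue instead of failing the container start."""
    f = Filter(default_action, rule_action)
    for name in profile_names:
        nr = resolve(name, table)
        if nr == SCMP_ERROR:
            f.dropped.append(name)
            continue
        f.rules[nr] = rule_action
    return f


def evaluate(f: Filter, nr: int) -> str:
    """What the installed BPF program decides for a syscall number."""
    return f.rules.get(nr, f.default_action)


def unresolvable(profile_names, table) -> list:
    """Pre-flight lint: profile names this libseccomp cannot resolve."""
    return [n for n in profile_names if resolve(n, table) == SCMP_ERROR]


# Constructed stand-in for a Docker-style default (whitelist) profile.
PROFILE = ["read", "write", "open", "close", "fstat", "newfstatat",
           "statx", "mmap", "exit_group"]


def statx_outcome(table) -> str:
    """Outcome of statx() in a container whose whitelist was resolved against `table`."""
    f = build_filter(PROFILE, table)
    action = evaluate(f, KERNEL_X86_64["statx"])
    if action == "ALLOW":
        return "statx(test-file) = 0"
    return f"statx(test-file) = -1 ({os.strerror(errno.EPERM)})"


if __name__ == "__main__":
    print("unresolvable with 2.3.1:", unresolvable(PROFILE, LIBSECCOMP_231))
    print("before backport:", statx_outcome(LIBSECCOMP_231))
    print("after backport: ", statx_outcome(LIBSECCOMP_231_PATCHED))
    # Blacklist flavour: a dropped name leaves the syscall at the ALLOW default,
    # which is why a failed *blacklist* entry is the more problematic case.
    deny = build_filter(["statx"], LIBSECCOMP_231,
                        default_action="ALLOW", rule_action="KILL")
    print("blacklist miss:", evaluate(deny, KERNEL_X86_64["statx"]), deny.dropped)
```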
[Touch-packages] [Bug 1755250] Re: backport statx syscall whitelist fix
** Also affects: libseccomp (Ubuntu)
Importance: Undecided
Status: New