FS#73680 - faccessat2 still blocked - podman

Attached to Project: Community Packages
Opened by Alexander von Gluck (kallisti5) - Tuesday, 08 February 2022, 08:16 GMT
Last edited by David Runge (dvzrv) - Saturday, 19 February 2022, 20:18 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: David Runge (dvzrv)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
I've seemingly met the requirements listed here:
https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0


However, faccessat2 syscalls are still blocked :-|

Additional info:

```
[kallisti5@eris Code]$ runc -v
runc version 1.1.0
commit: v1.1.0-0-g067aaf85
spec: 1.0.2-dev
go: go1.17.6
libseccomp: 2.5.3

[kallisti5@eris Code]$ podman version
Version: 3.4.4
API Version: 3.4.4
Go Version: go1.17.4
Git Commit: f6526ada1025c2e3f88745ba83b8b461ca659933
Built: Thu Dec 9 12:30:40 2021
```



Steps to reproduce:

```
$ podman run -it --cap-add SYS_PTRACE -v /home/kallisti5/Code:/Code docker.io/alpine /bin/sh -l
```


```
9404f02982c1:/Code/buildtools/jam# strace -vvFf make 2>&1 | grep EPERM
faccessat2(AT_FDCWD, "/usr/local/sbin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/usr/local/bin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/usr/sbin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/usr/bin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/sbin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/bin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/bin/sh", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
```

Closed by David Runge (dvzrv)
Saturday, 19 February 2022, 20:18 GMT
Reason for closing: Not a bug
Additional comments about closing: User likely did not sync .pacnew files, as the entry clearly exists.

Comment by Alexander von Gluck (kallisti5) - Tuesday, 08 February 2022, 08:17 GMT
Per a bug report here:
https://github.com/containers/podman/issues/11455#issuecomment-927609738


It looks like the seccomp.json profile isn't getting updated by Arch?
Comment by Alexander von Gluck (kallisti5) - Tuesday, 08 February 2022, 08:24 GMT
https://raw.githubusercontent.com/containers/common/main/pkg/seccomp/seccomp.json
contains:
```
"faccessat",
"faccessat2",
```

my system contains:

```
cat /etc/containers/seccomp.json | grep faccessat
"faccessat",
```

It looks like seccomp.json comes from containers-common?

```
[kallisti5@eris Code]$ pkgfile -l containers-common | grep sec
community/containers-common /etc/containers/seccomp.json
community/containers-common /usr/share/containers/seccomp.json
```

https://archlinux.org/packages/community/any/containers-common/

flagged outdated.
Comment by Alexander von Gluck (kallisti5) - Tuesday, 08 February 2022, 08:28 GMT
Looks like containers-common v1.0.1 was retracted.
Latest version is v0.47.3

source: https://github.com/containers/common/tags
Comment by David Runge (dvzrv) - Saturday, 12 February 2022, 09:07 GMT
Comment by David Runge (dvzrv) - Saturday, 12 February 2022, 09:49 GMT
Comment by David Runge (dvzrv) - Saturday, 12 February 2022, 11:41 GMT
@kallisti5: As mentioned upstream: Have you made sure to synchronize your .pacnew files?

Because:

```
rg faccessat2 /etc/containers/seccomp.json
142: "faccessat2",
```
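
The check discussed in this thread, as an added example that is not part of the original report or of podman/containers-common: it parses two seccomp profiles and reports how each treats `faccessat2`, plus which syscalls only the newer profile allows. The function names and the two trimmed sample profiles are constructed for illustration; on a real system, pass the installed `seccomp.json` and the newer copy (for example a `.pacnew` file) as arguments.

```python
import json
import sys

# Constructed, heavily trimmed profiles in the containers/common seccomp.json
# layout; real profiles list several hundred syscalls.
STALE = json.loads("""{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["access", "faccessat"], "action": "SCMP_ACT_ALLOW"},
  {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
   "includes": {"caps": ["CAP_SYS_PTRACE"]}}]}""")
UPDATED = json.loads("""{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["access", "faccessat", "faccessat2"], "action": "SCMP_ACT_ALLOW"},
  {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
   "includes": {"caps": ["CAP_SYS_PTRACE"]}}]}""")


def rule_names(rule):
    # Older profiles use a single "name"; current ones use a "names" list.
    return rule.get("names") or ([rule["name"]] if "name" in rule else [])


def verdict(profile, syscall):
    """Return the action the profile applies to `syscall`."""
    matches = [r for r in profile.get("syscalls", []) if syscall in rule_names(r)]
    for rule in matches:
        # A rule without includes/excludes/args applies to every container.
        if not any(rule.get(k) for k in ("includes", "excludes", "args")):
            return rule["action"]
    if matches:
        return "CONDITIONAL:" + matches[0]["action"]
    # Unlisted syscalls fall through to the default action; with
    # SCMP_ACT_ERRNO the call fails, as in the strace output above.
    return "DEFAULT:" + profile["defaultAction"]


def newly_allowed(old, new):
    """Syscalls allowed by `new` that `old` does not allow at all."""
    def allowed(profile):
        return {n for r in profile.get("syscalls", [])
                if r["action"] == "SCMP_ACT_ALLOW" for n in rule_names(r)}
    return sorted(allowed(new) - allowed(old))


if __name__ == "__main__":
    # Usage: script.py INSTALLED.json NEWER.json; with no arguments, use the samples.
    old, new = STALE, UPDATED
    if len(sys.argv) == 3:
        old, new = (json.load(open(p)) for p in sys.argv[1:3])
    for label, prof in (("installed", old), ("newer", new)):
        print(label, "faccessat2 ->", verdict(prof, "faccessat2"))
    print("allowed only in newer profile:", newly_allowed(old, new))
```

Unlike a plain `grep`, this separates a syscall that is allowed unconditionally from one that is only allowed when a capability or argument condition holds.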
