FS#73680 - faccessat2 still blocked - podman
Attached to Project:
Community Packages
Opened by Alexander von Gluck (kallisti5) - Tuesday, 08 February 2022, 08:16 GMT
Last edited by David Runge (dvzrv) - Saturday, 19 February 2022, 20:18 GMT
Details
Description:
I've seemingly met the requirements listed here: https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0

However, faccessat2 syscalls are still blocked :-|

Additional info:

```
[kallisti5@eris Code]$ runc -v
runc version 1.1.0
commit: v1.1.0-0-g067aaf85
spec: 1.0.2-dev
go: go1.17.6
libseccomp: 2.5.3
[kallisti5@eris Code]$ podman version
Version: 3.4.4
API Version: 3.4.4
Go Version: go1.17.4
Git Commit: f6526ada1025c2e3f88745ba83b8b461ca659933
Built: Thu Dec 9 12:30:40 2021
```

Steps to reproduce:

```
$ podman run -it --cap-add SYS_PTRACE -v /home/kallisti5/Code:/Code docker.io/alpine /bin/sh -l
9404f02982c1:/Code/buildtools/jam# strace -vvFf make 2>&1 | grep EPERM
faccessat2(AT_FDCWD, "/usr/local/sbin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/usr/local/bin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/usr/sbin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/usr/bin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/sbin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/bin/uname", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
faccessat2(AT_FDCWD, "/bin/sh", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
```
Closed by David Runge (dvzrv)
Saturday, 19 February 2022, 20:18 GMT
Reason for closing: Not a bug
Additional comments about closing: User likely did not sync .pacnew files, as the entry clearly exists.
https://github.com/containers/podman/issues/11455#issuecomment-927609738
It looks like the seccomp.json profile isn't getting updated by Arch?
contains:
```
"faccessat",
"faccessat2",
```
my system contains:
```
cat /etc/containers/seccomp.json | grep faccessat
"faccessat",
```
It looks like seccomp.json comes from containers-common?
```
[kallisti5@eris Code]$ pkgfile -l containers-common | grep sec
community/containers-common /etc/containers/seccomp.json
community/containers-common /usr/share/containers/seccomp.json
```
https://archlinux.org/packages/community/any/containers-common/
flagged outdated.
Latest version is v0.47.3
source: https://github.com/containers/common/tags
Yes, that's because of https://github.com/archlinux/svntogit-community/blob/18c94809e3ddeb2e0a6abe6fc36c225405884c42/trunk/PKGBUILD#L93-L106
0.44.x is what podman 3.4.4 uses, which is upstream's recommendation
https://github.com/containers/common/issues/923#issuecomment-1032383749
Because:
```
rg faccessat2 /etc/containers/seccomp.json
142: "faccessat2",
```
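
An added example, not part of the original thread and not code from podman or containers-common: a structured alternative to grepping the profile, which reports the verdict a profile gives `faccessat2` and lists syscalls that a newer copy (for example a `.pacnew` sibling left by pacman) allows but the live file does not. The two embedded profiles are constructed samples in the `seccomp.json` layout, and the function names are hypothetical.

```python
import json
import sys

# Constructed sample profiles in the containers seccomp.json layout (not the real files).
STALE = json.loads("""{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["faccessat", "fchmod"], "action": "SCMP_ACT_ALLOW"},
  {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
   "includes": {"caps": ["CAP_SYS_PTRACE"]}}]}""")
CURRENT = json.loads("""{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["faccessat", "faccessat2", "fchmod"], "action": "SCMP_ACT_ALLOW"},
  {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
   "includes": {"caps": ["CAP_SYS_PTRACE"]}}]}""")


def verdict(profile, syscall):
    """Action of the first unconditional rule naming `syscall`, else defaultAction.

    Rules gated on includes/excludes/args are skipped, so the answer is the
    conservative one: what the profile grants regardless of caps or arguments.
    """
    for rule in profile.get("syscalls", []):
        conditional = rule.get("includes") or rule.get("excludes") or rule.get("args")
        if syscall in rule.get("names", []) and not conditional:
            return rule["action"]
    return profile["defaultAction"]


def allowed(profile):
    """Set of syscalls the profile allows unconditionally."""
    names = {n for r in profile.get("syscalls", []) for n in r.get("names", [])}
    return {n for n in names if verdict(profile, n) == "SCMP_ACT_ALLOW"}


def newly_allowed(old, new):
    """Syscalls allowed by `new` but not by `old`: a sign that `old` is stale."""
    return sorted(allowed(new) - allowed(old))


if __name__ == "__main__":
    # Optional: pass the live profile and a newer copy as two file paths.
    if len(sys.argv) == 3:
        old, new = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        old, new = STALE, CURRENT
    print("faccessat2 in old profile:", verdict(old, "faccessat2"))
    print("allowed only in new profile:", newly_allowed(old, new))
```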