mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-21 12:32:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

glibc: add workaround for faccessat2 being blocked by seccomp filters

Browse Source 
Older seccomp-based filters used in container frameworks will block faccessat2
calls as it's a relatively new syscall.  This isn't a big problem with
glibc <2.33 but 2.33 will call faccessat2 itself, get EPERM, and thenn be confused
about what to do as EPERM isn't an expected error code.

(From OE-Core rev: 4d6ad6d611834c2648d6bf9791cb8140967e2529)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ross Burton
2021-02-11 14:46:45 +00:00
committed by Richard Purdie
parent f13c22358a
commit 0ba0a534a3
2 changed files with 32 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
meta/recipes-core/glibc/glibc/faccessat2-perm.patch Normal file
View File

@@ -0,0 +1,31 @@
Older seccomp-based filters used in container frameworks will block faccessat2
calls as it's a relatively new syscall. This isn't a big problem with
glibc <2.33 but 2.33 will call faccessat2 itself, get EPERM, and thenn be confused
about what to do as EPERM isn't an expected error code.
This manifests itself as mysterious errors, for example a kernel failing to link.
The root cause of bad seccomp filters is mostly fixed (systemd 247, Docker 20.10.0)
but we can't expect everyone to upgrade, so add a workaound (originally from
Red Hat) to handle EPERM like ENOSYS and fallback to faccessat().
Upstream-Status: Inappropriate
Signed-off-by: Ross Burton <ross.burton@arm.com>
diff --git a/sysdeps/unix/sysv/linux/faccessat.c b/sysdeps/unix/sysv/linux/faccessat.c
index 56cb6dcc8b4d58d3..5de75032bbc93a2c 100644
--- a/sysdeps/unix/sysv/linux/faccessat.c
+++ b/sysdeps/unix/sysv/linux/faccessat.c
@@ -34,7 +34,11 @@ faccessat (int fd, const char *file, int mode, int flag)
#if __ASSUME_FACCESSAT2
return ret;
#else
- if (ret == 0 || errno != ENOSYS)
+ /* Fedora-specific workaround:
+ As a workround for a broken systemd-nspawn that returns
+ EPERM when a syscall is not allowed instead of ENOSYS
+ we must check for EPERM here and fall back to faccessat. */
+ if (ret == 0 || !(errno == ENOSYS || errno == EPERM))
return ret;
if (flag & ~(AT_SYMLINK_NOFOLLOW | AT_EACCESS))

1
meta/recipes-core/glibc/glibc_2.33.bb
View File

@@ -12,6 +12,7 @@ NATIVESDKFIXES_class-nativesdk = "\
file://0005-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch \
file://0006-nativesdk-glibc-Allow-64-bit-atomics-for-x86.patch \
file://0007-nativesdk-glibc-Make-relocatable-install-for-locales.patch \
file://faccessat2-perm.patch \
"
SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \