powerpc has SYS_ipc instead of individual syscalls for the IPC methods used by fakeroot. This causes scanelf to crash when the seccomp sandbox is enabled. The following patch fixes the issue: --- pax-utils-1.2.3/security.c +++ pax-utils-1.2.3/security.c @@ -157,6 +157,7 @@ static void pax_seccomp_init(bool allow_forking) SCMP_SYS(getcwd), /* Syscalls listed because of fakeroot. */ + SCMP_SYS(ipc), SCMP_SYS(msgget), SCMP_SYS(msgrcv), SCMP_SYS(msgsnd),
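Review bot: The added SCMP_SYS(ipc) line, placed under the "Syscalls listed because of fakeroot" comment ahead of msgget/msgrcv/msgsnd, carries no comment saying why it is needed or how much it opens up. ipc is a single multiplexed entry point, so a name-only rule for it admits every SysV IPC operation, not only the message-queue calls listed beside it. Suggest a short comment on that line noting that some architectures issue msgget() and friends as ipc() subcalls. If the wider surface is not wanted, consider matching on the first argument (the subcall number) rather than allowing ipc outright.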
Patch looks ok. I would expect it not to be ppc64-specific though. Yet I don't seem to be able to reproduce it on ppc64 or on amd64.

Can you provide a few more details on package versions and the setup you are using?

1. What does 'emerge --info' show?
2. What fakeroot version are you using?
3. What package are you trying to build that exhibits the failure?
Oh, reproduced locally by running fakeroot directly:

    # LANG=C fakeroot scanelf -t /bin/bash
    /usr/bin/fakeroot: line 178: 27373 Bad system call FAKEROOTKEY=$FAKEROOTKEY LD_LIBRARY_PATH="$PATHS" LD_PRELOAD="$LIB" "$@"

I wonder why FEATURES=fakeroot is not enough for me.
And to clarify the case of why amd64 works as opposed to ppc64 (mostly for myself):

https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/msgget.c;h=7ad1ac696530fe82d8a2822082f11bd496993c34;hb=HEAD#l27

    int
    msgget (key_t key, int msgflg)
    {
    #ifdef __ASSUME_DIRECT_SYSVIPC_SYSCALLS
      return INLINE_SYSCALL_CALL (msgget, key, msgflg);
    #else
      return INLINE_SYSCALL_CALL (ipc, IPCOP_msgget, key, msgflg, 0, NULL);
    #endif
    }

msgget() is defined over the ipc() wrapper on platforms without __ASSUME_DIRECT_SYSVIPC_SYSCALLS defined. These are:

    glibc.git $ git grep -l -F '#undef __ASSUME_DIRECT_SYSVIPC_SYSCALLS' | cat
    sysdeps/unix/sysv/linux/i386/kernel-features.h
    sysdeps/unix/sysv/linux/m68k/kernel-features.h
    sysdeps/unix/sysv/linux/powerpc/kernel-features.h
    sysdeps/unix/sysv/linux/s390/kernel-features.h
    sysdeps/unix/sysv/linux/sh/kernel-features.h
    sysdeps/unix/sysv/linux/sparc/kernel-features.h
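Added example, not part of the thread and not pax-utils or glibc code: a small C model of a name-only syscall allowlist, showing why the same list passes msgget() on a direct-syscall platform, rejects it where glibc goes through ipc(), and what allowing ipc also admits. The helper names and the BEFORE/AFTER lists are assumptions built from the entries visible in the patch; the subcall numbers are those of the kernel's <linux/ipc.h>.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Sub-call numbers multiplexed through ipc(2), as in the kernel's <linux/ipc.h>. */
static const struct { const char *name; int call; } IPC_OPS[] = {
    {"semop", 1},   {"semget", 2},  {"semctl", 3},  {"semtimedop", 4},
    {"msgsnd", 11}, {"msgrcv", 12}, {"msgget", 13}, {"msgctl", 14},
    {"shmat", 21},  {"shmdt", 22},  {"shmget", 23}, {"shmctl", 24},
};

/* First argument ipc() receives for a SysV IPC libc function, or -1 if none. */
static int ipc_call_for(const char *func)
{
    for (size_t i = 0; i < sizeof IPC_OPS / sizeof IPC_OPS[0]; i++)
        if (strcmp(IPC_OPS[i].name, func) == 0)
            return IPC_OPS[i].call;
    return -1;
}

/* Syscall name the kernel sees; direct models __ASSUME_DIRECT_SYSVIPC_SYSCALLS. */
static const char *kernel_syscall(const char *func, bool direct)
{
    return (!direct && ipc_call_for(func) >= 0) ? "ipc" : func;
}

/* Name-only allowlist check, like a list of SCMP_SYS() entries:
 * false means the call is not allowed ("Bad system call"). */
static bool filter_allows(const char *const *allow, size_t n,
                          const char *func, bool direct)
{
    const char *seen = kernel_syscall(func, direct);
    for (size_t i = 0; i < n; i++)
        if (strcmp(allow[i], seen) == 0)
            return true;
    return false;
}

/* Constructed subsets built from the entries visible in the patch. */
static const char *const BEFORE[] = {"getcwd", "msgget", "msgrcv", "msgsnd"};
static const char *const AFTER[] = {"getcwd", "ipc", "msgget", "msgrcv", "msgsnd"};

int main(void)
{
    printf("msgget, multiplexed, before: %d\n", filter_allows(BEFORE, 4, "msgget", false));
    printf("msgget, multiplexed, after:  %d\n", filter_allows(AFTER, 5, "msgget", false));
    printf("shmget, multiplexed, after:  %d\n", filter_allows(AFTER, 5, "shmget", false));
    return 0;
}
```

The last line of output is the trade-off: on multiplexed platforms a name-only ipc rule also admits shared-memory and semaphore calls, while on direct-syscall platforms shmget stays blocked.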
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=519f07f7f3bdb29382a0f1491f6fce0a07bbc4fc

commit 519f07f7f3bdb29382a0f1491f6fce0a07bbc4fc
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2019-01-14 22:35:29 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2019-01-14 22:35:29 +0000

    security.c: whitelist ipc() syscall for fakeroot on ppc64 and friends

    On amd64 and friends msgget() and similar syscalls are standalone syscalls.
    On i386 and friends msgget() is a subcall of ipc() syscall.

    This makes fakechroot break 'scanelf' as:
    $ LANG=C fakeroot scanelf -t /bin/bash
    /usr/bin/fakeroot: line 178: 6820 Bad system call (core dumped)

    The change whitelists ipc() call which allows all sysv syscalls, namely:
    - semop, semget, semctl, semtimedop
    - msgsnd, msgrcv, msgget, msgctl
    - shmat, shmdt, shmget, shmctl

    Reported-and-fixed-by: Samuel Holland
    Bug: https://bugs.gentoo.org/675378
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 security.c | 6 ++++++
 1 file changed, 6 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0f669f55fce79532270330064564c65c4e6d378

commit e0f669f55fce79532270330064564c65c4e6d378
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2019-01-14 23:05:49 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2019-01-14 23:07:04 +0000

    app-misc/pax-utils: bump up to 1.2.4

    Two main fixes since main release:
    - Python 3.7 support
    - better fakeroot cooperation on powerpc and others

    Bug: https://bugs.gentoo.org/671522
    Bug: https://bugs.gentoo.org/675378
    Package-Manager: Portage-2.3.55, Repoman-2.3.12
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 app-misc/pax-utils/Manifest               |  1 +
 app-misc/pax-utils/pax-utils-1.2.4.ebuild | 70 +++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
Pushed 1.2.4 bump with your fix. Please check if it works for you. Thank you!