We probably need to add 'statx' to sandbox:

    # strace -f scanelf -T /usr/bin/
    execve("/usr/bin/scanelf", ["scanelf", "-T", "/usr/bin/"], 0xffe0e7ec /* 32 vars */) = 0
    ...
    statx(AT_FDCWD, "/usr/bin/", AT_STATX_SYNC_AS_STAT|AT_SYMLINK_NOFOLLOW, STATX_BASIC_STATS, <unfinished ...>) = ?
    +++ killed by SIGSYS (core dumped) +++
    Bad system call
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=686bd1cb140fa13652b4a0a209d616865b9265bc

commit 686bd1cb140fa13652b4a0a209d616865b9265bc
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-04-13 10:36:13 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-04-13 10:36:13 +0000

    security.c: allow 'statx' in seccomp sandbox (musl-1.1.24)

    musl-1.1.24 starting from dfc81828f7ab41da08f744c
    "implement fstatat with SYS_statx, conditional on undersized kstat time"
    changed fstatat() to use statx().

    This caused scanelf to crash under seccomp sandbox.

    The change whitelists 'statx' syscall.

    Bug: https://bugs.gentoo.org/717300
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 security.c | 1 +
 1 file changed, 1 insertion(+)
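The failure mode the commit message describes, as an added example that is not code from this bug or from pax-utils' security.c: a child process installs a kill-by-default seccomp allowlist and then issues the statx() call seen in the strace output. The function name statx_under_sandbox, the two-entry policy and the use of raw BPF are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist entry: return ALLOW when the loaded syscall number equals nr. */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Fork a child, install a kill-by-default filter, then call statx() the way
 * musl's fstatat() does. Returns the child's fatal signal, 0 if it exited. */
int statx_under_sandbox(int allow_statx)
{
    /* Constructed two-entry policy; real filters also check seccomp_data.arch. */
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_exit_group),
        ALLOW(allow_statx ? SYS_statx : SYS_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };
    char buf[512]; /* larger than the kernel's 256-byte struct statx */
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); /* keep the demo from writing a core */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(2);
        syscall(SYS_statx, AT_FDCWD, "/usr/bin/", AT_SYMLINK_NOFOLLOW,
                0x7ff /* STATX_BASIC_STATS */, buf);
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("denied: %d, allowed: %d\n", statx_under_sandbox(0), statx_under_sandbox(1));
    return 0;
}
```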
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29577ded45b741d4233b837a6542b551c5f14f23

commit 29577ded45b741d4233b837a6542b551c5f14f23
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-04-13 10:48:38 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-04-13 10:49:29 +0000

    app-misc/pax-utils: bump up to 1.2.6

    A few new changes:

    Göktürk Yüksek (1):
          Add RISC-V to the list of architectures in ELF

    Manoj Gupta (1):
          lddtree: Put ldso interpreter library path at end

    Mike Frysinger (2):
          pylintrc: enable more warnings
          pylint: load python via $PATH

    Sergei Trofimovich (3):
          scanelf.c: don't crash in -v mode on non-functions
          scanelf.c: be more verbose at saying what all the addresses mean
          security.c: allow 'statx' in seccomp sandbox (musl-1.1.24)

    Closes: https://bugs.gentoo.org/717300
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 app-misc/pax-utils/Manifest               |  1 +
 app-misc/pax-utils/pax-utils-1.2.6.ebuild | 72 +++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)