Summary: | app-misc/pax-utils-1.1[seccomp]: Bad system call (core dumped) scanelf -yqRBF '#k%F' -k '.symtab' "$@" when using FEATURES=fakeroot | ||
---|---|---|---|
Product: | Portage Development | Reporter: | Justin Lecher (RETIRED) <jlec> |
Component: | Core | Assignee: | SpanKY <vapier> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | dark.shadow, floppym, kumba, slashbeast, zmedico |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: |
pycparser-2.14:20150823-135804.log.xz
config.gz signal log patch pax-utils-fakeroot.patch |
Description
Justin Lecher (RETIRED)
2015-08-23 13:57:57 UTC
Created attachment 409934 [details]
pycparser-2.14:20150823-135804.log.xz
debug build lgo
Just a guess: Did you recently switch from app-misc/pax-utils[-seccomp] to app-misc/pax-utils[seccomp]? Linux profiles were recently changed to enable seccomp by default, so that may have happened through no action on your part. (In reply to Mike Gilbert from comment #2) > Just a guess: Did you recently switch from app-misc/pax-utils[-seccomp] to > app-misc/pax-utils[seccomp]? > > Linux profiles were recently changed to enable seccomp by default, so that > may have happened through no action on your part. yes, confirmed. This happens with app-misc/pax-utils[seccomp]. Can you provide your running kernel config? Created attachment 409946 [details, diff]
config.gz
kernel config
*** Bug 558414 has been marked as a duplicate of this bug. *** if you run scanelf by hand, does it work ? might be the sandbox triggering syscalls that normally scanelf itself doesn't. i might have to add a debug flag so that it'll report the actual failing syscall ... (In reply to SpanKY from comment #7) > if you run scanelf by hand, does it work ? might be the sandbox triggering > syscalls that normally scanelf itself doesn't. i might have to add a debug > flag so that it'll report the actual failing syscall ... It is failing only inside the ebuild/sanbox scope. Also adding it to src_install() makes it fail. Running it manually is fine. How do I add some debugging flags? I don't see anything in the manual. Okay, FEATURES=fakeroot is triggering this [I] sys-apps/fakeroot Available versions: 1.18.4 1.19 (~)1.20 1.20.2 {acl debug static-libs test} Installed versions: 1.20.2(16:06:31 23/10/14)(acl -debug -static-libs -test) Homepage: http://packages.qa.debian.org/f/fakeroot.html Description: A fake root environment by means of LD_PRELOAD and SysV IPC (or TCP) trickery (In reply to Justin Lecher from comment #9) > Okay, FEATURES=fakeroot is triggering this > > [I] sys-apps/fakeroot > Available versions: 1.18.4 1.19 (~)1.20 1.20.2 {acl debug static-libs > test} > Installed versions: 1.20.2(16:06:31 23/10/14)(acl -debug -static-libs > -test) > Homepage: http://packages.qa.debian.org/f/fakeroot.html > Description: A fake root environment by means of LD_PRELOAD and > SysV IPC (or TCP) trickery Unlike Justin, I can reproduce by running it manually on my SGI Octane (MIPS): # scanelf Bad system call Only odd bit is, my Octane is running MIPS n32 userland...though I thought sys_seccomp was implemented in N32. Think this is a kernel problem I need to address with upstream? For now, I'll rebuild with USE="-seccomp" as a workaround, which fixes the problem. Doubt it's needed on this class of systems anyways. (In reply to Joshua Kinard from comment #10) > > Unlike Justin, I can reproduce by running it manually on my SGI Octane > (MIPS): > > # scanelf > Bad system call > > Only odd bit is, my Octane is running MIPS n32 userland...though I thought > sys_seccomp was implemented in N32. Think this is a kernel problem I need > to address with upstream? For now, I'll rebuild with USE="-seccomp" as a > workaround, which fixes the problem. Doubt it's needed on this class of > systems anyways. Forgot the small strace output: execve("/usr/bin/scanelf", ["scanelf"], [/* 28 vars */]) = 0 brk(0) = 0x10100000 uname({sysname="Linux", nodename="<REDACTED>", ...}) = 0 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=34651, ...}) = 0 mmap(NULL, 34651, PROT_READ, MAP_PRIVATE, 3, 0) = 0x771e0000 close(3) = 0 open("/usr/lib32/libseccomp.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\0r\0\0\0\0004"..., 512) = 512 fstat(3, {st_mode=S_IFREG|0755, st_size=107688, ...}) = 0 mmap(NULL, 168416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x771b0000 mmap(0x771d0000, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10000) = 0x771d0000 close(3) = 0 open("/lib32/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\10\0\0\0\1\0\1\235\330\0\0\0004"..., 512) = 512 lseek(3, 800, SEEK_SET) = 800 read(3, "\0\0\0\4\0\0\0\20\0\0\0\1GNU\0\0\0\0\0\0\0\0\2\0\0\0\6\0\0\0 ", 32) = 32 fstat(3, {st_mode=S_IFREG|0755, st_size=1625524, ...}) = 0 mmap(NULL, 1605344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x77020000 mprotect(0x77190000, 65536, PROT_NONE) = 0 mmap(0x771a0000, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x170000) = 0x771a0000 close(3) = 0 set_thread_area(0x7723c5a0) = 0 munmap(0x771e0000, 34651) = 0 prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0 prctl(PR_SET_SECUREBITS, SECBIT_NOROOT|SECBIT_NOROOT_LOCKED|SECBIT_NO_SETUID_FIXUP|SECBIT_NO_SETUID_FIXUP_LOCKED|SECBIT_KEEP_CAPS_LOCKED) = 0 unshare(CLONE_NEWUTS|CLONE_NEWIPC) = 0 brk(0) = 0x10100000 brk(0x10130000) = 0x10130000 prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len = 44, filter = 0x10103570}) = 0 fstat(1, <unfinished ...> --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_pid=0, si_uid=1997537564} --- +++ killed by SIGSYS +++ Bad system call Created attachment 410026 [details, diff]
signal log patch
try using this patch to get a log of what syscall is failing
scanelf: seccomp violated: syscall 68 scanelf: syscall = msgget scanelf: seccomp violated: syscall 68 scanelf: syscall = msgget scanelf: seccomp violated: syscall 68 scanelf: syscall = msgget scanelf: seccomp violated: syscall 68 scanelf: syscall = msgget scanelf: seccomp violated: syscall 68 scanelf: syscall = msgget scanelf: seccomp violated: syscall 68 scanelf: syscall = msgget scanelf: seccomp violated: syscall 68 scanelf: syscall = msgget (In reply to SpanKY from comment #12) > Created attachment 410026 [details, diff] [details, diff] > signal log patch > > try using this patch to get a log of what syscall is failing Won't compile on MIPS: In file included from security.c:8:0: security.c: In function 'pax_seccomp_sigal': security.c:47:43: error: 'siginfo_t' has no member named 'si_syscall' warn("seccomp violated: syscall %i", info->si_syscall); ^ paxinc.h:113:61: note: in definition of macro 'warn' fprintf(stderr, "%s%s%s: " fmt "\n", RED, argv0, NORM , ## args) ^ security.c:50:68: error: 'siginfo_t' has no member named 'si_syscall' warn(" syscall = %s", seccomp_syscall_resolve_num_arch(arch, info->si_syscall)); ^ (In reply to Justin Lecher from comment #13) i guess fakeroot utilizes Sys V IPC. i wonder if there's a way to detect that fakeroot is active in the processes' VM space. (In reply to Joshua Kinard from comment #14) glibc is broken. clone that into a diff bug. (In reply to SpanKY from comment #15) > (In reply to Joshua Kinard from comment #14) i've moved that upstream actually: https://sourceware.org/bugzilla/show_bug.cgi?id=18863 Comment on attachment 410026 [details, diff] signal log patch i've pushed a cleaned up version of this: http://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=9d0a60f489c17e47e08aa5ec09da8d7049e402ea http://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=bcb6683c56d9646e12881a6b59bc740e6004e663 Created attachment 410172 [details, diff]
pax-utils-fakeroot.patch
try this for the fakeroot failures
(In reply to SpanKY from comment #18) > Created attachment 410172 [details, diff] [details, diff] > pax-utils-fakeroot.patch > > try this for the fakeroot failures Same problem as before. (In reply to Justin Lecher from comment #19) you still get bad syscall for msgget ? or you get a different syscall error ? please post the log. (In reply to SpanKY from comment #20) > (In reply to Justin Lecher from comment #19) > > you still get bad syscall for msgget ? or you get a different syscall error > ? please post the log. You are right: scanelf: seccomp violated: syscall 64 scanelf: syscall = semget It is another one now. (In reply to Justin Lecher from comment #21) so keep adding syscalls like in my patch until it works and then let me know which ones those were. no point in me adding one at a time in new patches. (In reply to SpanKY from comment #16) > (In reply to SpanKY from comment #15) > > (In reply to Joshua Kinard from comment #14) > > i've moved that upstream actually: > https://sourceware.org/bugzilla/show_bug.cgi?id=18863 I am assuming this upstream glibc bug is specific to the missing si_syscall bits, and not related to the fact that MIPS N32 appears to not support the SYS_SECCOMP syscall correctly. Do you want me to file a separate Gentoo bug for the MIPS case? Recompiling pax-utils with -seccomp did workaround the problem, but I suspect it's a bug that needs fixing somewhere, be it kernel or glibc. I'm updating my old O32 chroot right now, so in a few days (yes, it's that far behind), I'll re-check pax-utils on O32 to see if it is an O32 vs N32 problem. (In reply to Joshua Kinard from comment #23) yes, file a sep bug for mips/seccomp runtime failures please That's the full list for fakeroot @@ -118,6 +138,13 @@ static void pax_seccomp_init(bool allow_forking) /* Syscalls listed because of sandbox. */ SCMP_SYS(readlink), + + /* Syscalls listed because of fakeroot. */ + SCMP_SYS(msgget), + SCMP_SYS(semget), + SCMP_SYS(semop), + SCMP_SYS(msgsnd), + SCMP_SYS(msgrcv), }; int fork_syscalls[] = { SCMP_SYS(clone), (In reply to Justin Lecher from comment #25) thanks, i've whitelisted those for now: http://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=c39a557a2b53f6fea61117d9b0d90ea51a738d6b (In reply to Justin Lecher from comment #25) thanks, i've whitelisted those for now: http://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=c39a557a2b53f6fea61117d9b0d90ea51a738d6b Same here, fakeroot patch does not help. I also get scanelf scanelf: seccomp_load failed: Invalid argument * Scan ELF binaries for stuff ... when simply calling scanelf (AMD64). (In reply to Small_Penguin from comment #28) that's an unrelated issue. please file a new bug. Created new bug: https://bugs.gentoo.org/show_bug.cgi?id=558954 |