| Summary: | app-misc/pax-utils[seccomp] Since updated to glibc-2.33 estrip (scanelf) does core dump (bad system call) | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Cănărău Constantin <canarauc> |
| Component: | Current packages | Assignee: | Sergei Trofimovich (RETIRED) <slyfox> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ionen, toolchain |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 768369 | | |

Description
Cănărău Constantin
2021-02-03 06:48:42 UTC
$ strace -f scanelf -T /usr/bin/
execve("/usr/bin/scanelf", ["scanelf", "-T", "/usr/bin/"], 0x7ffff75c4010 /* 44 vars */) = 0
...
faccessat2(AT_FDCWD, "/usr/bin/", F_OK, AT_EACCESS) = ?
+++ killed by SIGSYS +++
Bad system call

Yeah, noticed it locally too. We'll need to add faccessat2 to list of allowed syscalls.

Somehow scanelf just works for me and fails only when run under emerge. I wonder why.

(In reply to Sergei Trofimovich from comment #2)
> Yeah, noticed it locally too. We'll need to add faccessat2 to list of
> allowed syscalls.
>
>
> Somehow scanelf just works for me and fails only when ran under emerge. I
> wonder why.

Oh, it happens only under sandbox.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=e2378b8c6bef5d94805444797e7fe35c07f54783

commit e2378b8c6bef5d94805444797e7fe35c07f54783
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-02-03 19:44:37 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-02-03 19:44:37 +0000

    security.c: allow faccessat2 syscall in seccomp filters

    Under glibc-2.33 sandbox uses faccessat2 to stat symlinks.

    Reported-by: Cănărău Constantin
    Bug: https://bugs.gentoo.org/768435
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

security.c | 1 +
1 file changed, 1 insertion(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=e6bcbe9913d50e55c6208171778352eee6b6d399

commit e6bcbe9913d50e55c6208171778352eee6b6d399
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-02-03 20:11:49 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-02-03 20:16:43 +0000

    Revert "security.c: allow faccessat2 syscall in seccomp filters"

    libseccomp does not yet provide faccessat2.
    I tested the commit without seccomp enabled.

    This reverts commit e2378b8c6bef5d94805444797e7fe35c07f54783.

    Bug: https://bugs.gentoo.org/768435
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

security.c | 1 -
1 file changed, 1 deletion(-)

Filed https://github.com/seccomp/libseccomp/issues/314 to add `faccessat2` to libseccomp syscall list.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=3c57b08ca0d0e276c8ae93c9e0984ad60bd2ff69

commit 3c57b08ca0d0e276c8ae93c9e0984ad60bd2ff69
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-02-03 20:40:12 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-02-03 20:40:12 +0000

    security.c: allow faccessat2 syscall in seccomp filters (take 2)

    Under glibc-2.33 sandbox uses faccessat2 to stat symlinks.

    Unfortunately libseccomp does not yet provide syscall
    definition for faccessat2. Define it locally.

    Reported-by: Cănărău Constantin
    Bug: https://bugs.gentoo.org/768435
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

security.c | 5 +++++
1 file changed, 5 insertions(+)

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33243f9ffe2824c7847062a50417762cabec508c

commit 33243f9ffe2824c7847062a50417762cabec508c
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-02-03 20:46:23 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-02-03 20:49:15 +0000

    app-misc/pax-utils: bump up to 1.2.9

    Three new fixes:
    - security.c: allow faccessat2 syscall in seccomp filters
    - scanmacho: add support for dumping UUIDs
    - {,pax}macho: add support for arm64 arch

    Reported-by: Cănărău Constantin
    Closes: https://bugs.gentoo.org/768435
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

app-misc/pax-utils/Manifest | 1 +
app-misc/pax-utils/pax-utils-1.2.9.ebuild | 78 +++++++++++++++++++++++++++++++
2 files changed, 79 insertions(+)
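
The failure mode in this bug, as an added example that is not pax-utils or libseccomp code: a default-kill seccomp allowlist built without `faccessat2` rejects the call glibc 2.33 starts making, and adding a locally defined syscall number fixes it. The allowlists are constructed samples, the helper names are hypothetical, and the fallback value 439 is the x86_64/asm-generic number (an assumption for other ABIs).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Local fallback, as in the "take 2" commit: older headers lack the number.
 * 439 is the x86_64/asm-generic value (an assumption for any other ABI). */
#ifndef __NR_faccessat2
# define __NR_faccessat2 439
#endif

/* Constructed sample allowlists, not the real list from security.c. */
#define BASE_LIST __NR_read, __NR_openat, __NR_faccessat, __NR_exit_group
static const int old_list[] = { BASE_LIST };                   /* 4 entries */
static const int new_list[] = { BASE_LIST, __NR_faccessat2 };  /* 5 entries */

/* Emit: load nr; one JEQ per allowed syscall; default KILL; then ALLOW.
 * A production filter also checks seccomp_data.arch before the number. */
static size_t build_allowlist(struct sock_filter *f, const int *allowed, size_t n)
{
    size_t len = 0;
    f[len++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++)  /* on match, jump to the final ALLOW */
        f[len++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (uint32_t)allowed[i], (uint8_t)(n - i), 0);
    f[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[len++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return len;
}

/* Interpret the three opcodes used above; return the action for syscall nr. */
static uint32_t verdict(const int *allowed, size_t n, int nr)
{
    struct sock_filter f[64];
    size_t len = build_allowlist(f, allowed, n);
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS)) acc = (uint32_t)nr;
        else if (f[pc].code == (BPF_RET | BPF_K)) return f[pc].k;
        else pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;  /* JEQ */
    }
    return SECCOMP_RET_KILL;
}
int main(void)
{
    printf("faccessat2: old list %#x, new list %#x\n",
           (unsigned)verdict(old_list, 4, __NR_faccessat2),
           (unsigned)verdict(new_list, 5, __NR_faccessat2));
    return 0;
}
```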