| Summary | app-misc/pax-utils-1.3[seccomp]: seccomp allowlist doesn't contain writev, which is used by musl |
|---|---|
| Product | Gentoo Linux |
| Reporter | 12101111 <w12101111> |
| Component | Current packages |
| Assignee | SpanKY <vapier> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | sam, toolchain |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description:

On musl:

```
> strace -k scanelf
execve("/usr/bin/scanelf", ["scanelf"], 0x7fff2b47f5e8 /* 104 vars */) = 0
 > /usr/lib/libc.so(_dlstart+0x0) [0xbb430]
 > no matching address range
arch_prctl(ARCH_SET_FS, 0x7fecfadf9c48) = 0
 > /usr/lib/libc.so(__set_thread_area+0xf) [0xb5f27]
 > /usr/lib/libc.so(__init_tp+0xb) [0x5918b]
 > /usr/lib/libc.so(__dls2b+0x71) [0xbc951]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
set_tid_address(0x7fecfadf76a8) = 1929
 > /usr/lib/libc.so(__init_tp+0x2e) [0x591ae]
 > /usr/lib/libc.so(__dls2b+0x71) [0xbc951]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
brk(NULL) = 0x560979a41000
 > /usr/lib/libc.so(__malloc_alloc_meta+0x136) [0x657f6]
 > /usr/lib/libc.so(__malloc_donate+0x80) [0x64f40]
 > /usr/lib/libc.so(reclaim_gaps+0x74) [0xbdef4]
 > /usr/lib/libc.so(__dls3+0x7a9) [0xbd149]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
brk(0x560979a43000) = 0x560979a43000
 > /usr/lib/libc.so(__malloc_alloc_meta+0x161) [0x65821]
 > /usr/lib/libc.so(__malloc_donate+0x80) [0x64f40]
 > /usr/lib/libc.so(reclaim_gaps+0x74) [0xbdef4]
 > /usr/lib/libc.so(__dls3+0x7a9) [0xbd149]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
mmap(0x560979a41000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x560979a41000
 > /usr/lib/libc.so(mmap+0x94) [0x7d514]
 > /usr/lib/libc.so(__malloc_alloc_meta+0x187) [0x65847]
 > /usr/lib/libc.so(__malloc_donate+0x80) [0x64f40]
 > /usr/lib/libc.so(reclaim_gaps+0x74) [0xbdef4]
 > /usr/lib/libc.so(__dls3+0x7a9) [0xbd149]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
mprotect(0x7fecfadf5000, 8192, PROT_READ) = 0
 > /usr/lib/libc.so(mprotect+0x25) [0x7d585]
 > /usr/lib/libc.so(reloc_all+0x191) [0xbc3f1]
 > /usr/lib/libc.so(__dls3+0xb2d) [0xbd4cd]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
mprotect(0x560978885000, 12288, PROT_READ) = 0
 > /usr/lib/libc.so(mprotect+0x25) [0x7d585]
 > /usr/lib/libc.so(reloc_all+0x191) [0xbc3f1]
 > /usr/lib/libc.so(__dls3+0xb35) [0xbd4d5]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
 > /usr/lib/libc.so(prctl+0x147) [0x5f0a7]
 > /usr/bin/scanelf(security_init+0x1a) [0xa72a]
 > /usr/bin/scanelf(main+0x11) [0xab71]
 > /usr/lib/libc.so(libc_start_main_stage2+0x28) [0x59588]
 > /usr/bin/scanelf(_start+0x15) [0x8ed5]
 > no matching address range
prctl(PR_SET_SECUREBITS, SECBIT_NOROOT|SECBIT_NOROOT_LOCKED|SECBIT_NO_SETUID_FIXUP|SECBIT_NO_SETUID_FIXUP_LOCKED|SECBIT_KEEP_CAPS_LOCKED) = -1 EPERM (Operation not permitted)
 > /usr/lib/libc.so(prctl+0x147) [0x5f0a7]
 > /usr/bin/scanelf(security_init+0x32) [0xa742]
 > /usr/bin/scanelf(main+0x11) [0xab71]
 > /usr/lib/libc.so(libc_start_main_stage2+0x28) [0x59588]
 > /usr/bin/scanelf(_start+0x15) [0x8ed5]
 > no matching address range
unshare(CLONE_NEWUTS|CLONE_NEWIPC) = -1 EPERM (Operation not permitted)
 > /usr/lib/libc.so(unshare+0xa) [0x5f6ca]
 > /usr/bin/scanelf(ns_unshare+0x9) [0xa6c9]
 > /usr/bin/scanelf(security_init+0x47) [0xa757]
 > /usr/bin/scanelf(main+0x11) [0xab71]
 > /usr/lib/libc.so(libc_start_main_stage2+0x28) [0x59588]
 > /usr/bin/scanelf(_start+0x15) [0x8ed5]
 > no matching address range
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=53, filter=0x560978876d90}) = 0
 > /usr/lib/libc.so(prctl+0x147) [0x5f0a7]
 > /usr/bin/scanelf(security_init+0x6c) [0xa77c]
 > /usr/bin/scanelf(main+0x11) [0xab71]
 > /usr/lib/libc.so(libc_start_main_stage2+0x28) [0x59588]
 > /usr/bin/scanelf(_start+0x15) [0x8ed5]
 > no matching address range
ioctl(1, TIOCGWINSZ, {ws_row=25, ws_col=119, ws_xpixel=952, ws_ypixel=500}) = 0
 > /usr/lib/libc.so(__stdout_write+0x2d) [0x9f6cd]
 > /usr/lib/libc.so(__fwritex+0xbb) [0xa1bdb]
 > /usr/lib/libc.so(printf_core+0x258) [0xa42d8]
 > /usr/lib/libc.so(vfprintf+0x114) [0xa3fd4]
 > /usr/lib/libc.so(printf+0x9c) [0xa2fbc]
 > /usr/bin/scanelf(usage+0x4b) [0xabfb]
 > /usr/bin/scanelf(main+0x49) [0xaba9]
 > /usr/lib/libc.so(libc_start_main_stage2+0x28) [0x59588]
 > /usr/bin/scanelf(_start+0x15) [0x8ed5]
 > no matching address range
writev(1, [{iov_base="", iov_len=0}, {iov_base="* Scan ELF binaries for stuff\n\n", iov_len=31}], 2) = ?
+++ killed by SIGSYS (core dumped) +++
zsh: invalid system call  strace -k scanelf
```

musl implements printf using writev, which is blocked by seccomp. This breaks estrip of portage.

Reproducible: Always

Comment:

Do you want to write a patch? I'll apply it with 'git am' and push a release out. A new syscall could be added at around https://gitweb.gentoo.org/proj/pax-utils.git/tree/seccomp-bpf.c#n107

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=9a5ca4976b17d1ef8210ca6323020d5050b4d374

commit 9a5ca4976b17d1ef8210ca6323020d5050b4d374
Author: Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2021-04-18 18:28:17 +0000
Commit: Mike Frysinger <vapier@gentoo.org>
CommitDate: 2021-04-18 18:28:17 +0000

    security: restore syscalls accidentally dropped

    The original precompile work was done against an old version of pax-utils and I forgot to resync the list before finalizing. Restore all the syscalls that were in here before.

    Bug: https://bugs.gentoo.org/783459
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 seccomp-bpf.c | 13 ++++++++++
 seccomp-bpf.h | 76 +++++++++++++++++++++++++++++------------------------------
 2 files changed, 51 insertions(+), 38 deletions(-)

The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fb10c0f8f71e70e590880ea3bac9009418e5eb5

commit 2fb10c0f8f71e70e590880ea3bac9009418e5eb5
Author: Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2021-04-18 18:32:29 +0000
Commit: Mike Frysinger <vapier@gentoo.org>
CommitDate: 2021-04-18 18:33:35 +0000

    app-misc/pax-utils: restore missing seccomp syscalls

    Closes: https://bugs.gentoo.org/783459
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 app-misc/pax-utils/Manifest | 2 +-
 app-misc/pax-utils/{pax-utils-1.3.ebuild => pax-utils-1.3.1.ebuild} | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

Comment:

> >>> Downloading 'https://dev.gentoo.org/~vapier/distfiles/pax-utils-1.3.1.tar.xz'
> --2021-04-18 22:03:38-- https://dev.gentoo.org/~vapier/distfiles/pax-utils-1.3.1.tar.xz
> Resolving dev.gentoo.org (dev.gentoo.org)... 2001:470:ea4a:1:5054:ff:fec7:86e4, 140.211.166.183
> Connecting to dev.gentoo.org (dev.gentoo.org)|2001:470:ea4a:1:5054:ff:fec7:86e4|:443... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2021-04-18 22:03:38 ERROR 404: Not Found.
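The failure in the strace above, reduced to a runnable model. This is an added example, not code from pax-utils: it builds a small kill-by-default seccomp-bpf allowlist like the one scanelf installs, runs a writev with the same iovec shape musl's stdio produced, and reports whether the child was killed with SIGSYS (writev missing from the list, as in 1.3) or exited cleanly (writev restored, as in 1.3.1). It assumes Linux on x86_64 or aarch64; the function names and the OUTCOME_* codes are mine.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
# define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define ARCH_NR AUDIT_ARCH_AARCH64
#endif /* other ABIs: add their AUDIT_ARCH_* here, otherwise ARCH_NR fails to compile */
enum { OUTCOME_OK = 0, OUTCOME_SIGSYS = 1, OUTCOME_OTHER = 2, OUTCOME_UNSUPPORTED = 3 };
/* Kill-by-default allowlist in the style of pax-utils' seccomp-bpf.c; ABI is checked first. */
static int install_allowlist(int allow_writev)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 3, 0),      /* -> ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0), /* -> ALLOW */
        /* jt=1 reaches ALLOW; jt=0 falls into KILL, i.e. the entry is missing as in 1.3 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_writev, allow_writev ? 1 : 0, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* Run one filtered writev in a child and report how the child ended. */
int probe_writev(int allow_writev)
{
    int fds[2], status; pid_t pid;
    if (pipe(fds) != 0 || (pid = fork()) < 0) return OUTCOME_OTHER;
    if (pid == 0) {  /* child: the iovec shape musl's stdio produced in the bug's strace */
        struct iovec iov[2] = { { .iov_base = "", .iov_len = 0 },
                                { .iov_base = "* Scan ELF binaries for stuff\n\n", .iov_len = 31 } };
        if (install_allowlist(allow_writev) != 0) _exit(OUTCOME_UNSUPPORTED);
        _exit(writev(fds[1], iov, 2) == 31 ? OUTCOME_OK : OUTCOME_OTHER); /* SIGSYS here if missing */
    }
    close(fds[0]); close(fds[1]);
    if (waitpid(pid, &status, 0) != pid) return OUTCOME_OTHER;
    if (WIFSIGNALED(status)) return WTERMSIG(status) == SIGSYS ? OUTCOME_SIGSYS : OUTCOME_OTHER;
    return WIFEXITED(status) ? WEXITSTATUS(status) : OUTCOME_OTHER;
}
```

OUTCOME_UNSUPPORTED is returned when the kernel or sandbox refuses to install the filter, so the probe can be told apart from a genuine SIGSYS.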