Bug 771096 - sys-apps/file-5.39-r4: stabilisation (was: sys-apps/file-5.39-r3: Invalid system call error (futex) with USE="seccomp -lzma")
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization (show other bugs)
Hardware: All
OS: Linux
Importance: Normal (priority), normal (severity)
Assignee: Gentoo's Team for Core System packages
URL: https://bugs.astron.com/view.php?id=241
Whiteboard:
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2021-02-17 14:30 UTC by Ivo Šmerek
Modified: 2021-04-04 05:55 UTC
CC: 3 users

See Also:
Package list:
sys-apps/file-5.39-r4
Runtime testing required: ---
nattka: sanity-check+


Attachments
emerge --info output (emerge-info.txt, 7.69 KB, text/plain), 2021-02-17 14:51 UTC, Ivo Šmerek
strace output (strace-output.txt, 15.18 KB, text/plain), 2021-02-17 14:51 UTC, Ivo Šmerek

Description Ivo Šmerek 2021-02-17 14:30:52 UTC
When I emerge sys-apps/file with USE="seccomp", I always get an invalid system call error when executing `file` command as a regular user.

The only way to avoid this error is to run the command as root or emerge sys-apps/file with USE="seccomp lzma"

strace output: https://pastebin.com/ZWJJbY09
emerge --info: https://pastebin.com/EvTDY5ue
Comment 1 Ivo Šmerek 2021-02-17 14:51:03 UTC
Created attachment 687285: emerge --info output
Comment 2 Ivo Šmerek 2021-02-17 14:51:33 UTC
Created attachment 687288: strace output
Comment 3 Sam James archtester gentoo-dev Security 2021-02-17 15:00:54 UTC
Note that upstream allow futex() [0] when XZLIBSUPPORT is defined (i.e. lzma support):
>#ifdef XZLIBSUPPORT
>	ALLOW_RULE(futex);
>#endif

We probably need upstream to tell us whether futex is expected in general use, but it's not exactly a controversial syscall. It's easy for us to add it to the general whitelist for now.

[0] https://github.com/file/file/blob/ec05878d72180287d84397819c5e3e127551ce46/src/seccomp.c#L179
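The following is an added example, not code from this bug report or from the `file` project: a minimal kill-by-default seccomp-bpf whitelist of the same shape as the upstream filter quoted above, written with raw BPF instructions instead of upstream's libseccomp-based ALLOW_RULE macros. A forked child installs the filter and then issues futex(); when futex is left out of the whitelist the kernel delivers SIGSYS, which the shell reports as "Bad system call", the symptom in this bug. The function names `install_whitelist` and `futex_probe` and the 32-entry limit are this example's own choices; it is Linux-only and uses the build host's syscall numbers and AUDIT_ARCH constant.

```c
/*
 * Added example: a kill-by-default seccomp whitelist and a probe that
 * shows what happens when a syscall the program needs is missing from
 * it.  Not from the `file` project; raw BPF is used instead of libseccomp.
 */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/futex.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define PROBE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define PROBE_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define PROBE_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#define MAX_ALLOWED 32   /* example limit; jump offsets must fit in a byte anyway */

/*
 * Install a filter that allows only the syscall numbers in `allowed` and
 * kills the calling thread on anything else.  The child below is
 * single-threaded, so SECCOMP_RET_KILL ends the whole process with SIGSYS.
 * Returns 0 on success, -1 if the kernel refused the filter.
 */
static int install_whitelist(const int *allowed, size_t n)
{
    struct sock_filter insns[4 + MAX_ALLOWED + 2];
    size_t k = 0;

    if (n > MAX_ALLOWED)
        return -1;

    /* Never interpret syscall numbers of a foreign ABI (e.g. 32-bit on x86_64). */
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, arch));
    insns[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PROBE_ARCH, 1, 0);
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);

    /* Load the syscall number, then one JEQ per whitelisted entry. */
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        /* On match, skip the remaining JEQs and the KILL and land on ALLOW. */
        insns[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (unsigned)allowed[i],
                                                  (unsigned char)(n - i), 0);
    }
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    insns[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog prog = { .len = (unsigned short)k, .filter = insns };

    /* Unprivileged processes may only install a filter after giving up new privileges. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/*
 * Fork a child that installs the whitelist and then calls futex().
 * Returns 1 if the child was killed by SIGSYS ("Bad system call"),
 * 0 if it ran to completion, -1 on error (fork failed or filter refused).
 */
int futex_probe(int allow_futex)
{
    int allowed[2];
    size_t n = 0;
    allowed[n++] = SYS_exit_group;      /* _exit() needs this or it too would be killed */
    if (allow_futex)
        allowed[n++] = SYS_futex;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_whitelist(allowed, n) != 0)
            _exit(2);
        unsigned int word = 0;
        /* FUTEX_WAKE with no waiters returns at once; the point is that the syscall is issued. */
        syscall(SYS_futex, &word, FUTEX_WAKE, 1, NULL, NULL, 0);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    printf("futex whitelisted:     %s\n",
           futex_probe(1) == 0 ? "child ran cleanly" : "child killed by SIGSYS");
    printf("futex not whitelisted: %s\n",
           futex_probe(0) == 1 ? "child killed by SIGSYS (Bad system call)" : "child ran cleanly");
    return 0;
}
```

The filter only sees syscall numbers, so which numbers actually reach it depends on the code paths the libc and linked libraries take at run time, not on which features were compiled in; a whitelist derived from one build configuration can therefore be too narrow for another. While tuning such a list, SECCOMP_RET_TRAP in place of SECCOMP_RET_KILL turns the violation into a catchable SIGSYS whose siginfo carries the offending syscall number, which is the same information strace prints for a seccomp kill.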
Comment 4 Jaakko Perttilä 2021-02-17 18:04:31 UTC
Here the command with the -z parameter fails (also as root) with the seccomp use flag: "file -L -z ebook.epub"
ebook.epub: Bad system call

Seems to work otherwise.

sys-apps/file-5.39-r3 (bzip2 seccomp zlib -lzma -python -static-libs ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="32 64 -x32" PYTHON_TARGETS="python3_8 -python3_7 -python3_9")

Building with USE="-seccomp" fixes the issue with -z parameter. The -z is used by default by app-misc/mc.
Comment 5 Sam James archtester gentoo-dev Security 2021-02-17 18:10:14 UTC
(In reply to Jaakko Perttilä from comment #4)
> Here the command with the -z parameter fails (also as root) with the seccomp
> use flag: "file -L -z ebook.epub"
> ebook.epub: Bad system call
> 
> Seems to work otherwise.
> 
> sys-apps/file-5.39-r3 (bzip2 seccomp zlib -lzma -python -static-libs
> ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="32 64 -x32"
> PYTHON_TARGETS="python3_8 -python3_7 -python3_9")
> 
> Building with USE="-seccomp" fixes the issue with -z parameter. The -z is
> used by default by app-misc/mc.

We'll need strace from you too on that command:
strace file -L -z ebook.epub.

It is possible we will need a separat
Comment 6 Sam James archtester gentoo-dev Security 2021-03-02 05:03:36 UTC
Reported upstream. Will apply workaround in Gentoo soon.
Comment 7 Larry the Git Cow gentoo-dev 2021-03-11 16:46:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b30e5f884f0602a68780d2c4d9c3ebe9e418a5c

commit 5b30e5f884f0602a68780d2c4d9c3ebe9e418a5c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-03-11 16:45:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-03-11 16:46:41 +0000

    sys-apps/file: allow futex() syscall unconditionally
    
    In some cases, the futex() syscall is emitted even
    if lzma support is not compiled in. Allow it
    unconditionally for now.
    
    Bug: https://bugs.gentoo.org/771096
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/file/file-5.39-r4.ebuild                  | 147 +++++++++++++++++++++
 .../file/files/file-5.39-allow-futex-seccomp.patch |  18 +++
 2 files changed, 165 insertions(+)
Comment 8 Ivo Šmerek 2021-03-12 10:10:47 UTC
r4 seems to work without a problem for me.
Comment 9 Sam James archtester gentoo-dev Security 2021-03-16 22:32:54 UTC
x86 done
Comment 10 Sam James archtester gentoo-dev Security 2021-03-16 22:33:29 UTC
amd64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-03-17 09:00:17 UTC
sparc done
Comment 12 Sam James archtester gentoo-dev Security 2021-03-17 09:00:48 UTC
ppc64 done
Comment 13 Sam James archtester gentoo-dev Security 2021-03-17 09:00:52 UTC
ppc done
Comment 14 Rolf Eike Beer archtester 2021-03-18 19:01:18 UTC
hppa stable
Comment 15 Sam James archtester gentoo-dev Security 2021-03-19 08:55:57 UTC
arm64 done
Comment 16 Agostino Sarubbo gentoo-dev 2021-03-26 12:01:47 UTC
s390 stable
Comment 17 Sam James archtester gentoo-dev Security 2021-03-27 16:05:19 UTC
arm done

all arches done
Comment 18 Sam James archtester gentoo-dev Security 2021-04-04 05:55:15 UTC
*** Bug 779940 has been marked as a duplicate of this bug. ***