32 lines
1.4 KiB
Diff
32 lines
1.4 KiB
Diff
Older seccomp-based filters used in container frameworks will block faccessat2
|
|
calls as it's a relatively new syscall. This isn't a big problem with
|
|
glibc <2.33 but 2.33 will call faccessat2 itself, get EPERM, and thenn be confused
|
|
about what to do as EPERM isn't an expected error code.
|
|
|
|
This manifests itself as mysterious errors, for example a kernel failing to link.
|
|
|
|
The root cause of bad seccomp filters is mostly fixed (systemd 247, Docker 20.10.0)
|
|
but we can't expect everyone to upgrade, so add a workaound (originally from
|
|
Red Hat) to handle EPERM like ENOSYS and fallback to faccessat().
|
|
|
|
Upstream-Status: Inappropriate
|
|
Signed-off-by: Ross Burton <ross.burton@arm.com>
|
|
|
|
diff --git a/sysdeps/unix/sysv/linux/faccessat.c b/sysdeps/unix/sysv/linux/faccessat.c
|
|
index 56cb6dcc8b4d58d3..5de75032bbc93a2c 100644
|
|
--- a/sysdeps/unix/sysv/linux/faccessat.c
|
|
+++ b/sysdeps/unix/sysv/linux/faccessat.c
|
|
@@ -34,7 +34,11 @@ faccessat (int fd, const char *file, int mode, int flag)
|
|
#if __ASSUME_FACCESSAT2
|
|
return ret;
|
|
#else
|
|
- if (ret == 0 || errno != ENOSYS)
|
|
+ /* Fedora-specific workaround:
|
|
+ As a workround for a broken systemd-nspawn that returns
|
|
+ EPERM when a syscall is not allowed instead of ENOSYS
|
|
+ we must check for EPERM here and fall back to faccessat. */
|
|
+ if (ret == 0 || !(errno == ENOSYS || errno == EPERM))
|
|
return ret;
|
|
|
|
if (flag & ~(AT_SYMLINK_NOFOLLOW | AT_EACCESS))
|