
Bug#1004533: bullseye-pu: package golang-github-opencontainers-specs/1.0.2.41.g7413a7f-1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: siretart@tauware.de

[ Reason ]
podman (produced by src:libpod) allows users to run Docker-compatible
container images. Because of recent changes in syscall wrappers, the version
of podman in bullseye will not be able to run container images that ship
glibc 2.34, which is currently in experimental and present in recent versions
of Ubuntu and Fedora.

[ Impact ]
Without these patches, containers will crash at least on arm (cf. #994451) and
amd64 at runtime.

[ Tests ]
The changes have been verified with manual testing.

[ Risks ]
I've attempted to keep the changes as minimal as possible.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

There are three packages that need updating in order:

diff --git a/debian/changelog b/debian/changelog
index f644f7e..d06dbd5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+golang-github-opencontainers-specs (1.0.2.41.g7413a7f-1+deb11u1) bullseye; urgency=medium
+
+  * Backport seccomp patches from upstream to allow execution of newer
+    syscalls, Closes: #994451
+
+ -- Reinhard Tartler <siretart@tauware.de>  Mon, 27 Sep 2021 12:12:47 -0400
+
 golang-github-opencontainers-specs (1.0.2.41.g7413a7f-1) unstable; urgency=medium

   * Team upload.
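Review bot: the changelog entry does not describe what this upload actually changes. The only patch adds a `defaultErrnoRet` field to the LinuxSeccomp type (plus schema and documentation); nothing in this package allows any syscall. Say so, e.g. "Backport upstream patch adding LinuxSeccomp.DefaultErrnoRet, needed by golang-github-containers-common", since anyone reading the stable changelog later will look for a seccomp policy change that is not here. Minor: "syscalls, Closes: #994451" uses a comma where the other two uploads in this report use a full stop.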
diff --git a/debian/patches/override-default-errno-code.patch b/debian/patches/override-default-errno-code.patch
new file mode 100644
index 0000000..de4f589
--- /dev/null
+++ b/debian/patches/override-default-errno-code.patch
@@ -0,0 +1,66 @@
+From f7ef278d1bbaa6f97b8ef511fad478a31e953290 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Thu, 21 Jan 2021 13:20:57 +0100
+Subject: [PATCH] seccomp: allow to override default errno return code
+
+the specs already support overriding the errno code for the syscalls
+but the default value is hardcoded to EPERM.
+
+Add a new attribute to override the default value.
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ config-linux.md          | 4 ++++
+ schema/config-linux.json | 3 +++
+ specs-go/config.go       | 9 +++++----
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/config-linux.md b/config-linux.md
+index 3c9d77f5..9a515fbf 100644
+--- a/config-linux.md
++++ b/config-linux.md
+@@ -594,6 +594,10 @@ The actions, architectures, and operators are strings that match the definitions
+ The following parameters can be specified to set up seccomp:
+
+ * **`defaultAction`** *(string, REQUIRED)* - the default action for seccomp. Allowed values are the same as `syscalls[].action`.
++* **`defaultErrnoRet`** *(uint, OPTIONAL)* - the errno return code to use.
++    Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno code to return.
++    When the action doesn't support an errno, the runtime MUST print and error and fail.
++    If not specified then its default value is `EPERM`.
+ * **`architectures`** *(array of strings, OPTIONAL)* - the architecture used for system calls.
+     A valid list of constants as of libseccomp v2.5.0 is shown below.
+
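Review bot: the added documentation line "the runtime MUST print and error and fail" is an upstream typo for "an error"; a verbatim backport can carry it, but since the contract it states matters (a defaultErrnoRet combined with an action that cannot carry an errno is a hard failure, not a silent ignore), it is worth knowing when reading runtime errors later.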
+diff --git a/schema/config-linux.json b/schema/config-linux.json
+index 83478cc9..61468b9c 100644
+--- a/schema/config-linux.json
++++ b/schema/config-linux.json
+@@ -203,6 +203,9 @@
+                     "defaultAction": {
+                         "$ref": "defs-linux.json#/definitions/SeccompAction"
+                     },
++                    "defaultErrnoRet": {
++                        "$ref": "defs.json#/definitions/uint32"
++                    },
+                     "flags": {
+                         "type": "array",
+                         "items": {
+diff --git a/specs-go/config.go b/specs-go/config.go
+index 40955144..16eac6dd 100644
+--- a/specs-go/config.go
++++ b/specs-go/config.go
+@@ -598,10 +598,11 @@ type VMImage struct {
+
+ // LinuxSeccomp represents syscall restrictions
+ type LinuxSeccomp struct {
+-	DefaultAction LinuxSeccompAction `json:"defaultAction"`
+-	Architectures []Arch             `json:"architectures,omitempty"`
+-	Flags         []LinuxSeccompFlag `json:"flags,omitempty"`
+-	Syscalls      []LinuxSyscall     `json:"syscalls,omitempty"`
++	DefaultAction   LinuxSeccompAction `json:"defaultAction"`
++	DefaultErrnoRet *uint              `json:"defaultErrnoRet,omitempty"`
++	Architectures   []Arch             `json:"architectures,omitempty"`
++	Flags           []LinuxSeccompFlag `json:"flags,omitempty"`
++	Syscalls        []LinuxSyscall     `json:"syscalls,omitempty"`
+ }
+
+ // Arch used for additional architectures
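Review bot: the field is a *uint with omitempty, so "unset" and "explicitly 0" are distinguishable, and only the former falls back to EPERM per the doc text in the first hunk. A value of 0 is therefore a representable configuration that makes every default-denied syscall appear to succeed (SCMP_ACT_ERRNO with return code 0 returns 0 to the caller), and neither this hunk nor the schema hunk (a bare uint32 reference) rejects it; whatever consumes this field should validate 0 explicitly. Also, the doc calls the type uint, the schema uint32 and the Go field is platform-width uint; harmless for errno values, but worth aligning.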
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..cd75fd3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+override-default-errno-code.patch


Next, the package golang-github-containers-common needs to be updated with
some policies to recognize the new syscalls:

diff --git a/debian/changelog b/debian/changelog
index a44c701e..2520a025 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+golang-github-containers-common (0.33.4+ds1-1+deb11u1) bullseye; urgency=medium
+
+  * Backport seccomp patches from upstream to allow execution of newer
+    syscalls. Closes: #994451
+
+ -- Reinhard Tartler <siretart@tauware.de>  Sun, 26 Sep 2021 18:29:08 -0400
+
 golang-github-containers-common (0.33.4+ds1-1) unstable; urgency=medium

   * New upstream point release, only focused changes for podman 3.0
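Review bot: the entry undersells a user-visible behaviour change. Besides allowing clone3, rseq, pkey_* and the mempolicy calls, seccomp-fixup.patch switches the result for every syscall not named in the profile from EPERM to ENOSYS (defaultErrnoRet), which is what makes glibc 2.34 fall back to older syscalls. Spell that out here, and mention that the explicit EPERM list (kexec_load, userfaultfd, vm86, swapon, ...) is kept so those still fail with EPERM rather than ENOSYS.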
diff --git a/debian/control b/debian/control
index 8277c714..bfaffc6f 100644
--- a/debian/control
+++ b/debian/control
@@ -15,6 +15,7 @@ Build-Depends: debhelper-compat (= 12),
                golang-github-onsi-ginkgo-dev,
                golang-github-opencontainers-runc-dev (>> 1.0.0~rc92),
                golang-github-opencontainers-selinux-dev (>> 1.8.0),
+               golang-github-opencontainers-specs-dev (>= 1.0.2.41.g7413a7f-1+deb11u1),
                golang-github-pkg-errors-dev,
                golang-github-stretchr-testify-dev,
                golang-gocapability-dev,
@@ -47,6 +48,7 @@ Depends: golang-github-containers-image-dev (>> 5.10~~),
          golang-github-onsi-ginkgo-dev,
          golang-github-opencontainers-runc-dev (>> 1.0.0~rc92),
          golang-github-opencontainers-selinux-dev (>> 1.8.0),
+         golang-github-opencontainers-specs-dev (>= 1.0.2.41.g7413a7f-1deb11u1),
          golang-github-pkg-errors-dev,
          golang-github-stretchr-testify-dev,
          golang-gocapability-dev,
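Review bot: the version in this Depends line is missing the "+" before deb11u1 ("1.0.2.41.g7413a7f-1deb11u1"), whereas the Build-Depends hunk above has "1.0.2.41.g7413a7f-1+deb11u1". In dpkg version ordering letters sort before "+", so 1deb11u1 compares lower than 1+deb11u1 and the relation is still satisfied by the new specs package while rejecting plain -1, so it works by accident; still, make both lines identical so the intent is obvious and a later revision does not silently change the meaning.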
diff --git a/debian/patches/08bbb0dfae71da36afd3be1ca104701e6cfa4406.patch b/debian/patches/08bbb0dfae71da36afd3be1ca104701e6cfa4406.patch
new file mode 100644
index 00000000..6a6972c3
--- /dev/null
+++ b/debian/patches/08bbb0dfae71da36afd3be1ca104701e6cfa4406.patch
@@ -0,0 +1,47 @@
+From 08bbb0dfae71da36afd3be1ca104701e6cfa4406 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Wed, 16 Jun 2021 12:17:23 +0200
+Subject: [PATCH] seccomp: allow rseq
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ pkg/seccomp/default_linux.go | 2 +-
+ pkg/seccomp/seccomp.json     | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/pkg/seccomp/default_linux.go
++++ b/pkg/seccomp/default_linux.go
+@@ -69,7 +69,6 @@
+ 				"pciconfig_iobase",
+ 				"pciconfig_read",
+ 				"pciconfig_write",
+-				"rseq",
+ 				"sgetmask",
+ 				"ssetmask",
+ 				"swapcontext",
+@@ -313,6 +312,7 @@
+ 				"renameat2",
+ 				"restart_syscall",
+ 				"rmdir",
++				"rseq",
+ 				"rt_sigaction",
+ 				"rt_sigpending",
+ 				"rt_sigprocmask",
+--- a/pkg/seccomp/seccomp.json
++++ b/pkg/seccomp/seccomp.json
+@@ -70,7 +70,6 @@
+ 				"pciconfig_iobase",
+ 				"pciconfig_read",
+ 				"pciconfig_write",
+-				"rseq",
+ 				"sgetmask",
+ 				"ssetmask",
+ 				"swapcontext",
+@@ -316,6 +315,7 @@
+ 				"renameat2",
+ 				"restart_syscall",
+ 				"rmdir",
++				"rseq",
+ 				"rt_sigaction",
+ 				"rt_sigpending",
+ 				"rt_sigprocmask",
diff --git a/debian/patches/0f242ca74bd16175bc55013ed457c88137bec0cf.patch b/debian/patches/0f242ca74bd16175bc55013ed457c88137bec0cf.patch
new file mode 100644
index 00000000..5708a4c2
--- /dev/null
+++ b/debian/patches/0f242ca74bd16175bc55013ed457c88137bec0cf.patch
@@ -0,0 +1,31 @@
+From 0f242ca74bd16175bc55013ed457c88137bec0cf Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Wed, 16 Jun 2021 12:18:01 +0200
+Subject: [PATCH] seccomp: let membarrier fail with ENOSYS
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ pkg/seccomp/default_linux.go | 1 -
+ pkg/seccomp/seccomp.json     | 1 -
+ 2 files changed, 2 deletions(-)
+
+--- a/pkg/seccomp/default_linux.go
++++ b/pkg/seccomp/default_linux.go
+@@ -56,7 +56,6 @@
+ 				"io_pgetevents",
+ 				"kexec_file_load",
+ 				"kexec_load",
+-				"membarrier",
+ 				"migrate_pages",
+ 				"move_pages",
+ 				"nfsservctl",
+--- a/pkg/seccomp/seccomp.json
++++ b/pkg/seccomp/seccomp.json
+@@ -57,7 +57,6 @@
+ 				"io_pgetevents",
+ 				"kexec_file_load",
+ 				"kexec_load",
+-				"membarrier",
+ 				"migrate_pages",
+ 				"move_pages",
+ 				"nfsservctl",
diff --git a/debian/patches/399bd59e0d0d3e3845d59a7fe197d08371b061b0.patch b/debian/patches/399bd59e0d0d3e3845d59a7fe197d08371b061b0.patch
new file mode 100644
index 00000000..5ca195c2
--- /dev/null
+++ b/debian/patches/399bd59e0d0d3e3845d59a7fe197d08371b061b0.patch
@@ -0,0 +1,35 @@
+From 399bd59e0d0d3e3845d59a7fe197d08371b061b0 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Wed, 16 Jun 2021 12:15:02 +0200
+Subject: [PATCH] seccomp: let io_uring_* fail with ENOSYS
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ pkg/seccomp/default_linux.go | 3 ---
+ pkg/seccomp/seccomp.json     | 3 ---
+ 2 files changed, 6 deletions(-)
+
+--- a/pkg/seccomp/default_linux.go
++++ b/pkg/seccomp/default_linux.go
+@@ -54,9 +54,6 @@
+ 			Names: []string{
+ 				"bdflush",
+ 				"io_pgetevents",
+-				"io_uring_enter",
+-				"io_uring_register",
+-				"io_uring_setup",
+ 				"kexec_file_load",
+ 				"kexec_load",
+ 				"membarrier",
+--- a/pkg/seccomp/seccomp.json
++++ b/pkg/seccomp/seccomp.json
+@@ -55,9 +55,6 @@
+ 			"names": [
+ 				"bdflush",
+ 				"io_pgetevents",
+-				"io_uring_enter",
+-				"io_uring_register",
+-				"io_uring_setup",
+ 				"kexec_file_load",
+ 				"kexec_load",
+ 				"membarrier",
diff --git a/debian/patches/4d1476ba87c2d73c7e83d56cabbd9181e34c589f.patch b/debian/patches/4d1476ba87c2d73c7e83d56cabbd9181e34c589f.patch
new file mode 100644
index 00000000..5b8f06e0
--- /dev/null
+++ b/debian/patches/4d1476ba87c2d73c7e83d56cabbd9181e34c589f.patch
@@ -0,0 +1,55 @@
+From 4d1476ba87c2d73c7e83d56cabbd9181e34c589f Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Wed, 16 Jun 2021 12:16:41 +0200
+Subject: [PATCH] seccomp: allow pkey_*
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ pkg/seccomp/default_linux.go | 6 +++---
+ pkg/seccomp/seccomp.json     | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/pkg/seccomp/default_linux.go
++++ b/pkg/seccomp/default_linux.go
+@@ -69,9 +69,6 @@
+ 				"pciconfig_iobase",
+ 				"pciconfig_read",
+ 				"pciconfig_write",
+-				"pkey_alloc",
+-				"pkey_free",
+-				"pkey_mprotect",
+ 				"rseq",
+ 				"sgetmask",
+ 				"ssetmask",
+@@ -282,6 +279,9 @@
+ 				"pipe",
+ 				"pipe2",
+ 				"pivot_root",
++				"pkey_alloc",
++				"pkey_free",
++				"pkey_mprotect",
+ 				"poll",
+ 				"ppoll",
+ 				"ppoll_time64",
+--- a/pkg/seccomp/seccomp.json
++++ b/pkg/seccomp/seccomp.json
+@@ -70,9 +70,6 @@
+ 				"pciconfig_iobase",
+ 				"pciconfig_read",
+ 				"pciconfig_write",
+-				"pkey_alloc",
+-				"pkey_free",
+-				"pkey_mprotect",
+ 				"rseq",
+ 				"sgetmask",
+ 				"ssetmask",
+@@ -285,6 +282,9 @@
+ 				"pipe",
+ 				"pipe2",
+ 				"pivot_root",
++				"pkey_alloc",
++				"pkey_free",
++				"pkey_mprotect",
+ 				"poll",
+ 				"ppoll",
+ 				"ppoll_time64",
diff --git a/debian/patches/689e5b074454da5228bb05604f89b7a876baa8fe.patch b/debian/patches/689e5b074454da5228bb05604f89b7a876baa8fe.patch
new file mode 100644
index 00000000..db76c799
--- /dev/null
+++ b/debian/patches/689e5b074454da5228bb05604f89b7a876baa8fe.patch
@@ -0,0 +1,63 @@
+From 689e5b074454da5228bb05604f89b7a876baa8fe Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Wed, 16 Jun 2021 13:17:26 +0200
+Subject: [PATCH] seccomp: always allow get_mempolicy, set_mempolicy, mbind
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ pkg/seccomp/default_linux.go | 28 +++-------------------------
+ pkg/seccomp/seccomp.json     | 36 +++---------------------------------
+ 2 files changed, 6 insertions(+), 58 deletions(-)
+
+--- a/pkg/seccomp/default_linux.go
++++ b/pkg/seccomp/default_linux.go
+@@ -184,6 +184,7 @@
+ 				"getgroups",
+ 				"getgroups32",
+ 				"getitimer",
++				"get_mempolicy",
+ 				"getpeername",
+ 				"getpgid",
+ 				"getpgrp",
+@@ -234,6 +235,7 @@
+ 				"lstat",
+ 				"lstat64",
+ 				"madvise",
++				"mbind",
+ 				"memfd_create",
+ 				"mincore",
+ 				"mkdir",
+@@ -345,6 +347,7 @@
+ 				"sendmsg",
+ 				"sendto",
+ 				"setns",
++				"set_mempolicy",
+ 				"set_robust_list",
+ 				"set_thread_area",
+ 				"set_tid_address",
+--- a/pkg/seccomp/seccomp.json
++++ b/pkg/seccomp/seccomp.json
+@@ -188,6 +188,7 @@
+ 				"getgroups",
+ 				"getgroups32",
+ 				"getitimer",
++				"get_mempolicy",
+ 				"getpeername",
+ 				"getpgid",
+ 				"getpgrp",
+@@ -237,6 +238,7 @@
+ 				"lstat",
+ 				"lstat64",
+ 				"madvise",
++				"mbind",
+ 				"memfd_create",
+ 				"mincore",
+ 				"mkdir",
+@@ -348,6 +350,7 @@
+ 				"sendmsg",
+ 				"sendto",
+ 				"setns",
++				"set_mempolicy",
+ 				"set_robust_list",
+ 				"set_thread_area",
+ 				"set_tid_address",
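Review bot: this patch's diffstat says "6 insertions(+), 58 deletions(-)", but the hunks only add three names to the unconditional allow list and delete nothing, so either the diffstat is stale or the upstream deletions were dropped when the patch was regenerated; say which in the patch header. With only the additions, get_mempolicy, mbind and set_mempolicy also stay in the CAP_SYS_NICE-conditioned blocks that seccomp-fixup.patch sets up (the SCMP_ACT_ALLOW block that already lists get_mempolicy and mbind, and the new SCMP_ACT_ERRNO block excluded when CAP_SYS_NICE is held), so a container without CAP_SYS_NICE ends up with both an ALLOW and an ERRNO rule for the same three syscalls. Please confirm which rule the runtime applies in that case, or drop them from the conditional blocks as well.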
diff --git a/debian/patches/78ac839f6d4dd0cf6dd44a67201e16ee3e890c1d.patch b/debian/patches/78ac839f6d4dd0cf6dd44a67201e16ee3e890c1d.patch
new file mode 100644
index 00000000..fc14874d
--- /dev/null
+++ b/debian/patches/78ac839f6d4dd0cf6dd44a67201e16ee3e890c1d.patch
@@ -0,0 +1,47 @@
+From 78ac839f6d4dd0cf6dd44a67201e16ee3e890c1d Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Wed, 16 Jun 2021 12:14:26 +0200
+Subject: [PATCH] seccomp: allow clone3
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ pkg/seccomp/default_linux.go | 2 +-
+ pkg/seccomp/seccomp.json     | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/pkg/seccomp/default_linux.go
++++ b/pkg/seccomp/default_linux.go
+@@ -53,7 +53,6 @@
+ 		{
+ 			Names: []string{
+ 				"bdflush",
+-				"clone3",
+ 				"io_pgetevents",
+ 				"io_uring_enter",
+ 				"io_uring_register",
+@@ -120,6 +119,7 @@
+ 				"clock_nanosleep",
+ 				"clock_nanosleep_time64",
+ 				"clone",
++				"clone3",
+ 				"close",
+ 				"close_range",
+ 				"connect",
+--- a/pkg/seccomp/seccomp.json
++++ b/pkg/seccomp/seccomp.json
+@@ -54,7 +54,6 @@
+ 		{
+ 			"names": [
+ 				"bdflush",
+-				"clone3",
+ 				"io_pgetevents",
+ 				"io_uring_enter",
+ 				"io_uring_register",
+@@ -124,6 +123,7 @@
+ 				"clock_nanosleep",
+ 				"clock_nanosleep_time64",
+ 				"clone",
++				"clone3",
+ 				"close",
+ 				"close_range",
+ 				"connect",
diff --git a/debian/patches/9d294ad50d6f12e2e34432d8f213937c2bee739b.patch b/debian/patches/9d294ad50d6f12e2e34432d8f213937c2bee739b.patch
new file mode 100644
index 00000000..89fd0a84
--- /dev/null
+++ b/debian/patches/9d294ad50d6f12e2e34432d8f213937c2bee739b.patch
@@ -0,0 +1,34 @@
+From 9d294ad50d6f12e2e34432d8f213937c2bee739b Mon Sep 17 00:00:00 2001
+From: Daniel J Walsh <dwalsh@redhat.com>
+Date: Tue, 6 Apr 2021 16:44:42 -0400
+Subject: [PATCH] Add setns to default seccomp.json
+
+In order to run containers within containers via podman
+and do a podman exec, we need to allow setns syscalls.
+
+Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
+---
+ pkg/seccomp/default_linux.go | 1 +
+ pkg/seccomp/seccomp.json     | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/pkg/seccomp/default_linux.go
++++ b/pkg/seccomp/default_linux.go
+@@ -348,6 +348,7 @@
+ 				"sendmmsg",
+ 				"sendmsg",
+ 				"sendto",
++				"setns",
+ 				"set_robust_list",
+ 				"set_thread_area",
+ 				"set_tid_address",
+--- a/pkg/seccomp/seccomp.json
++++ b/pkg/seccomp/seccomp.json
+@@ -351,6 +351,7 @@
+ 				"sendmmsg",
+ 				"sendmsg",
+ 				"sendto",
++				"setns",
+ 				"set_robust_list",
+ 				"set_thread_area",
+ 				"set_tid_address",
diff --git a/debian/patches/seccomp-fixup.patch b/debian/patches/seccomp-fixup.patch
new file mode 100644
index 00000000..d36b6861
--- /dev/null
+++ b/debian/patches/seccomp-fixup.patch
@@ -0,0 +1,652 @@
+From adee333df76c02d99c740cf82cdf6074cade49b9 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 24 May 2021 12:33:14 +0200
+Subject: [PATCH 1/2] seccomp: add support for defaultErrnoRet
+
+Add support to specify the default errno return value.
+
+The OCI runtime specs already have support for it, and both crun (>=
+0.19) and runc (>= 1.0-rc95) have support for it.
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+---
+ pkg/seccomp/conversion.go    | 1 +
+ pkg/seccomp/filter.go        | 2 +-
+ pkg/seccomp/seccomp_linux.go | 1 +
+ pkg/seccomp/types.go         | 3 ++-
+ 4 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/pkg/seccomp/conversion.go
++++ b/pkg/seccomp/conversion.go
+@@ -118,6 +118,7 @@
+ 		return nil, errors.Wrap(err, "convert default action")
+ 	}
+ 	res.DefaultAction = newDefaultAction
++	res.DefaultErrnoRet = spec.DefaultErrnoRet
+
+ 	// Loop through all syscall blocks and convert them to the internal format
+ 	for _, call := range spec.Syscalls {
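Review bot: the header of seccomp-fixup.patch does not match its contents. The Subject says "[PATCH 1/2] seccomp: add support for defaultErrnoRet" and the diffstat lists four files, but the file also rewrites pkg/seccomp/default_linux.go and pkg/seccomp/seccomp.json (the explicit EPERM list, the CAP_*-excluded ERRNO blocks, readdir, and DefaultErrnoRet = ENOSYS), which is presumably the missing 2/2. Give the file a DEP-3 header that names both upstream commits (Origin: lines) and states that they were squashed; otherwise nobody maintaining this in stable can tell where the second half came from. The hunk itself is fine: it copies the pointer straight from the spec, so an unset value stays nil.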
+--- a/pkg/seccomp/filter.go
++++ b/pkg/seccomp/filter.go
+@@ -41,7 +41,7 @@
+ 		return nil, errors.Wrap(err, "convert spec to seccomp profile")
+ 	}
+
+-	defaultAction, err := toAction(profile.DefaultAction, nil)
++	defaultAction, err := toAction(profile.DefaultAction, profile.DefaultErrnoRet)
+ 	if err != nil {
+ 		return nil, errors.Wrapf(err, "convert default action %s", profile.DefaultAction)
+ 	}
+--- a/pkg/seccomp/seccomp_linux.go
++++ b/pkg/seccomp/seccomp_linux.go
+@@ -111,6 +111,7 @@
+ 	}
+
+ 	newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
++	newConfig.DefaultErrnoRet = config.DefaultErrnoRet
+
+ Loop:
+ 	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
+--- a/pkg/seccomp/types.go
++++ b/pkg/seccomp/types.go
+@@ -6,7 +6,8 @@
+
+ // Seccomp represents the config for a seccomp profile for syscall restriction.
+ type Seccomp struct {
+-	DefaultAction Action `json:"defaultAction"`
++	DefaultAction   Action `json:"defaultAction"`
++	DefaultErrnoRet *uint  `json:"defaultErrnoRet"`
+ 	// Architectures is kept to maintain backward compatibility with the old
+ 	// seccomp profile.
+ 	Architectures []Arch         `json:"architectures,omitempty"`
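Review bot: DefaultErrnoRet here is tagged `json:"defaultErrnoRet"` without omitempty, unlike the specs-go field it mirrors (`json:"defaultErrnoRet,omitempty"` in the opencontainers-specs patch). Marshalling a profile whose DefaultErrnoRet is nil therefore emits "defaultErrnoRet": null; this pointer type round-trips that back to nil, but a JSON-schema check against the spec's uint32 definition would reject it. Adding omitempty is a one-word change.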
+--- a/pkg/seccomp/default_linux.go
++++ b/pkg/seccomp/default_linux.go
+@@ -46,10 +46,56 @@
+ // DefaultProfile defines the allowlist for the default seccomp profile.
+ func DefaultProfile() *Seccomp {
+ 	einval := uint(syscall.EINVAL)
++	enosys := uint(unix.ENOSYS)
++	eperm := uint(unix.EPERM)
+
+ 	syscalls := []*Syscall{
+ 		{
+ 			Names: []string{
++				"bdflush",
++				"clone3",
++				"io_pgetevents",
++				"io_uring_enter",
++				"io_uring_register",
++				"io_uring_setup",
++				"kexec_file_load",
++				"kexec_load",
++				"membarrier",
++				"migrate_pages",
++				"move_pages",
++				"nfsservctl",
++				"nice",
++				"oldfstat",
++				"oldlstat",
++				"oldolduname",
++				"oldstat",
++				"olduname",
++				"pciconfig_iobase",
++				"pciconfig_read",
++				"pciconfig_write",
++				"pkey_alloc",
++				"pkey_free",
++				"pkey_mprotect",
++				"rseq",
++				"sgetmask",
++				"ssetmask",
++				"swapcontext",
++				"swapoff",
++				"swapon",
++				"sysfs",
++				"uselib",
++				"userfaultfd",
++				"ustat",
++				"vm86",
++				"vm86old",
++				"vmsplice",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++		},
++		{
++			Names: []string{
+ 				"_llseek",
+ 				"_newselect",
+ 				"accept",
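Review bot: as applied at this point in the series, clone3 sits in the explicit SCMP_ACT_ERRNO/EPERM list, which is exactly the failure mode described under [ Reason ]: glibc 2.34 only falls back from clone3 to clone when it gets ENOSYS, and this profile would hand it EPERM. The later 78ac839f patch moves clone3 into the allow list, and 399bd59e/0f242ca7 drop io_uring_* and membarrier from this block so they fall through to the ENOSYS default, so the final state is right, but that makes the order in debian/patches/series load-bearing; note it in the patch header. Also, this hunk starts using unix.ENOSYS and unix.EPERM next to the existing syscall.EINVAL without touching the import block, so the file must already import golang.org/x/sys/unix; worth a glance, since the hunk does not show it.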
+@@ -254,6 +300,7 @@
+ 				"pwritev2",
+ 				"read",
+ 				"readahead",
++				"readdir",
+ 				"readlink",
+ 				"readlinkat",
+ 				"readv",
+@@ -518,6 +565,17 @@
+ 		},
+ 		{
+ 			Names: []string{
++				"open_by_handle_at",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++			Excludes: Filter{
++				Caps: []string{"CAP_DAC_READ_SEARCH"},
++			},
++		},
++		{
++			Names: []string{
+ 				"bpf",
+ 				"clone",
+ 				"fanotify_init",
+@@ -590,6 +648,24 @@
+ 		},
+ 		{
+ 			Names: []string{
++				"bpf",
++				"fanotify_init",
++				"lookup_dcookie",
++				"perf_event_open",
++				"quotactl",
++				"setdomainname",
++				"sethostname",
++				"setns",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++			Excludes: Filter{
++				Caps: []string{"CAP_SYS_ADMIN"},
++			},
++		},
++		{
++			Names: []string{
+ 				"chroot",
+ 			},
+ 			Action: ActAllow,
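Review bot: setns appears in this new SCMP_ACT_ERRNO block (excluded only when CAP_SYS_ADMIN is held) and, after 9d294ad5 later in the series, also in the unconditional allow list. For a container without CAP_SYS_ADMIN both rules survive the includes/excludes filtering: one ALLOW and one ERRNO for the same syscall, neither with an argument filter. Please check what the runtime does with that pair (which rule wins, or whether rule insertion fails), since the 9d294ad5 commit message says setns must succeed for podman exec inside a container.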
+@@ -600,6 +676,17 @@
+ 		},
+ 		{
+ 			Names: []string{
++				"chroot",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++			Excludes: Filter{
++				Caps: []string{"CAP_SYS_CHROOT"},
++			},
++		},
++		{
++			Names: []string{
+ 				"delete_module",
+ 				"init_module",
+ 				"finit_module",
+@@ -613,6 +700,20 @@
+ 		},
+ 		{
+ 			Names: []string{
++				"delete_module",
++				"init_module",
++				"finit_module",
++				"query_module",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++			Excludes: Filter{
++				Caps: []string{"CAP_SYS_MODULE"},
++			},
++		},
++		{
++			Names: []string{
+ 				"get_mempolicy",
+ 				"mbind",
+ 				"name_to_handle_at",
+@@ -626,6 +727,19 @@
+ 		},
+ 		{
+ 			Names: []string{
++				"get_mempolicy",
++				"mbind",
++				"set_mempolicy",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++			Excludes: Filter{
++				Caps: []string{"CAP_SYS_NICE"},
++			},
++		},
++		{
++			Names: []string{
+ 				"acct",
+ 			},
+ 			Action: ActAllow,
+@@ -636,6 +750,17 @@
+ 		},
+ 		{
+ 			Names: []string{
++				"acct",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++			Excludes: Filter{
++				Caps: []string{"CAP_SYS_PACCT"},
++			},
++		},
++		{
++			Names: []string{
+ 				"kcmp",
+ 				"process_madvise",
+ 				"process_vm_readv",
+@@ -650,6 +775,21 @@
+ 		},
+ 		{
+ 			Names: []string{
++				"kcmp",
++				"process_madvise",
++				"process_vm_readv",
++				"process_vm_writev",
++				"ptrace",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++			Excludes: Filter{
++				Caps: []string{"CAP_SYS_PTRACE"},
++			},
++		},
++		{
++			Names: []string{
+ 				"iopl",
+ 				"ioperm",
+ 			},
+@@ -661,6 +801,18 @@
+ 		},
+ 		{
+ 			Names: []string{
++				"iopl",
++				"ioperm",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++			Excludes: Filter{
++				Caps: []string{"CAP_SYS_RAWIO"},
++			},
++		},
++		{
++			Names: []string{
+ 				"settimeofday",
+ 				"stime",
+ 				"clock_settime",
+@@ -674,6 +826,20 @@
+ 		},
+ 		{
+ 			Names: []string{
++				"settimeofday",
++				"stime",
++				"clock_settime",
++				"clock_settime64",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++			Excludes: Filter{
++				Caps: []string{"CAP_SYS_TIME"},
++			},
++		},
++		{
++			Names: []string{
+ 				"vhangup",
+ 			},
+ 			Action: ActAllow,
+@@ -684,6 +850,17 @@
+ 		},
+ 		{
+ 			Names: []string{
++				"vhangup",
++			},
++			Action:   ActErrno,
++			ErrnoRet: &eperm,
++			Args:     []*Arg{},
++			Excludes: Filter{
++				Caps: []string{"CAP_SYS_TTY_CONFIG"},
++			},
++		},
++		{
++			Names: []string{
+ 				"socket",
+ 			},
+ 			Action:   ActErrno,
+@@ -764,8 +941,9 @@
+ 	}
+
+ 	return &Seccomp{
+-		DefaultAction: ActErrno,
+-		ArchMap:       arches(),
+-		Syscalls:      syscalls,
++		DefaultAction:   ActErrno,
++		DefaultErrnoRet: &enosys,
++		ArchMap:         arches(),
++		Syscalls:        syscalls,
+ 	}
+ }
+--- a/pkg/seccomp/seccomp.json
++++ b/pkg/seccomp/seccomp.json
+@@ -1,5 +1,6 @@
+ {
+ 	"defaultAction": "SCMP_ACT_ERRNO",
++	"defaultErrnoRet": 38,
+ 	"archMap": [
+ 		{
+ 			"architecture": "SCMP_ARCH_X86_64",
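Review bot: 38 is ENOSYS only on architectures that use the x86/asm-generic errno numbering; on MIPS ENOSYS is 89, and bullseye ships mipsel and mips64el. The Go DefaultProfile in this same patch uses unix.ENOSYS and is correct everywhere, so the two profiles diverge on MIPS: a container there that is started from this JSON gets errno 38 for unknown syscalls, which glibc will not treat as "not implemented", so the clone3 fallback this upload exists to restore will not trigger on those ports. A static JSON cannot express a per-architecture value, so either document the limitation or generate seccomp.json at build time from DefaultProfile() on each architecture.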
+@@ -52,6 +53,53 @@
+ 	"syscalls": [
+ 		{
+ 			"names": [
++				"bdflush",
++				"clone3",
++				"io_pgetevents",
++				"io_uring_enter",
++				"io_uring_register",
++				"io_uring_setup",
++				"kexec_file_load",
++				"kexec_load",
++				"membarrier",
++				"migrate_pages",
++				"move_pages",
++				"nfsservctl",
++				"nice",
++				"oldfstat",
++				"oldlstat",
++				"oldolduname",
++				"oldstat",
++				"olduname",
++				"pciconfig_iobase",
++				"pciconfig_read",
++				"pciconfig_write",
++				"pkey_alloc",
++				"pkey_free",
++				"pkey_mprotect",
++				"rseq",
++				"sgetmask",
++				"ssetmask",
++				"swapcontext",
++				"swapoff",
++				"swapon",
++				"sysfs",
++				"uselib",
++				"userfaultfd",
++				"ustat",
++				"vm86",
++				"vm86old",
++				"vmsplice"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"_llseek",
+ 				"_newselect",
+ 				"accept",
+@@ -255,6 +303,7 @@
+ 				"pwritev2",
+ 				"read",
+ 				"readahead",
++				"readdir",
+ 				"readlink",
+ 				"readlinkat",
+ 				"readv",
+@@ -580,6 +629,21 @@
+ 		},
+ 		{
+ 			"names": [
++				"open_by_handle_at"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {
++				"caps": [
++					"CAP_DAC_READ_SEARCH"
++				]
++			},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"bpf",
+ 				"clone",
+ 				"fanotify_init",
+@@ -672,6 +736,28 @@
+ 		},
+ 		{
+ 			"names": [
++				"bpf",
++				"fanotify_init",
++				"lookup_dcookie",
++				"perf_event_open",
++				"quotactl",
++				"setdomainname",
++				"sethostname",
++				"setns"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {
++				"caps": [
++					"CAP_SYS_ADMIN"
++				]
++			},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"chroot"
+ 			],
+ 			"action": "SCMP_ACT_ALLOW",
+@@ -686,6 +772,21 @@
+ 		},
+ 		{
+ 			"names": [
++				"chroot"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {
++				"caps": [
++					"CAP_SYS_CHROOT"
++				]
++			},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"delete_module",
+ 				"init_module",
+ 				"finit_module",
+@@ -703,6 +804,24 @@
+ 		},
+ 		{
+ 			"names": [
++				"delete_module",
++				"init_module",
++				"finit_module",
++				"query_module"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {
++				"caps": [
++					"CAP_SYS_MODULE"
++				]
++			},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"get_mempolicy",
+ 				"mbind",
+ 				"name_to_handle_at",
+@@ -720,6 +839,23 @@
+ 		},
+ 		{
+ 			"names": [
++				"get_mempolicy",
++				"mbind",
++				"set_mempolicy"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {
++				"caps": [
++					"CAP_SYS_NICE"
++				]
++			},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"acct"
+ 			],
+ 			"action": "SCMP_ACT_ALLOW",
+@@ -734,6 +870,21 @@
+ 		},
+ 		{
+ 			"names": [
++				"acct"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {
++				"caps": [
++					"CAP_SYS_PACCT"
++				]
++			},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"kcmp",
+ 				"process_madvise",
+ 				"process_vm_readv",
+@@ -752,6 +903,25 @@
+ 		},
+ 		{
+ 			"names": [
++				"kcmp",
++				"process_madvise",
++				"process_vm_readv",
++				"process_vm_writev",
++				"ptrace"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {
++				"caps": [
++					"CAP_SYS_PTRACE"
++				]
++			},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"iopl",
+ 				"ioperm"
+ 			],
+@@ -767,6 +937,22 @@
+ 		},
+ 		{
+ 			"names": [
++				"iopl",
++				"ioperm"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {
++				"caps": [
++					"CAP_SYS_RAWIO"
++				]
++			},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"settimeofday",
+ 				"stime",
+ 				"clock_settime",
+@@ -784,6 +970,24 @@
+ 		},
+ 		{
+ 			"names": [
++				"settimeofday",
++				"stime",
++				"clock_settime",
++				"clock_settime64"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {
++				"caps": [
++					"CAP_SYS_TIME"
++				]
++			},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"vhangup"
+ 			],
+ 			"action": "SCMP_ACT_ALLOW",
+@@ -798,6 +1002,21 @@
+ 		},
+ 		{
+ 			"names": [
++				"vhangup"
++			],
++			"action": "SCMP_ACT_ERRNO",
++			"args": [],
++			"comment": "",
++			"includes": {},
++			"excludes": {
++				"caps": [
++					"CAP_SYS_TTY_CONFIG"
++				]
++			},
++			"errnoRet": 1
++		},
++		{
++			"names": [
+ 				"socket"
+ 			],
+ 			"action": "SCMP_ACT_ERRNO",
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..c2a2b119
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,8 @@
+seccomp-fixup.patch
+9d294ad50d6f12e2e34432d8f213937c2bee739b.patch
+78ac839f6d4dd0cf6dd44a67201e16ee3e890c1d.patch
+399bd59e0d0d3e3845d59a7fe197d08371b061b0.patch
+4d1476ba87c2d73c7e83d56cabbd9181e34c589f.patch
+08bbb0dfae71da36afd3be1ca104701e6cfa4406.patch
+0f242ca74bd16175bc55013ed457c88137bec0cf.patch
+689e5b074454da5228bb05604f89b7a876baa8fe.patch


Lastly, libpod simply needs to be rebuilt with this debdiff:

diff -Nru libpod-3.0.1+dfsg1/debian/changelog libpod-3.0.1+dfsg1/debian/changelog
--- libpod-3.0.1+dfsg1/debian/changelog	2021-06-13 18:28:49.000000000 -0400
+++ libpod-3.0.1+dfsg1/debian/changelog	2021-09-27 11:26:34.000000000 -0400
@@ -1,3 +1,10 @@
+libpod (3.0.1+dfsg1-3+deb11u1) bullseye; urgency=medium
+
+  * Rebuild against containers-common to pickup seccomp updates required
+    for newer kernels. Closes: #​994451
+
+ -- Reinhard Tartler <siretart@tauware.de>  Mon, 27 Sep 2021 11:26:34 -0400
+
 libpod (3.0.1+dfsg1-3) unstable; urgency=medium

   * Add networking-lookup-child-IP-in-networks.patch, fixes rootless
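Review bot: as rendered here the bug reference reads "#​994451" with a non-printing character between "#" and the number. If that is in the actual debian/changelog rather than an artefact of the mail archive, the BTS will not recognise the Closes: and the bug will stay open after the upload. Check with `grep -P '[^\x00-\x7F]' debian/changelog` before uploading.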
diff -Nru libpod-3.0.1+dfsg1/debian/control libpod-3.0.1+dfsg1/debian/control
--- libpod-3.0.1+dfsg1/debian/control	2021-06-13 18:28:49.000000000 -0400
+++ libpod-3.0.1+dfsg1/debian/control	2021-09-27 11:26:34.000000000 -0400
@@ -18,7 +18,7 @@
     ,golang-github-containerd-cgroups-dev
     ,golang-github-containernetworking-plugins-dev (>= 0.8.7)
     ,golang-github-containers-buildah-dev (>= 1.19.6)
-    ,golang-github-containers-common-dev (>= 0.33.4)
+    ,golang-github-containers-common-dev (>= 0.33.4+ds1-1+deb11u1)
     ,golang-github-containers-image-dev (>= 5.10.2)
     ,golang-github-containers-ocicrypt-dev
     ,golang-github-containers-psgo-dev
@@ -93,7 +93,7 @@
 Depends: ${misc:Depends}, ${shlibs:Depends}
     ,conmon (>= 2.0.18~)
     ,containernetworking-plugins (>= 0.8.7)
-    ,golang-github-containers-common
+    ,golang-github-containers-common (>= 0.33.4+ds1-1+debu11u1)
     ,crun | runc (>= 1.0.0~rc92~)
     ,iptables
 Breaks: buildah (<< 1.10.1-6), slirp4netns (<< 0.4.1), fuse-overlayfs (<< 0.7.1)
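Review bot: the version in the runtime Depends line is misspelt, "0.33.4+ds1-1+debu11u1" instead of "0.33.4+ds1-1+deb11u1" as in the Build-Depends hunk above. dpkg orders "+debu" after "+deb", so this requires a version higher than the one being uploaded and makes the podman binary package uninstallable in bullseye; fix the spelling. Separately, the upstream commit message in seccomp-fixup.patch says defaultErrnoRet needs crun >= 0.19 or runc >= 1.0-rc95, while this line still accepts "crun | runc (>= 1.0.0~rc92~)". Check what bullseye's crun and runc actually do with the field: a runtime that does not know it either ignores it (keeping EPERM as the default, so only the explicit allow-list additions such as clone3 and rseq carry the fix) or rejects the config, and the manual testing should cover whichever runtime bullseye users get by default.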


[ Other info ]
This is the first time I have worked on an update in a stable release of Debian, and I
am not very familiar with this process. Any help, support and suggestions would be
greatly appreciated.
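As an added example (not part of this report, and not code from containers/common), the following Go program evaluates a profile in the format shown in the seccomp.json hunks above: it applies the includes/excludes capability filtering, uses defaultErrnoRet for syscalls no rule names, falls back to EPERM where an errno is absent, and flags a syscall that is matched by applicable rules that disagree, which is the situation the setns and mempolicy changes create for containers lacking the relevant capability. The embedded profile is constructed for illustration and reduced to a few syscalls; the filtering semantics (drop a rule if any excluded cap is held or any included cap is missing) and the EPERM fallback for rules without errnoRet are my reading of the patches, not something the runtime is guaranteed to share.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// CapFilter is the "includes"/"excludes" object of a rule. Only caps are
// modelled; the real format also filters on arches.
type CapFilter struct {
	Caps []string `json:"caps"`
}

// Rule is one entry of the "syscalls" array.
type Rule struct {
	Names    []string  `json:"names"`
	Action   string    `json:"action"`
	ErrnoRet *uint     `json:"errnoRet,omitempty"`
	Includes CapFilter `json:"includes"`
	Excludes CapFilter `json:"excludes"`
}

// Profile is the top-level object, including the defaultErrnoRet field the
// patches in this report introduce.
type Profile struct {
	DefaultAction   string `json:"defaultAction"`
	DefaultErrnoRet *uint  `json:"defaultErrnoRet"`
	Syscalls        []Rule `json:"syscalls"`
}

// Decision is the effective outcome for one syscall name. Errno is only
// meaningful when Action is SCMP_ACT_ERRNO; Conflict is set when applicable
// rules disagree on action or errno (the first match is kept).
type Decision struct {
	Action   string
	Errno    uint
	Conflict bool
}

const (
	EPERM  uint = 1  // fallback when no errno is given (assumption, per the spec text)
	ENOSYS uint = 38 // value hardcoded in the seccomp.json hunk (x86/asm-generic numbering)
)

// applies is my reading of the includes/excludes filtering: drop the rule if
// the container holds any excluded cap, or lacks any included cap.
func applies(r Rule, held map[string]bool) bool {
	for _, c := range r.Excludes.Caps {
		if held[c] {
			return false
		}
	}
	for _, c := range r.Includes.Caps {
		if !held[c] {
			return false
		}
	}
	return true
}

// errnoFor returns the errno an action yields; 0 for non-ERRNO actions.
func errnoFor(action string, ret *uint) uint {
	if action != "SCMP_ACT_ERRNO" {
		return 0
	}
	if ret != nil {
		return *ret
	}
	return EPERM
}

// Decide returns the effective action for name, given the container's
// bounding capability set.
func Decide(p Profile, caps []string, name string) Decision {
	held := make(map[string]bool, len(caps))
	for _, c := range caps {
		held[c] = true
	}
	d := Decision{Action: p.DefaultAction, Errno: errnoFor(p.DefaultAction, p.DefaultErrnoRet)}
	matched := false
	for _, r := range p.Syscalls {
		if !applies(r, held) {
			continue
		}
		for _, n := range r.Names {
			if n != name {
				continue
			}
			action, errno := r.Action, errnoFor(r.Action, r.ErrnoRet)
			if matched && (action != d.Action || errno != d.Errno) {
				d.Conflict = true
				continue
			}
			d.Action, d.Errno, matched = action, errno, true
		}
	}
	return d
}

// sampleJSON is a constructed profile in the shape of the seccomp.json hunk
// above, reduced to a handful of syscalls; it is not the real default profile.
const sampleJSON = `{
	"defaultAction": "SCMP_ACT_ERRNO",
	"defaultErrnoRet": 38,
	"syscalls": [
		{"names": ["kexec_load", "userfaultfd"], "action": "SCMP_ACT_ERRNO",
		 "errnoRet": 1, "includes": {}, "excludes": {}},
		{"names": ["read", "write", "clone3", "rseq", "setns"], "action": "SCMP_ACT_ALLOW",
		 "includes": {}, "excludes": {}},
		{"names": ["bpf", "mount", "setns"], "action": "SCMP_ACT_ALLOW",
		 "includes": {"caps": ["CAP_SYS_ADMIN"]}, "excludes": {}},
		{"names": ["bpf", "setns"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1,
		 "includes": {}, "excludes": {"caps": ["CAP_SYS_ADMIN"]}}
	]
}`

// SampleProfile parses sampleJSON.
func SampleProfile() Profile {
	var p Profile
	if err := json.Unmarshal([]byte(sampleJSON), &p); err != nil {
		panic(err)
	}
	return p
}

func main() {
	p := SampleProfile()
	for _, caps := range [][]string{nil, {"CAP_SYS_ADMIN"}} {
		fmt.Printf("caps=%v\n", caps)
		for _, name := range []string{"read", "io_uring_setup", "kexec_load", "bpf", "setns"} {
			d := Decide(p, caps, name)
			fmt.Printf("  %-16s %-15s errno=%-3d conflict=%v\n", name, d.Action, d.Errno, d.Conflict)
		}
	}
}
```

Running it prints the table twice, once without capabilities and once with CAP_SYS_ADMIN; in the first run setns is reported with conflict=true because the unconditional allow rule and the CAP_SYS_ADMIN-excluded ERRNO rule both apply, while io_uring_setup, which no rule names, gets errno 38 from defaultErrnoRet and kexec_load keeps its explicit EPERM.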
