Re: Bug#964541: flatpak: Wrong argument order for clone syscall seccomp filter on s390x (Was: make: Regression on s390x, echo EPERM, caused by posix_spawn change)
- To: Christian Borntraeger <borntraeger@de.ibm.com>
- Cc: Adrian Bunk <bunk@debian.org>, 964541@bugs.debian.org, debian-s390@lists.debian.org, flatpak@packages.debian.org
- Subject: Re: Bug#964541: flatpak: Wrong argument order for clone syscall seccomp filter on s390x (Was: make: Regression on s390x, echo EPERM, caused by posix_spawn change)
- From: Julian Andres Klode <jak@debian.org>
- Date: Wed, 5 Aug 2020 16:28:50 +0200
- Message-id: <20200805155931.GA2877824@debian.org>
- Mail-followup-to: Julian Andres Klode <jak@debian.org>, Christian Borntraeger <borntraeger@de.ibm.com>, Adrian Bunk <bunk@debian.org>, 964541@bugs.debian.org, debian-s390@lists.debian.org, flatpak@packages.debian.org
- In-reply-to: <ee2c1bdb-e9a0-f10e-c96f-47cb61427164@de.ibm.com>
- References: <20200708133955.GA760560@debian.org> <20200721081813.GA19488@localhost> <b4a3573b-8624-02b3-fe91-bb879e6929de@de.ibm.com> <20200721132340.GA2043481@debian.org> <ee2c1bdb-e9a0-f10e-c96f-47cb61427164@de.ibm.com>
Control: reassign -1 flatpak
Control: retitle -1 flatpak: Wrong argument order for clone syscall seccomp filter on s390x
Hello flatpak maintainer!
On Wed, Aug 05, 2020 at 03:19:39PM +0200, Christian Borntraeger wrote:
>
> On 21.07.20 13:24, Julian Andres Klode wrote:
> > On Tue, Jul 21, 2020 at 12:49:59PM +0200, Christian Borntraeger wrote:
> >> On 21.07.20 10:18, Adrian Bunk wrote:
> >>> [ adding debian-s390 to Cc ]
> >>>
> >>> On Wed, Jul 08, 2020 at 01:42:33PM +0200, Julian Andres Klode wrote:
> >>>> Package: make-dfsg
> >>>> Version: 4.3-4
> >>>> Severity: serious
> >>>> Tags: patch
> >>>> User: ubuntu-devel@lists.ubuntu.com
> >>>> Usertags: origin-ubuntu groovy ubuntu-patch
> >>>>
> >>>> In Ubuntu, the attached patch was applied to achieve the following:
> >>>>
> >>>> The autopkgtests for flatpak-builder/s390x were failing with
> >>>>
> >>>> echo Building
> >>>> make: echo: Operation not permitted
> >>>> make: *** [Makefile:2: all] Error 127
> >>
> >> Julian,
> >>
> >> is there a launchpad entry for the Ubuntu bug that was fixed by this change?
> >
> > Yes, https://bugs.launchpad.net/ubuntu/+source/make-dfsg/+bug/1886814, it's also
> > in the IBM bugzilla thingy - you can see Andreas Krebbel is replying to that.
>
> FWIW, Stefan Liebler looked into this and this needs to be fixed in flatpak-build.
> See the bug for details.
flatpak has the wrong argument order in the seccomp filter for s390x; the
attached patch should fix it.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
Description: Fix argument order of clone() for s390x in seccomp filter
clone() is a mad syscall with about 4 different argument orders. While
most of them agree that argument 0 is flags, s390 and s390x have the
flags argument second - A0 is the child stack pointer there.
Author: Julian Andres Klode <julian.klode@canonical.com>
Bug-Debian: https://bugs.debian.org/964541
Bug-Ubuntu: https://launchpad.net/bugs/1886814
Forwarded: no
Last-Update: 2020-08-05
--- flatpak-1.8.1.orig/common/flatpak-run.c
+++ flatpak-1.8.1/common/flatpak-run.c
@@ -2667,7 +2667,11 @@ setup_seccomp (FlatpakBwrap *bwrap,
{SCMP_SYS (unshare)},
{SCMP_SYS (mount)},
{SCMP_SYS (pivot_root)},
+#if defined(__s390__) || defined(__s390x__)
+ {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+#else
{SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+#endif
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
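Review bot: The new `#if defined(__s390__) || defined(__s390x__)` branch in the clone entry has no in-code comment saying why s390 checks `SCMP_A1` while every other architecture checks `SCMP_A0`; the reason (argument 0 is the child stack pointer there, flags is argument 1) exists only in the patch description. Put a one-line comment above the `#if` so the two near-identical table rows are not later merged back into one. The header also says `Forwarded: no`, and the change is in common/flatpak-run.c rather than in packaging, so it should be sent upstream.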
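The following is an added illustration, not code from this message or from flatpak. It models the `SCMP_CMP_MASKED_EQ` test from the patch against raw clone() arguments laid out in the s390x order, to show what happens when the rule looks at argument 0 instead of argument 1. The function and enum names are hypothetical, the stack addresses are constructed sample values, and no real seccomp filter is loaded.

```c
#include <stdint.h>
#include <stdio.h>

/* Local copies of the <linux/sched.h> flag values, so the file builds anywhere. */
#define X_CLONE_VM      0x00000100ULL
#define X_CLONE_VFORK   0x00004000ULL
#define X_CLONE_NEWUSER 0x10000000ULL

/* Hypothetical names: raw clone() layouts as the seccomp filter sees them. */
enum clone_abi { ABI_FLAGS_FIRST, ABI_S390 };

/* Index of the flags word: 1 on s390/s390x (A0 is the child stack), else 0. */
int flags_index(enum clone_abi abi) { return abi == ABI_S390 ? 1 : 0; }

/* Lay out flags and child stack pointer in raw syscall argument order. */
void pack_clone_args(enum clone_abi abi, uint64_t flags, uint64_t stack,
                     uint64_t out[6])
{
    for (int i = 0; i < 6; i++)
        out[i] = 0;
    out[flags_index(abi)] = flags;
    out[1 - flags_index(abi)] = stack;
}

/* Same test as SCMP_CMP_MASKED_EQ (CLONE_NEWUSER, CLONE_NEWUSER) applied to
 * argument idx: returns 1 when the rule matches and the call is refused. */
int rule_denies(const uint64_t args[6], int idx)
{
    return (args[idx] & X_CLONE_NEWUSER) == X_CLONE_NEWUSER;
}

int main(void)
{
    uint64_t a[6];
    /* Constructed address with bit 0x10000000 set in its low word. */
    const uint64_t stack = 0x000003ff9c7fe000ULL;

    /* Ordinary spawn-style clone on s390x: no CLONE_NEWUSER requested. */
    pack_clone_args(ABI_S390, X_CLONE_VM | X_CLONE_VFORK, stack, a);
    printf("spawn:   A0 rule denies=%d, A1 rule denies=%d\n",
           rule_denies(a, 0), rule_denies(a, 1));

    /* clone requesting a user namespace, stack address without that bit. */
    pack_clone_args(ABI_S390, X_CLONE_NEWUSER, 0x000003ff8c7fe000ULL, a);
    printf("newuser: A0 rule denies=%d, A1 rule denies=%d\n",
           rule_denies(a, 0), rule_denies(a, 1));
    return 0;
}
```

With the s390x layout, the A0 rule refuses an ordinary clone whenever the stack address happens to carry the bit, and lets a real `CLONE_NEWUSER` request through; the A1 rule gets both cases right.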