fchmodat2 seccomp filter breaks sandboxed builds with glibc 2.38 #10585
Description
Describe the bug
The fchmodat2 seccomp stuff added in ba68045 seems to break builds altogether, at least on kernel 6.6.27.
Steps To Reproduce
- Trigger a build
- ???
- Profit:
error:
… while setting up the build environment
error: unable to add seccomp rule: Bad address
nix-env --version output
Relevant commit is ba68045
Additional context
strace log of nix-daemon
strace: Process 251786 attached
strace: Process 251787 attached
[pid 251787] seccomp(SECCOMP_SET_MODE_STRICT, 0x1, NULL) = -1 EINVAL (Invalid argument)
[pid 251787] seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, NULL) = -1 EFAULT (Bad address)
[pid 251787] seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, NULL) = -1 EFAULT (Bad address)
[pid 251787] seccomp(SECCOMP_GET_ACTION_AVAIL, 0, [SECCOMP_RET_LOG]) = 0
[pid 251787] seccomp(SECCOMP_GET_ACTION_AVAIL, 0, [SECCOMP_RET_KILL_PROCESS]) = 0
[pid 251787] seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_SPEC_ALLOW, NULL) = -1 EFAULT (Bad address)
[pid 251787] seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, NULL) = -1 EFAULT (Bad address)
[pid 251787] seccomp(SECCOMP_GET_NOTIF_SIZES, 0, {seccomp_notif=80, seccomp_notif_resp=24, seccomp_data=64}) = 0
[pid 251787] seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC_ESRCH, NULL) = -1 EFAULT (Bad address)
[pid 251786] +++ exited with 0 +++
[pid 251781] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=251786, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
[pid 251787] +++ exited with 1 +++
Priorities
Add 👍 to issues you find important.