Skip to content

seccomp: Allow personality with UNAME26 bit set. #32965

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thaJeztah merged 1 commit into from
May 3, 2017
Merged

seccomp: Allow personality with UNAME26 bit set. #32965

thaJeztah merged 1 commit into from
May 3, 2017

Conversation

@ijc
Copy link
Contributor

@ijc ijc commented May 2, 2017

From personality(2):

Have uname(2) report a 2.6.40+ version number rather than a 3.x version
number.  Added as a stopgap measure to support broken applications that
could not handle the  kernel  version-numbering  switch  from 2.6.x to 3.x.

This allows both "UNAME26|PER_LINUX" and "UNAME26|PER_LINUX32".

Fixes: #32839

Signed-off-by: Ian Campbell [email protected]

- What I did

Added UNAME26 to allowable calls to personality(2)

- How I did it

Editing the seccomp profile then running go generate github.com/moby/moby/profiles/seccomp

- How to verify it

docker run -t --rm debian setarch $(arch) --uname-2.6 uname -a should return a 2.6.X instead of 4.x. For me it returns 2.6.69-2-amd64 rather than 4.9.0-2-amd64.

- Description for the changelog

Support use of setarch --uname-2.6 in containers.

- A picture of a cute animal (not mandatory but encouraged)
Spider Kitten:
Spider Kitten

seccomp: Allow personality with UNAME26 bit set.
cd45643 
From personality(2):

    Have uname(2) report a 2.6.40+ version number rather than a 3.x version
    number.  Added as a stopgap measure to support broken applications that
    could not handle the  kernel  version-numbering  switch  from 2.6.x to 3.x.

This allows both "UNAME26|PER_LINUX" and "UNAME26|PER_LINUX32".

Fixes: moby#32839

Signed-off-by: Ian Campbell <[email protected]>
@ijc ijc mentioned this pull request May 2, 2017
Closed
@thaJeztah
Copy link
Member

thaJeztah commented May 2, 2017

ping @justincormack PTAL

@ijc
Copy link
Contributor Author

ijc commented May 3, 2017

powerpc failure is:

15:17:45 FAIL: check_test.go:355: DockerSwarmSuite.TearDownTest
15:17:45 
15:17:45 unmount of /tmp/docker-execroot/d2e5d1f5ff906/netns failed: invalid argument
15:17:45 unmount of /tmp/docker-execroot/d2e5d1f5ff906/netns failed: no such file or directory
15:17:45 check_test.go:360:
15:17:45     d.Stop(c)
15:17:45 daemon/daemon.go:392:
15:17:45     t.Fatalf("Error while stopping the daemon %s : %v", d.id, err)
15:17:45 ... Error: Error while stopping the daemon dc4fe119054cc : exit status 2
15:17:45 
15:17:45 
15:17:45 ----------------------------------------------------------------------
15:17:45 PANIC: docker_cli_swarm_test.go:1371: DockerSwarmSuite.TestSwarmClusterRotateUnlockKey

Unlikely to be due to this change I think.

@justincormack
Copy link
Contributor

justincormack commented May 3, 2017

Why? And does this do any other kind of emulation?

@justincormack
Copy link
Contributor

justincormack commented May 3, 2017

Why does stretch suddenly want to do this? kernel 2.6 is ancient...

@ijc
Copy link
Contributor Author

ijc commented May 3, 2017

Why?

User was tripping over this in #32839, I suppose they only just upgraded from Jessie to Stretch now that Stretch is deeply frozen. In Jessie AIUI seccomp is not enabled in our packages so they wouldn't have noticed this.

And does this do any other kind of emulation?

I checked in 4.9.25 and it is used solely to fudge the result of uname.

Why does stretch suddenly want to do this? kernel 2.6 is ancient...

It's not stretch but the user's containerised application which (presumably) wants this. Running old (even ancient) crufty stuff in a container seems like a valid usecase.

@tophj-ibm
Copy link
Contributor

tophj-ibm commented May 3, 2017

@ijc25 yeah powerpc failure not related, issue with swarm/etcd.

@justincormack
Copy link
Contributor

justincormack commented May 3, 2017

ok, LGTM

thaJeztah
thaJeztah approved these changes May 3, 2017
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thaJeztah thaJeztah merged commit bf5cf84 into moby:master May 3, 2017
@GordonTheTurtle GordonTheTurtle added this to the 17.06.0 milestone May 3, 2017
@ijc ijc deleted the setarch-2.6 branch May 4, 2017 09:16
@thaJeztah thaJeztah mentioned this pull request Aug 24, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees

No one assigned

Labels

impact/changelog status/2-code-review

Projects

None yet

Milestone

17.06.0

Development

Successfully merging this pull request may close these issues.

setarch broken in docker packages from Debian stretch

5 participants

@ijc @thaJeztah @justincormack @tophj-ibm @GordonTheTurtle