rpms / systemd

Clone
Source Code
GIT

Blame SOURCES/0061-nspawn-allow-sched_rr_get_interval_time64-through-se.patch

c10s-sig-hyperscale c10s-sig-hyperscale-v255 c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-atomic-beta c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale c9s-sig-hyperscale-v255
  1.   c9-beta
  2.   SOURCES
  3.   0061-nspawn-allow-sched_rr_get_interval_time64-through-se.patch
Blob History Raw
ac3a84 
From b2d259a82329e37b0f369e9951f19a067cb8bfb4 Mon Sep 17 00:00:00 2001
ac3a84 
From: Sam James <sam@gentoo.org>
ac3a84 
Date: Fri, 18 Nov 2022 07:18:18 +0000
ac3a84 
Subject: [PATCH] nspawn: allow sched_rr_get_interval_time64 through seccomp
ac3a84 
 filter
ac3a84
ac3a84 
We only allow a selected subset of syscalls from nspawn containers
ac3a84 
and don't list any time64 variants (needed for 32-bit arches when
ac3a84 
built using TIME_BITS=64, which is relatively new).
ac3a84
ac3a84 
We allow sched_rr_get_interval which cpython's test suite makes
ac3a84 
use of, but we don't allow sched_rr_get_interval_time64.
ac3a84
ac3a84 
The test failures when run in an arm32 nspawn container on an arm64 host
ac3a84 
were as follows:
ac3a84 
```
ac3a84 
======================================================================
ac3a84 
ERROR: test_sched_rr_get_interval (test.test_posix.PosixTester.test_sched_rr_get_interval)
ac3a84 
----------------------------------------------------------------------
ac3a84 
Traceback (most recent call last):
ac3a84 
  File "/var/tmp/portage/dev-lang/python-3.11.0_p1/work/Python-3.11.0/Lib/test/test_posix.py", line 1180, in test_sched_rr_get_interval
ac3a84 
    interval = posix.sched_rr_get_interval(0)
ac3a84 
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ac3a84 
PermissionError: [Errno 1] Operation not permitted
ac3a84 
```
ac3a84
ac3a84 
Then strace showed:
ac3a84 
```
ac3a84 
sched_rr_get_interval_time64(0, 0xffbbd4a0) = -1 EPERM (Operation not permitted)
ac3a84 
```
ac3a84
ac3a84 
This appears to be the only time64 syscall that isn't already included one of
ac3a84 
the sets listed in nspawn-seccomp.c that has a non-time64 variant. Checked
ac3a84 
over each of the time64 syscalls known to systemd and verified that none
ac3a84 
of the others had a non-time64-variant whitelisted in nspawn other than
ac3a84 
sched_rr_get_interval.
ac3a84
ac3a84 
Bug: https://bugs.gentoo.org/880131
ac3a84 
(cherry picked from commit b9e7f22c2d80930cad36ae53e66e42a2996dca4a)
ac3a84
ac3a84 
Related: #2138081
ac3a84 
---
ac3a84 
 src/nspawn/nspawn-seccomp.c | 1 +
ac3a84 
 1 file changed, 1 insertion(+)
ac3a84
ac3a84 
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
ac3a84 
index 77f4c2ac88..27044fadd2 100644
ac3a84 
--- a/src/nspawn/nspawn-seccomp.c
ac3a84 
+++ b/src/nspawn/nspawn-seccomp.c
ac3a84 
@@ -88,6 +88,7 @@ static int add_syscall_filters(
ac3a84 
                 { 0,                  "sched_getparam"         },
ac3a84 
                 { 0,                  "sched_getscheduler"     },
ac3a84 
                 { 0,                  "sched_rr_get_interval"  },
ac3a84 
+                { 0,                  "sched_rr_get_interval_time64" },
ac3a84 
                 { 0,                  "sched_yield"            },
ac3a84 
                 { 0,                  "seccomp"                },
ac3a84 
                 { 0,                  "sendfile"               },

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation