On Thu, 2020-09-10 at 15:02 +0300, Heikkinen, Ville (Nokia - FI/Espoo) wrote:
> On 9/9/20 10:35 PM, Jeff Layton wrote:
> > On Tue, 2020-09-08 at 10:56 +0300, Ville Heikkinen wrote:
> >
> > Does this actually work around the seccomp bugs? What we found here was
> > that once you tried to use statx with the broken seccomp code all
> > syscalls issued by the task would get back -ENOSYS afterward.
> >
> > See:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1762578
> >
> > Is there a different bug you're trying to fix?
>
> The outcome of this bug report
> https://bugzilla.redhat.com/show_bug.cgi?id=1760300
> led to a situation where in Fedora 32, the use of statx is disabled
> when building coreutils.
>
> After this change, the "Birth Date" is not available in stat output as
> it was before.
>
> I tested this in podman with creating seccomp filter profile without
> having statx in the list - but I see now that this was perhaps not
> the right way to test this, if the original problem really breaks all
> the future syscalls.
>
I may be wrong there, actually. Looking over the bug again, the repeated
errors seemed to have been due to a bug in strace:

https://bugzilla.redhat.com/show_bug.cgi?id=1762578#c12

Still though, I'm not a huge fan of a runtime fallback like this. In
principle, once the seccomp fixes trickle out into the field, we
shouldn't have need for this any longer.

--
Jeff Layton <jlay...@kernel.org>