reassign -1 docker.io
retitle -1 docker.io: docker seccomp filter does not allow faccessat2
affect -1 src:glibc

Hi,

On 2022-02-18 11:58, David Eccles (gringer) wrote:
> rt_sigaction(SIGINT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8)
> = 0
> rt_sigaction(SIGINT, {sa_handler=0x562a34911a20, sa_mask=~[RTMIN RT_1],
> sa_flags=SA_RESTORER, sa_restorer=0x7f0a2ff79910}, NULL, 8) = 0
> rt_sigaction(SIGQUIT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8)
> = 0
> rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1],
> sa_flags=SA_RESTORER, sa_restorer=0x7f0a2ff79910}, NULL, 8) = 0
> rt_sigaction(SIGTERM, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8)
> = 0
> rt_sigaction(SIGTERM, {sa_handler=SIG_DFL, sa_mask=~[RTMIN RT_1],
> sa_flags=SA_RESTORER, sa_restorer=0x7f0a2ff79910}, NULL, 8) = 0
> read(10, "#!/bin/sh\nif test -x /usr/bin/he"..., 8192) = 103
> syscall_0xffffffffffffffff(0xffffff9c, 0x562a3655e490, 0x1, 0x200,
> 0x562a3655e4b0, 0x7f0a300f9c00) = -1 EPERM (Operation not permitted)

The problem is there. The above syscall that is not recognized and
forbidden by docker is faccessat2, which has been used since glibc 2.33.

I am therefore reassigning the bug to the docker.io package.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net
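
A check for the condition described in this message, as an added example that is not part of the original e-mail: it issues faccessat2 with the arguments seen in the trace (AT_FDCWD, a path, X_OK, AT_EACCESS) and separates ENOSYS, on which glibc falls back to the older faccessat syscall, from the EPERM that the seccomp filter returns. The `fa2_*` names and the probe path `/` are choices made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_faccessat2
#define SYS_faccessat2 439 /* generic syscall table: x86-64, arm64, ... */
#endif

/* Hypothetical verdict names, chosen for this example. */
enum fa2_verdict { FA2_WORKS, FA2_NO_KERNEL_SUPPORT, FA2_BLOCKED, FA2_OTHER };

/* Interpret the raw syscall result for a path known to be accessible. */
enum fa2_verdict fa2_classify(long ret, int err)
{
    if (ret == 0)
        return FA2_WORKS;
    if (err == ENOSYS)   /* kernel older than 5.8: glibc retries with faccessat */
        return FA2_NO_KERNEL_SUPPORT;
    if (err == EPERM)    /* result in the trace: filter denied it, no glibc fallback */
        return FA2_BLOCKED;
    return FA2_OTHER;
}

/* Same argument shape as the failing call: AT_FDCWD, path, X_OK, AT_EACCESS. */
enum fa2_verdict fa2_probe(void)
{
    errno = 0;
    long ret = syscall(SYS_faccessat2, AT_FDCWD, "/", X_OK, AT_EACCESS);
    return fa2_classify(ret, errno);
}

int main(void)
{
    static const char *const text[] = {
        "faccessat2 works",
        "faccessat2 missing in kernel (ENOSYS), glibc falls back",
        "faccessat2 denied with EPERM: seccomp filter does not allow it",
        "unexpected error",
    };
    enum fa2_verdict v = fa2_probe();
    printf("%s\n", text[v]);
    return v == FA2_BLOCKED; /* non-zero exit only for the case in this bug */
}
```

Run inside the affected container, the program exits non-zero only when the filter answers EPERM, which makes it usable as a check after updating the container runtime or its seccomp profile.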