Hi Ghadi, I reviewed this patch today. Thanks for the work on this.
> this time I only back ported the fchmodat2 syscall and only for arm, aarch64, and powerpc platforms The upstream patch is applying the value 452 to all arches in syscalls.csv, and that's what's in noble+. Would you help me understand the motivation to deviate from this value for the arches not yet known to be affected, but only in SRU? Is this a trying-to-limit-regressions thing? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/2059734 Title: Tar fails to extract archives that include folders with certain permissions on armhf Status in libseccomp package in Ubuntu: New Status in tar package in Ubuntu: Invalid Status in libseccomp source package in Jammy: In Progress Status in libseccomp source package in Mantic: Won't Fix Status in tar source package in Mantic: Won't Fix Status in libseccomp source package in Noble: Invalid Status in tar source package in Noble: Invalid Bug description: Thank you @loganbussell-msft for the bug report! [Impact] Currently running containers using modern versions of glibc such as the one available in noble on older hosts causes permissions issues inside the container. This is due to newer versions of glibc expecting the fchmodat2 syscall to be available and to return ENOSYS in case it is not. However docker seccomp profile defaults to returning EPERM for all non defined syscalls and writing an entry for fchmodat2 in the docker seccomp profile to return ENOSYS does not work on systems where libseccomp does not have support for fchmodat2. Running armhf noble docker containers on arm64 jammy hosts has been seen to exhibit this behavior and a patch to libseccomp for jammy is required to fix the issue. Other architectures may also be affected by this issue that such as ppc64le as reported by @mark-elvers. I have backported a fix from upstream that adds the missing syscalls to libseccomp and verified it on an ampere arm machine as well as on a raspberry pi 4 [Test Plan] 1- On an ARM 64 machine install the latest version of docker on a jammy host by following the official docker documentation. [https://docs.docker.com/engine/install/ubuntu/] 2- Create an armhf noble docker container: $ docker run --rm -it --platform linux/arm/v7 --entrypoint bash ubuntu.azurecr.io/ubuntu:noble 3- inside the docker container execute the following commands to create a new tar file and then extract it: mkdir /test \ && chmod 775 /test \ && cd /test \ && mkdir 775 \ && chmod 775 775 \ && touch 775/test.txt \ && chmod 644 775/test.txt \ && tar -czvf /test.tar.gz . mkdir -p /test2 \ && tar -tzvf /test.tar.gz \ && tar -oxzf /test.tar.gz -C /test2 4- you will see the following errors: tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted tar: Exiting with failure status due to previous errors 5- When libseccomp is patched the command will run with no permission issues [Where problems could occur] * the issue might still occur on other platforms * if using an older version of docker the issue will still occur [Original Description] When running Ubuntu Noble in an arm32 Docker container, on certain hosts (Azure VM CI agents), tar fails to extract certain archives that include folders with specific permissions set. Here's a concise repro. The error occurs in when building the Dockerfile. I can only get this to work on Azure VMs, but can't find out why. ```Dockerfile FROM ubuntu.azurecr.io/ubuntu:noble # Create the problematic archive RUN mkdir /test \ && chmod 775 /test \ && cd /test \ && mkdir 775 \ && chmod 775 775 \ && touch 775/test.txt \ && chmod 644 775/test.txt \ && tar -czvf /test.tar.gz . # Extracting it gives an error RUN mkdir -p /test2 \ && tar -tzvf /test.tar.gz \ && tar -oxzf /test.tar.gz -C /test2 ``` What I expected to happen: The test.tar.gz archive should be successfully extracted to the /test2 directory. What happened instead: Tar throws the following error: ``` tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted tar: Exiting with failure status due to previous errors ``` The Ubuntu container is running as root so there shouldn't be any permission errors. Since this is running in a container, I observed this happening on the following kernel: `Linux version 5.15.148.2-2.cm2 (root@CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) #1 SMP Fri Feb 23 23:38:33 UTC 2024` As well as `Linux <hostname> 6.5.0-1017-azure #17~22.04.1-Ubuntu SMP Sat Mar 9 10:04:07 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux` I was not able to reproduce it using Ubuntu 22.04 Jammy (ubuntu.azurecr.io/ubuntu:jammy), using the same kernel as above. Additionally I was not able to reproduce this on the kernel `Linux cb0507859b24 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux`, which is running on my work machine, using Docker qemu emulation for the arm32 image. Ubuntu version: Ubuntu Noble Numbat (development branch) 24.04 (from ubuntu.azurecr.io/ubuntu:noble) tar version: `1.35+dfsg-3` To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/2059734/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
