This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: glibc in master is incompatible with systemd-nspawn
- From: Szabolcs Nagy <Szabolcs dot Nagy at arm dot com>
- To: Adhemerval Zanella <adhemerval dot zanella at linaro dot org>, "libc-alpha at sourceware dot org" <libc-alpha at sourceware dot org>
- Cc: nd <nd at arm dot com>, linux-man <linux-man at vger dot kernel dot org>
- Date: Fri, 8 Nov 2019 16:01:58 +0000
- Subject: Re: glibc in master is incompatible with systemd-nspawn
- References: <87k18a62xe.fsf@oldenburg2.str.redhat.com> <20191108141149.GB20533@altlinux.org> <87v9ru1l6d.fsf@oldenburg2.str.redhat.com> <c4001320-2d3f-9523-c93f-60f799545654@linaro.org>
On 08/11/2019 15:33, Adhemerval Zanella wrote:
> Since when has systemd-nspawn had this behaviour? What was the rationale to
> use EPERM instead of ENOSYS? IMHO ENOSYS is the expected error in this
> case, since filtering is essentially blocking the syscall usage altogether.
Docker does the same, but at least you can disable it
with --security-opt seccomp:unconfined.
I think the original sin was committed by Chromium,
which uses EPERM in its sandbox.
It's of course broken whenever the application is
run on a newer kernel+libc than what was used for
creating the filter; maybe the seccomp manual should
warn against the use of EPERM (there is already a
caveats section)?
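The breakage described in this reply, shown as an added example that is not part of the thread, of glibc, or of any of the sandboxes mentioned: a seccomp filter that fails getrandom(2) with a configurable errno (getrandom stands in for "a syscall the filter author did not know about"), and the ENOSYS-only fallback idiom a libc uses for a syscall that may be missing. Under a filter that answers ENOSYS the fallback to /dev/urandom kicks in; under one that answers EPERM the same code reports a hard failure. It assumes Linux with seccomp available, an x86_64, aarch64 or i386 build, and helper names (install_filter, getrandom_with_fallback, run_under_filter) invented for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* AUDIT_ARCH_* value the kernel reports in seccomp_data.arch for this build;
 * a filter without this check can be fooled by a foreign-ABI syscall table. */
#if defined(__x86_64__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Demo filter (not a real sandbox profile): fail getrandom(2) with
 * filter_errno, allow everything else. Only the errno differs between runs. */
static int install_filter(int filter_errno)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getrandom, 0, 1),
        BPF_STMT(BPF_RET | BPF_K,
                 SECCOMP_RET_ERRNO | ((unsigned)filter_errno & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof insns / sizeof insns[0], .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* needed without CAP_SYS_ADMIN */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* The libc-style fallback idiom: try the new syscall, and only on ENOSYS use
 * the older mechanism. A filter that says EPERM never reaches the fallback. */
static ssize_t getrandom_with_fallback(void *buf, size_t n)
{
    long r = syscall(__NR_getrandom, buf, n, 0);
    if (r >= 0)
        return (ssize_t)r;
    if (errno != ENOSYS)
        return -1;                          /* EPERM lands here: hard failure */
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, buf, n);
    int saved = errno;
    close(fd);
    errno = saved;
    return got;
}

/* Probes run inside the filtered child; each returns 0 on success or an errno. */
static int probe_raw_syscall(void)
{
    unsigned char buf[16];
    return syscall(__NR_getrandom, buf, sizeof buf, 0) < 0 ? errno : 0;
}

static int probe_with_fallback(void)
{
    unsigned char buf[16];
    return getrandom_with_fallback(buf, sizeof buf) < 0 ? errno : 0;
}

static int probe_nothing(void) { return 0; }

/* Fork, load the filter in the child, run one probe there and pass its result
 * back via the exit status. Returns -1 if the filter could not be loaded. */
static int run_under_filter(int filter_errno, int (*probe)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_filter(filter_errno) != 0)
            _exit(255);
        _exit(probe() & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

/* True if this kernel/sandbox lets us load a seccomp filter at all. */
static int seccomp_usable(void) { return run_under_filter(ENOSYS, probe_nothing) == 0; }

int main(void)
{
    if (!seccomp_usable()) {
        puts("could not install a seccomp filter here");
        return 1;
    }
    int errs[] = { ENOSYS, EPERM };
    for (int i = 0; i < 2; i++) {
        int raw = run_under_filter(errs[i], probe_raw_syscall);
        int fb = run_under_filter(errs[i], probe_with_fallback);
        printf("filter returns %s: raw syscall -> %s; with ENOSYS fallback -> %s\n",
               errs[i] == EPERM ? "EPERM" : "ENOSYS",
               raw ? strerror(raw) : "ok", fb ? strerror(fb) : "ok");
    }
    return 0;
}
```

The filter is installed in a forked child so the parent stays unfiltered; a real sandbox would instead allow-list syscalls, which is exactly the situation where a syscall added later than the filter gets the "unknown" verdict, and where ENOSYS keeps the fallback path alive while EPERM kills it.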