
Seccomp blocks install of "libc6" in Ubuntu 20.04 "focal" image on armhf (arm32v7) #40734

Open
thaJeztah opened this issue Mar 25, 2020 · 36 comments
Labels
area/security/seccomp exp/expert kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed.

Comments

@thaJeztah
Member

Opening a tracking issue for this for further investigation. More details can be found in:

Summary

Ubuntu 20.04 ("focal") on armhf (arm32) currently has an issue where it looks like seccomp is blocking a syscall that's used when installing libc6:

docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'

...
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack):
 dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

With seccomp disabled, installing libc6 is successful:

docker pull arm32v7/ubuntu:focal && docker run -e DEBIAN_FRONTEND=noninteractive --rm --security-opt seccomp=unconfined arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'
output of the above:
focal: Pulling from arm32v7/ubuntu
Digest: sha256:18100e418054ebe1be0fff4e514183f28088a0db409df081c3233dd22dcf4a15
Status: Image is up to date for arm32v7/ubuntu:focal
docker.io/arm32v7/ubuntu:focal

Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [255 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [79.7 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [79.7 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [79.7 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/restricted armhf Packages [10.8 kB]
Get:6 http://ports.ubuntu.com/ubuntu-ports focal/main armhf Packages [1236 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports focal/universe armhf Packages [11.0 MB]
Get:8 http://ports.ubuntu.com/ubuntu-ports focal/multiverse armhf Packages [141 kB]
Fetched 12.9 MB in 5s (2427 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  gcc-10-base libc-bin libcrypt1 libgcc-s1
Suggested packages:
  manpages glibc-doc locales
The following NEW packages will be installed:
  gcc-10-base libcrypt1 libgcc-s1
The following packages will be upgraded:
  libc-bin libc6
2 upgraded, 3 newly installed, 0 to remove and 55 not upgraded.
Need to get 2770 kB of archives.
After this operation, 618 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports focal/main armhf gcc-10-base armhf 10-20200324-1ubuntu1 [18.5 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libgcc-s1 armhf 10-20200324-1ubuntu1 [36.2 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libcrypt1 armhf 1:4.4.10-10ubuntu4 [93.5 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc6 armhf 2.31-0ubuntu6 [2133 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc-bin armhf 2.31-0ubuntu6 [489 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 2770 kB in 0s (10.7 MB/s)
Selecting previously unselected package gcc-10-base:armhf.
(Reading database ... 4126 files and directories currently installed.)
Preparing to unpack .../gcc-10-base_10-20200324-1ubuntu1_armhf.deb ...
Unpacking gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Setting up gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Selecting previously unselected package libgcc-s1:armhf.
(Reading database ... 4132 files and directories currently installed.)
Preparing to unpack .../libgcc-s1_10-20200324-1ubuntu1_armhf.deb ...
Unpacking libgcc-s1:armhf (10-20200324-1ubuntu1) ...
Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ...
Setting up libgcc-s1:armhf (10-20200324-1ubuntu1) ...
(Reading database ... 4134 files and directories currently installed.)
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
Selecting previously unselected package libcrypt1:armhf.
Preparing to unpack .../libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb ...
Unpacking libcrypt1:armhf (1:4.4.10-10ubuntu4) ...
Setting up libcrypt1:armhf (1:4.4.10-10ubuntu4) ...
Setting up libc6:armhf (2.31-0ubuntu6) ...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
(Reading database ... 4137 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.31-0ubuntu6_armhf.deb ...
Unpacking libc-bin (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
Setting up libc-bin (2.31-0ubuntu6) ...

With seccomp enabled, installation fails:

docker pull arm32v7/ubuntu:focal && docker run -e DEBIAN_FRONTEND=noninteractive --rm arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6'
output of the above:
focal: Pulling from arm32v7/ubuntu
Digest: sha256:18100e418054ebe1be0fff4e514183f28088a0db409df081c3233dd22dcf4a15
Status: Image is up to date for arm32v7/ubuntu:focal
docker.io/arm32v7/ubuntu:focal

Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [255 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [79.7 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [79.7 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [79.7 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/universe armhf Packages [11.0 MB]
Get:6 http://ports.ubuntu.com/ubuntu-ports focal/restricted armhf Packages [10.8 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports focal/main armhf Packages [1236 kB]
Get:8 http://ports.ubuntu.com/ubuntu-ports focal/multiverse armhf Packages [141 kB]
Fetched 12.9 MB in 6s (2183 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  gcc-10-base libc-bin libcrypt1 libgcc-s1
Suggested packages:
  manpages glibc-doc locales
The following NEW packages will be installed:
  gcc-10-base libcrypt1 libgcc-s1
The following packages will be upgraded:
  libc-bin libc6
2 upgraded, 3 newly installed, 0 to remove and 55 not upgraded.
Need to get 2770 kB of archives.
After this operation, 618 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports focal/main armhf gcc-10-base armhf 10-20200324-1ubuntu1 [18.5 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libgcc-s1 armhf 10-20200324-1ubuntu1 [36.2 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libcrypt1 armhf 1:4.4.10-10ubuntu4 [93.5 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc6 armhf 2.31-0ubuntu6 [2133 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal/main armhf libc-bin armhf 2.31-0ubuntu6 [489 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 2770 kB in 1s (5278 kB/s)
Selecting previously unselected package gcc-10-base:armhf.
(Reading database ... 4126 files and directories currently installed.)
Preparing to unpack .../gcc-10-base_10-20200324-1ubuntu1_armhf.deb ...
Unpacking gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Setting up gcc-10-base:armhf (10-20200324-1ubuntu1) ...
Selecting previously unselected package libgcc-s1:armhf.
(Reading database ... 4132 files and directories currently installed.)
Preparing to unpack .../libgcc-s1_10-20200324-1ubuntu1_armhf.deb ...
Unpacking libgcc-s1:armhf (10-20200324-1ubuntu1) ...
Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ...
Setting up libgcc-s1:armhf (10-20200324-1ubuntu1) ...
(Reading database ... 4134 files and directories currently installed.)
Preparing to unpack .../libc6_2.31-0ubuntu6_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu6) over (2.30-0ubuntu3) ...
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack):
 dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Information about the environment

docker version
Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        633a0ea
 Built:             Wed Nov 13 07:38:47 2019
 OS/Arch:           linux/arm
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.12
  Git commit:       633a0ea
  Built:            Wed Nov 13 07:32:48 2019
  OS/Arch:          linux/arm
  Experimental:     true
 containerd:
  Version:          1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
docker info
Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 19.03.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.4.127-mainline-rev1
 Operating System: Ubuntu 16.04.5 LTS
 OSType: linux
 Architecture: armv7l
 CPUs: 4
 Total Memory: 1.974GiB
 Name: arm32v7-ubuntu-03
 ID: W2ZP:3XMC:TH2A:OMPM:V542:GKAR:S6Q3:YKZC:QQHT:ERP2:LNHR:427E
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
Output of `check-config.sh`:
curl -fsSL https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh | bash
info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_NF_NAT_IPV4: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_NF_NAT_NEEDED: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_DEVPTS_MULTIPLE_INSTANCES: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
- CONFIG_MEMCG_SWAP_ENABLED: enabled
    (cgroup swap accounting is currently enabled)
- CONFIG_MEMCG_KMEM: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_IOSCHED_CFQ: enabled
- CONFIG_CFQ_GROUP_IOSCHED: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled (as module)
    - CONFIG_BRIDGE_VLAN_FILTERING: enabled
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled (as module)
      - CONFIG_CRYPTO_GCM: enabled (as module)
      - CONFIG_CRYPTO_SEQIV: enabled (as module)
      - CONFIG_CRYPTO_GHASH: enabled (as module)
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled (as module)
      - CONFIG_XFRM_ALGO: enabled
      - CONFIG_INET_ESP: enabled (as module)
      - CONFIG_INET_XFRM_MODE_TRANSPORT: enabled
  - "ipvlan":
    - CONFIG_IPVLAN: enabled (as module)
  - "macvlan":
    - CONFIG_MACVLAN: enabled (as module)
    - CONFIG_DUMMY: enabled (as module)
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_FTP: enabled (as module)
    - CONFIG_NF_NAT_TFTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_TFTP: enabled (as module)
- Storage Drivers:
  - "aufs":
    - CONFIG_AUFS_FS: enabled (as module)
  - "btrfs":
    - CONFIG_BTRFS_FS: enabled (as module)
    - CONFIG_BTRFS_FS_POSIX_ACL: enabled
  - "devicemapper":
    - CONFIG_BLK_DEV_DM: enabled (as module)
    - CONFIG_DM_THIN_PROVISIONING: enabled (as module)
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled (as module)
  - "zfs":
    - /dev/zfs: missing
    - zfs command: missing
    - zpool command: missing

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000
@thaJeztah thaJeztah added area/security/seccomp exp/expert kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. labels Mar 25, 2020
@thaJeztah thaJeztah added this to To do in 20.10 planning via automation Mar 25, 2020
@thaJeztah thaJeztah added this to the 20.03.0 milestone Mar 25, 2020
@thaJeztah
Member Author

Mentioned by @DeeDeeG on docker/containerd-packaging#151 (comment)

Not sure if this is helpful, but there are things here that sound related. From the changelog for libc6 in Focal:

glibc (2.31-0ubuntu1) focal; urgency=medium

  • Merge with current Debian git glibc-2.31.
  • debian/patches/git-updates.diff: update from upstream stable branch.
  • Ignore test failures for sysvipc/test-sysvmsg, sysvipc/test-sysvsem and
    sysvipc/test-sysvshm on 32bit architectures, failing on the xenial kernel,
    succeeding on the bionic and focal kernels.
  • Restore the __glibc_has_include macro, needed until GCC is rebuilt
    to not include this in the fixed-include headers.
  • Backport 5828bc4523230685ac29a4a882967913255f5666, making the clone3
    syscall known on arm64, fixing misc/tst-glibcsyscalls.
  • Ignore some float tests for the non-default armel multilib variant.
    https://sourceware.org/ml/libc-alpha/2020-03/msg00074.html

-- Matthias Klose <doko [at] ubuntu.com> Fri, 06 Mar 2020 12:06:42 +0100

Particularly the point about changing syscalls on ARM.

  • Backport 5828bc4523230685ac29a4a882967913255f5666, making the clone3
    syscall known on arm64, fixing misc/tst-glibcsyscalls.

@thaJeztah
Member Author

@AkihiroSuda @justincormack @cpuguy83 @tiborvass I could use some help on this to investigate what needs to be changed (does our default profile need changing? does libseccomp itself need a change to understand a new syscall? is this a bug in the package?)

@thaJeztah
Member Author

Oh, and perhaps @kolyshkin (as you like working on low-level stuff 😂)

@thaJeztah
Member Author

If it's indeed related to the clone3 syscall, I see that was added to libseccomp master in seccomp/libseccomp@bf747eb, and backported to the 2.4 release branch in seccomp/libseccomp#179, which is included in libseccomp 2.4.2 and up; https://github.com/seccomp/libseccomp/blob/v2.4.2/include/seccomp-syscalls.h#L251

@thaJeztah
Member Author

I guess the default profile may need to have some of the new syscalls (added in seccomp/libseccomp@bf747eb) added to the whitelist

@thaJeztah
Member Author

Opened a PR to add the 64-bit time_t syscalls to the seccomp profile: #40739

To be looked at:

These syscalls are also new (and added to libseccomp in seccomp/libseccomp@bf747eb), but need to be looked at separately

  • clone3 (equivalent of clone? which was not whitelisted)
  • fsconfig
  • fsmount
  • fsopen
  • fspick
  • move_mount
  • open_tree
  • pidfd_open
  • pidfd_send_signal

@thaJeztah
Member Author

Changing the profile unfortunately didn't solve the problem: the problem looks to be the libseccomp version. When installing libseccomp 2.4.3, the problem does not reproduce.

Unfortunately, that version is not available on Ubuntu versions < 20.03 (https://packages.ubuntu.com/search?keywords=libseccomp2).

So for debugging, I installed the package from the ubuntu 20.03 repository.

What it comes down to:

The container we're running (ubuntu:20.03) makes a syscall that's introduced in Linux 5.x, but docker in this case is running on a 4.x kernel (the host is Ubuntu 16.04). The version of libseccomp installed on the host is not taking kernel 5.x syscalls into account, receives an error, and (likely) in that case blocks the syscall.

Solutions for this would be to:

  • ask Ubuntu and Debian package maintainers to provide libseccomp 2.4.3 packages for older (LTS) releases. It's a patch release, so possibly acceptable for them. On the other hand; it's adding "features" for a kernel version that's not used by those versions of Ubuntu / Debian.
  • somehow make libseccomp handle "unknown" syscalls, and perhaps allow them (instead of blocking)? (not exactly sure how it's handling these, so I'd have to read up on that); probably that's the same (similar) as changing our "whitelist" to a "blacklist" (which could weaken security)
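
The two comments above (the missing entries in the default profile, and the host's libseccomp not knowing 5.x syscalls) can be worked through with a small model. The following is an added example written for this page; it is not code from the moby project or from the thread's participants. It assumes a cut-down Docker-format profile constructed for the example, a constructed table of which names an "old" versus a "new" libseccomp can resolve, that `utimensat_time64` (a real Linux 5.1 syscall on 32-bit targets, never named on this page) is the call behind tar's "Cannot utime" error, that the runtime skips a profile entry whose name the host's libseccomp cannot resolve, and that glibc 2.31 on 32-bit falls back from the time64 call to the classic one only on ENOSYS. Rule resolution is simplified to first match (args, caps and minKernel filters are not modelled).

```python
"""Added example (not moby project code): how a Docker-format seccomp profile,
the host's libseccomp version and glibc's 64-bit time_t fallback combine on
32-bit arm. Profile and syscall tables below are constructed for the example."""
import json

# Constructed, cut-down profile in Docker's JSON format; the real default
# profile is far larger. Arch names are the short names the format uses.
PROFILE_JSON = r'''
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["close", "openat", "read", "utimensat", "write"],
     "action": "SCMP_ACT_ALLOW", "includes": {}, "excludes": {}},
    {"names": ["arm_fadvise64_64", "breakpoint", "cacheflush", "set_tls"],
     "action": "SCMP_ACT_ALLOW",
     "includes": {"arches": ["arm", "arm64"]}, "excludes": {}}
  ]
}
'''

# Real Linux 5.1 syscall names for 32-bit targets (a subset). utimensat_time64
# is ASSUMED to be the call behind tar's "Cannot utime"; the page never names it.
TIME64_NAMES = ["clock_gettime64", "futex_time64", "ppoll_time64", "utimensat_time64"]

# Constructed stand-ins for what each libseccomp generation can resolve by name:
# "old" = a release predating the time64 additions, "new" = one that has them.
LIBSECCOMP_OLD = frozenset({"close", "openat", "read", "utimensat", "write",
                            "arm_fadvise64_64", "breakpoint", "cacheflush", "set_tls"})
LIBSECCOMP_NEW = LIBSECCOMP_OLD | frozenset(TIME64_NAMES)


def rule_applies(rule, arch):
    """Honour the includes/excludes arch filters of one profile entry."""
    inc = rule.get("includes", {}).get("arches")
    exc = rule.get("excludes", {}).get("arches")
    if inc and arch not in inc:
        return False
    if exc and arch in exc:
        return False
    return True


def effective_action(profile, name, arch, known_syscalls):
    """Action the installed filter gives `name` for a container of `arch`.

    Simplifications: first matching entry wins (args/caps/minKernel are not
    modelled), and a name the host's libseccomp cannot resolve is ASSUMED to be
    skipped when the filter is built, so the kernel has no rule for it and
    applies defaultAction. profile=None stands for seccomp=unconfined.
    """
    if profile is None:
        return "SCMP_ACT_ALLOW"
    if name in known_syscalls:
        for rule in profile["syscalls"]:
            if name in rule["names"] and rule_applies(rule, arch):
                return rule["action"]
    return profile["defaultAction"]


def with_time64_allowed(profile):
    """Copy of `profile` that allows the time64 calls on 32-bit arches
    (the arch list is constructed for the example)."""
    patched = json.loads(json.dumps(profile))
    patched["syscalls"].append({"names": list(TIME64_NAMES), "action": "SCMP_ACT_ALLOW",
                                "includes": {"arches": ["arm", "386"]}, "excludes": {}})
    return patched


def simulate_utime(profile, arch, known_syscalls, kernel_has_time64):
    """Model of glibc 2.31 on 32-bit: try utimensat_time64, retry with the
    classic utimensat only if the kernel answers ENOSYS. The seccomp filter
    runs before syscall dispatch, so an ERRNO verdict (EPERM) comes back even
    from a kernel that does not implement the call, and glibc does not retry."""
    if effective_action(profile, "utimensat_time64", arch, known_syscalls) != "SCMP_ACT_ALLOW":
        return "EPERM"      # what tar reports as "Operation not permitted"
    if kernel_has_time64:
        return "OK"
    # kernel answered ENOSYS: glibc retries with the classic call
    action = effective_action(profile, "utimensat", arch, known_syscalls)
    return "OK" if action == "SCMP_ACT_ALLOW" else "EPERM"


OLD_PROFILE = json.loads(PROFILE_JSON)
PATCHED_PROFILE = with_time64_allowed(OLD_PROFILE)

if __name__ == "__main__":
    scenarios = [
        ("old profile, old libseccomp, 4.x host", OLD_PROFILE, LIBSECCOMP_OLD, False),
        ("patched profile, old libseccomp, 4.x host", PATCHED_PROFILE, LIBSECCOMP_OLD, False),
        ("patched profile, new libseccomp, 4.x host", PATCHED_PROFILE, LIBSECCOMP_NEW, False),
        ("old profile, new libseccomp, 5.x host", OLD_PROFILE, LIBSECCOMP_NEW, True),
        ("seccomp=unconfined", None, LIBSECCOMP_OLD, False),
    ]
    for label, prof, libseccomp, has_time64 in scenarios:
        print(f"{label:45s} -> {simulate_utime(prof, 'arm', libseccomp, has_time64)}")
```

The scenario table reproduces the thread's observations under the stated assumptions: adding the entries to the profile alone does nothing on a host whose libseccomp cannot resolve the names (the rule is never installed, so defaultAction fires), while a host with a newer libseccomp but an unpatched profile still fails even on a 5.x kernel, because the filter refuses the call with EPERM before the kernel ever sees it.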

@DeeDeeG

DeeDeeG commented Mar 27, 2020

To reach out to Ubuntu, one can try the ubuntu-devel-discuss mailing list: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss (must subscribe to the list before sending mail in, or else your post will sit in a moderation queue for who knows how long...)

I'm not sure where the best point of contact would be for debian... They have this: https://lists.debian.org/debian-devel/ (Seems pretty busy, IMO. But at least most threads get a response.)

Edit to add: The individual debian package maintainers for libseccomp2, and their email addresses, are listed here: https://packages.debian.org/unstable/libseccomp2

@tianon
Member

tianon commented Apr 15, 2020

Given the goal is to get it into both Debian and Ubuntu's stable releases, I'd suggest starting with the Debian package maintainers. They're probably not going to want to do the minor patch bump in stable unless it's just the minimal patch (and the release team will be the final deciders anyhow, and they're typically pretty strict about wanting patches to be minimal unless you've got a really compelling reason to do otherwise), so I'd suggest creating a patch of the absolute bare minimum (which I guess would be either https://github.com/seccomp/libseccomp/commit/bf747eb21e428c2b3ead6ebcca27951b681963a0.patch or more likely https://github.com/seccomp/libseccomp/commit/be65b26b67099be2b2b4890d736dbd1ad15adf36.patch since that's the exact 2.4-backport commit) and including in your communication that upstream backported it to 2.4 in v2.4.2 (which is where your patch comes from).

As for contacting the maintainers, you could try emailing libseccomp@tracker.debian.org, but you're likely to have better luck via a proper bug (and I'd suggest using the reportbug tool from an up-to-date Buster system to file that so it can include useful metadata for the maintainers).

Concurrently, I'd suggest contacting the Ubuntu libseccomp maintainers in the same way, although via https://bugs.launchpad.net/ubuntu/+source/libseccomp (I believe reportbug on an Ubuntu system will work there as well, but I don't think it's quite as strongly preferred in Ubuntu, especially since you've got plenty of detail you can provide about the issue and your proposed fix, including a patch).

@thelamer

thelamer commented Apr 18, 2020

@thaJeztah
At Linuxserver we cannot update our focal base or really install much of anything due to libc needing to be upgraded to match deps. With qemu (https://github.com/multiarch/qemu-user-static) armhf everything works as it should, but on native hardware you get back denied on everything from tar to gnupg and really anything that refs libc.
On my native hardware I am running a 5.4.28 kernel with seccomp enabled:

root@odroidxu4-3:~# cat /boot/config-5.4.28-odroidxu4 |grep -i secc
CONFIG_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
root@odroidxu4-3:~# uname -a
Linux odroidxu4-3 5.4.28-odroidxu4 #20.02.7 SMP PREEMPT Thu Mar 26 23:36:03 CET 2020 armv7l armv7l armv7l GNU/Linux

Focal repos have been purged of 2.30 libc6 and the base image used to build ubuntu images comes default with 2.31 now https://partner-images.canonical.com/core/focal/current/ubuntu-focal-core-cloudimg-armhf-root.tar.gz .

Now I am running Docker version 19.03.8, build afacb8b and this does pre-date your backport I believe, just thought you would want to know that for some reason this works in qemu but on native armhf hardware with a host running a 5.x series Kernel still getting perm denied. The host is Bionic but I have manually installed this deb https://launchpad.net/ubuntu/+source/libseccomp/2.4.3-1ubuntu1/+build/19122021/+files/libseccomp2_2.4.3-1ubuntu1_armhf.deb .

Edit: if you need me to do any testing let me know.

@iamthebot

iamthebot commented Apr 25, 2020

@thaJeztah Actually, I can reproduce this on a host running Ubuntu Focal (20.04) building an Ubuntu Focal docker image with up to date libseccomp2 (2.4.3-1) on ARMHF.

uname -a
Linux ubuntu 5.4.0-1008-raspi #8-Ubuntu SMP Wed Apr 8 11:17:03 UTC 2020 armv7l armv7l armv7l GNU/Linux
sudo apt-get upgrade libseccomp2
Reading package lists... Done
Building dependency tree
Reading state information... Done
libseccomp2 is already the newest version (2.4.3-1ubuntu1).
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Now, let's try and build the following Dockerfile...

FROM arm32v7/ubuntu:focal AS add-apt-repositories

RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y gnupg \
 && apt-key adv --fetch-keys http://www.webmin.com/jcameron-key.asc \
 && echo "deb http://download.webmin.com/download/repository sarge contrib" >> /etc/apt/sources.list

FROM arm32v7/ubuntu:focal

LABEL maintainer="sameer@damagehead.com"

ENV BIND_USER=bind \
    BIND_VERSION=9.11.3 \
    WEBMIN_VERSION=1.9 \
    DATA_DIR=/data

COPY --from=add-apt-repositories /etc/apt/trusted.gpg /etc/apt/trusted.gpg

COPY --from=add-apt-repositories /etc/apt/sources.list /etc/apt/sources.list

RUN rm -rf /etc/apt/apt.conf.d/docker-gzip-indexes \
 && apt-get update \
 && apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-upgrade \
      bind9=1:${BIND_VERSION}* bind9-host=1:${BIND_VERSION}* dnsutils \
      webmin=${WEBMIN_VERSION}* \
 && rm -rf /var/lib/apt/lists/*

COPY entrypoint.sh /sbin/entrypoint.sh

RUN chmod 755 /sbin/entrypoint.sh

EXPOSE 53/udp 53/tcp 10000/tcp

ENTRYPOINT ["/sbin/entrypoint.sh"]

CMD ["/usr/sbin/named"]

Indeed, during the apt-get install we see the utime error:

debconf: delaying package configuration, since apt-utils is not installed
Fetched 7814 kB in 29s (272 kB/s)
Selecting previously unselected package gcc-10-base:armhf.
(Reading database ... 4126 files and directories currently installed.)
Preparing to unpack .../gcc-10-base_10-20200411-0ubuntu1_armhf.deb ...
Unpacking gcc-10-base:armhf (10-20200411-0ubuntu1) ...
Setting up gcc-10-base:armhf (10-20200411-0ubuntu1) ...
Selecting previously unselected package libgcc-s1:armhf.
(Reading database ... 4131 files and directories currently installed.)
Preparing to unpack .../libgcc-s1_10-20200411-0ubuntu1_armhf.deb ...
Unpacking libgcc-s1:armhf (10-20200411-0ubuntu1) ...
Replacing files in old package libgcc1:armhf (1:9.2.1-21ubuntu1) ...
Setting up libgcc-s1:armhf (10-20200411-0ubuntu1) ...
(Reading database ... 4133 files and directories currently installed.)
Preparing to unpack .../libc6_2.31-0ubuntu9_armhf.deb ...
Checking for services that may need to be restarted...
Checking init scripts...
Checking for services that may need to be restarted...
Checking init scripts...
Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu9) over (2.30-0ubuntu3) ...
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors

It's not easy to work around because unfortunately --security-opt is not supported for builds in the current stable docker daemon.

@rhastie

rhastie commented Apr 25, 2020

@thaJeztah Actually, I can reproduce this on a host running Ubuntu Focal (20.04) building an Ubuntu Focal docker image with up to date libseccomp2 (2.4.3-1) on ARMHF.

@thaJeztah @iamthebot Agreed - I also have been able to reproduce this on a Raspi 4B+ running Ubuntu Focal (20.04) building an Ubuntu Focal docker image with up to date libseccomp2 (2.4.3-1) - kernel was running in 32-bit mode, i.e. ARMHF.

Nothing to restart.
Unpacking libc6:armhf (2.31-0ubuntu9) over (2.30-0ubuntu3) ...
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb (--unpack):
 dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
 /var/cache/apt/archives/libcrypt1_1%3a4.4.10-10ubuntu4_armhf.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

@iav

iav commented May 31, 2020

docker run -e DEBIAN_FRONTEND=noninteractive --rm --privileged arm32v7/ubuntu:focal sh -c 'apt-get -q update && apt-get install -y libc6' works.
Add --privileged if you can.

@rhastie

rhastie commented May 31, 2020

@iav Unfortunately, I can't - I'm building using a new Dockerfile and ubuntu:focal as my base image. I'm using docker build/buildx. IIRC --privileged isn't supported with docker build or buildx.

@thelamer

thelamer commented Jun 3, 2020

It looks like with the release of Docker 19.03.11 this has been addressed, at least on native hardware running a 5.x kernel.
We are still looping internally to see if the same is true for older kernels; will update this post.

Any notes on the fixes implemented?

Edit: It looks like this fix is comprehensive; with this new version of Docker this is no longer an issue even on a host running an old 4.x series kernel.
I think this issue can be closed out.

@thaJeztah
Member Author

Add --privileged if you can.

@iav running with --privileged is not a solution; the reason it works with --privileged is that it disables all (or at least most) security measures that containers provide (among which, disabling seccomp).

@thelamer thanks! I think the problem occurred when running an ubuntu:20.04 container on an older version of ubuntu (16.04), which has a 4.x kernel, so the issue in that case was that the container is making syscalls that the host didn't understand (or at least libseccomp on the host).

@bdruth

bdruth commented Sep 20, 2021

For anyone else coming here and trying to figure out how to add seccomp-profile in daemon.json - I couldn't find that in the Raspbian buster install of docker - nor could I find docs on setting this up anywhere. I ended up just adding --seccomp-profile=/path/to/default.json in /etc/systemd/system/multi-user.target.wants/docker.service in the ExecStart line, as the first arg to /usr/bin/dockerd. You'll need to also run:

sudo systemctl daemon-reload
sudo systemctl restart docker

Enjoy!
