
seccomp: Allow personality with UNAME26 bit set. #32965

Merged
merged 1 commit into from May 3, 2017

5 participants
@ijc (Contributor) commented May 2, 2017

From personality(2):

Have uname(2) report a 2.6.40+ version number rather than a 3.x version
number.  Added as a stopgap measure to support broken applications that
could not handle the  kernel  version-numbering  switch  from 2.6.x to 3.x.

This allows both "UNAME26|PER_LINUX" and "UNAME26|PER_LINUX32".

Fixes: #32839

Signed-off-by: Ian Campbell ian.campbell@docker.com

- What I did

Added UNAME26 to allowable calls to personality(2)

- How I did it

Editing the seccomp profile then running go generate github.com/moby/moby/profiles/seccomp

- How to verify it

docker run -t --rm debian setarch $(arch) --uname-2.6 uname -a should return a 2.6.X instead of 4.x. For me it returns 2.6.69-2-amd64 rather than 4.9.0-2-amd64.

- Description for the changelog

Support use of setarch --uname-2.6 in containers.

- A picture of a cute animal (not mandatory but encouraged)
Spider Kitten:

seccomp: Allow personality with UNAME26 bit set.
From personality(2):

    Have uname(2) report a 2.6.40+ version number rather than a 3.x version
    number.  Added as a stopgap measure to support broken applications that
    could not handle the  kernel  version-numbering  switch  from 2.6.x to 3.x.

This allows both "UNAME26|PER_LINUX" and "UNAME26|PER_LINUX32".

Fixes: #32839

Signed-off-by: Ian Campbell <ian.campbell@docker.com>
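Added example, not code from this PR or from moby: a small Go evaluator for argument-filtered seccomp rules of the kind this change touches. The JSON excerpt is constructed in the shape of profiles/seccomp/default.json (it is not the project's file), and Evaluate is a simplified model of how libseccomp matches a syscall against such rules, not the library's own logic. It shows why allowing "UNAME26|PER_LINUX" and "UNAME26|PER_LINUX32" takes one exact-value (SCMP_CMP_EQ) entry each, and that any personality value the profile does not list, such as ADDR_NO_RANDOMIZE (0x0040000, assumed here only as an unlisted bit), still gets the default action.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Personality values from <linux/personality.h>; UNAME26 is a flag bit
// OR-ed into a base personality (setarch --uname-2.6 sets it).
const (
	PER_LINUX   uint64 = 0x0000
	PER_LINUX32 uint64 = 0x0008
	UNAME26     uint64 = 0x0020000
)

// Subset of the Docker seccomp profile schema that the evaluator needs.
type Arg struct {
	Index    uint   `json:"index"`
	Value    uint64 `json:"value"`
	ValueTwo uint64 `json:"valueTwo"`
	Op       string `json:"op"`
}

type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
	Args   []Arg    `json:"args"`
}

type Profile struct {
	DefaultAction string    `json:"defaultAction"`
	Syscalls      []Syscall `json:"syscalls"`
}

// ProfileJSON is a constructed excerpt, not the project's file, in the shape of
// moby's profiles/seccomp/default.json: one SCMP_CMP_EQ rule per permitted first
// argument. 131072 (UNAME26|PER_LINUX) and 131080 (UNAME26|PER_LINUX32) are the
// two values this PR adds; 0 and 8 are the base personalities they combine with.
const ProfileJSON = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW", "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW", "args": [{"index": 0, "value": 8, "op": "SCMP_CMP_EQ"}]},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW", "args": [{"index": 0, "value": 131072, "op": "SCMP_CMP_EQ"}]},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW", "args": [{"index": 0, "value": 131080, "op": "SCMP_CMP_EQ"}]}
  ]
}`

func LoadProfile(s string) (*Profile, error) {
	var p Profile
	err := json.Unmarshal([]byte(s), &p)
	return &p, err
}

// argMatches applies one libseccomp comparison. For SCMP_CMP_MASKED_EQ the
// profile's "value" is the mask and "valueTwo" the expected arg & mask. An
// unknown operator never matches, so a misspelled op fails closed, not open.
func argMatches(a Arg, arg uint64) bool {
	switch a.Op {
	case "SCMP_CMP_EQ":
		return arg == a.Value
	case "SCMP_CMP_MASKED_EQ":
		return arg&a.Value == a.ValueTwo
	}
	return false
}

func argsMatch(rules []Arg, args []uint64) bool {
	for _, a := range rules {
		if int(a.Index) >= len(args) || !argMatches(a, args[a.Index]) {
			return false
		}
	}
	return true
}

// Evaluate models an allow-list profile: the first rule that names the syscall
// and whose argument comparisons all hold decides, else defaultAction applies.
func Evaluate(p *Profile, name string, args ...uint64) string {
	for _, sc := range p.Syscalls {
		for _, n := range sc.Names {
			if n == name && argsMatch(sc.Args, args) {
				return sc.Action
			}
		}
	}
	return p.DefaultAction
}

func main() {
	p, err := LoadProfile(ProfileJSON)
	if err != nil {
		panic(err)
	}
	// 0x0040000 is ADDR_NO_RANDOMIZE, a personality bit the profile does not list.
	for _, v := range []uint64{PER_LINUX, UNAME26 | PER_LINUX, UNAME26 | PER_LINUX32, 0x0040000} {
		fmt.Printf("personality(0x%x) -> %s\n", v, Evaluate(p, "personality", v))
	}
}
```

Because the rules compare the whole argument, a value that carries UNAME26 plus any other bit is still refused; that is what keeps the change from widening personality(2) beyond the uname fudge. The same four-value allow-list can be written as two SCMP_CMP_MASKED_EQ rules instead, one per base personality, with `"value": 4294836223` (0xFFFDFFFF, every bit except UNAME26) and `"valueTwo"` set to 0 or 8; the evaluator above handles that operator too, and the exact-value form used here is simply easier to audit.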
@thaJeztah (Member) commented May 2, 2017

ping @justincormack PTAL

@ijc (Contributor) commented May 3, 2017

powerpc failure is:

15:17:45 FAIL: check_test.go:355: DockerSwarmSuite.TearDownTest
15:17:45 
15:17:45 unmount of /tmp/docker-execroot/d2e5d1f5ff906/netns failed: invalid argument
15:17:45 unmount of /tmp/docker-execroot/d2e5d1f5ff906/netns failed: no such file or directory
15:17:45 check_test.go:360:
15:17:45     d.Stop(c)
15:17:45 daemon/daemon.go:392:
15:17:45     t.Fatalf("Error while stopping the daemon %s : %v", d.id, err)
15:17:45 ... Error: Error while stopping the daemon dc4fe119054cc : exit status 2
15:17:45 
15:17:45 
15:17:45 ----------------------------------------------------------------------
15:17:45 PANIC: docker_cli_swarm_test.go:1371: DockerSwarmSuite.TestSwarmClusterRotateUnlockKey

Unlikely to be due to this change I think.

@justincormack (Contributor) commented May 3, 2017

Why? And does this do any other kind of emulation?

@justincormack (Contributor) commented May 3, 2017

Why does stretch suddenly want to do this? kernel 2.6 is ancient...

@ijc (Contributor) commented May 3, 2017

Why?

User was tripping over this in #32839, I suppose they only just upgraded from Jessie to Stretch now that Stretch is deeply frozen. In Jessie AIUI seccomp is not enabled in our packages so they wouldn't have noticed this.

And does this do any other kind of emulation?

I checked in 4.9.25 and it is used solely to fudge the result of uname.

Why does stretch suddenly want to do this? kernel 2.6 is ancient...

It's not stretch but the user's containerised application which (presumably) wants this. Running old (even ancient) crufty stuff in a container seems like a valid usecase.

@tophj-ibm (Contributor) commented May 3, 2017

@ijc25 yeah powerpc failure not related, issue with swarm/etcd.

@justincormack (Contributor) commented May 3, 2017

ok, LGTM

@thaJeztah

LGTM

@thaJeztah thaJeztah merged commit bf5cf84 into moby:master May 3, 2017

5 of 6 checks passed

powerpc: Jenkins build Docker-PRs-powerpc 2508 has failed
dco-signed: All commits are signed
experimental: Jenkins build Docker-PRs-experimental 33517 has succeeded
janky: Jenkins build Docker-PRs 42121 has succeeded
windowsRS1: Jenkins build Docker-PRs-WoW-RS1 13316 has succeeded
z: Jenkins build Docker-PRs-s390x 2197 has succeeded

@GordonTheTurtle GordonTheTurtle added this to the 17.06.0 milestone May 3, 2017

@ijc ijc deleted the ijc:setarch-2.6 branch May 4, 2017
