whitelist 64-bit time syscalls

Bug #1886831 reported by xantares
This bug affects 1 person
Affects: docker.io (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none listed

Bug Description

following up the libseccomp SRU to handle newer syscalls:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1876055

docker needs to be updated to support newer syscalls including:
403: clock_gettime64
404: clock_settime64
405: clock_adjtime64
406: clock_getres_time64
407: clock_nanosleep_time64
408: timer_gettime64
409: timer_settime64
410: timerfd_gettime64
411: timerfd_settime64
412: utimensat_time64
413: pselect6_time64
414: ppoll_time64

here are the relevant changes to backport:
https://github.com/docker/docker-ce/commit/3c5d28f12ba6f3839ae77837633372993a073f57

here is a test case that ends up calling utimensat_time64 via docker:
cd /tmp && git clone https://github.com/xantares/test-seccomp-time64.git && docker build test-seccomp-time64

This affects bionic, but also focal, as the same version 19.03 is used.

Tags: patch
xantares (xantares09)
description: updated
xantares (xantares09)
description: updated
xantares (xantares09) wrote :

I ran more tests, and the first version to work is 19.03.9. I wonder if an update would be possible:

bionic: 19.03.6 => 19.03.9
focal: 19.03.8 => 19.03.9
groovy: 19.03.11 ok

xantares (xantares09)
summary: - whitelist 64-bit time_t syscalls
+ whitelist 64-bit time syscalls
Alex Murray (alexmurray) wrote :

It is not clear to me whether this is a request for a feature addition to docker.io to support these syscalls, or whether it is a report of a regression that has occurred as a result of the SRU - can you please clarify?

xantares (xantares09) wrote :

This is a feature request for the docker version in bionic/focal to pick up a commit from v19.03.9
to allow these syscalls (or to update these packages to 19.03.9).

The libseccomp SRU was a necessary condition to allow such a backport
(in other words, the syscalls were blocked at the libseccomp level; now they're only blocked at the docker level).
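The syscall list in the bug description and the point made in the comment above (first blocked by libseccomp, now blocked only by docker) both come down to the engine's default seccomp profile not naming the time64 syscalls. The script below is an added example, not code from the reporter or from Docker. It adds the twelve names from the description to a profile JSON in the shape of the engine's default.json, placing each time64 variant in the rule that already lists its legacy counterpart, so that a capability-gated rule (the stock profile allows clock_settime only when the container has CAP_SYS_TIME) is not silently widened by dropping clock_settime64 into the unconditional allow list. SAMPLE_PROFILE is a constructed, cut-down stand-in for the real profile, and the function names and the file name add_time64.py are my own.

```python
"""Add the 64-bit time syscalls to a Docker seccomp profile (added example).

Each *_time64 / *64 name is appended to the rule that already lists its
32-bit-time counterpart, so per-rule capability gating is preserved.
"""
import copy
import json
import sys

# Syscall names from the bug description.  The numbers given there are
# architecture-specific; a Docker profile matches on names, not numbers.
TIME64_SYSCALLS = (
    "clock_gettime64", "clock_settime64", "clock_adjtime64",
    "clock_getres_time64", "clock_nanosleep_time64",
    "timer_gettime64", "timer_settime64",
    "timerfd_gettime64", "timerfd_settime64",
    "utimensat_time64", "pselect6_time64", "ppoll_time64",
)

# Constructed, cut-down profile in the shape of the engine's default.json:
# one broad allow rule plus a CAP_SYS_TIME-gated rule for clock setting.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "archMap": [{"architecture": "SCMP_ARCH_X86_64",
                 "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]}],
    "syscalls": [
        {"names": ["clock_adjtime", "clock_getres", "clock_gettime",
                   "clock_nanosleep", "ppoll", "pselect6", "timer_gettime",
                   "timer_settime", "timerfd_gettime", "timerfd_settime",
                   "utimensat"],
         "action": "SCMP_ACT_ALLOW", "args": [], "comment": "",
         "includes": {}, "excludes": {}},
        {"names": ["settimeofday", "stime", "clock_settime"],
         "action": "SCMP_ACT_ALLOW", "args": [], "comment": "",
         "includes": {"caps": ["CAP_SYS_TIME"]}, "excludes": {}},
    ],
}


def legacy_name(name):
    """Map a time64 syscall name to its 32-bit-time counterpart."""
    for suffix in ("_time64", "64"):
        if name.endswith(suffix):
            return name[:-len(suffix)]
    raise ValueError("not a time64 syscall: %s" % name)


def add_time64_syscalls(profile, names=TIME64_SYSCALLS):
    """Return (patched copy, names whose counterpart no rule lists).

    The input profile is not modified.  A name already present is left
    alone, so running the function twice is harmless.
    """
    out = copy.deepcopy(profile)
    unplaced = []
    for name in names:
        base = legacy_name(name)
        for rule in out["syscalls"]:
            if base in rule["names"]:
                if name not in rule["names"]:
                    rule["names"].append(name)
                break
        else:  # no rule lists the legacy counterpart; report, do not guess
            unplaced.append(name)
    return out, unplaced


def rule_for(profile, name):
    """Return the rule that lists `name`, or None if no rule allows it."""
    for rule in profile["syscalls"]:
        if name in rule["names"]:
            return rule
    return None


if __name__ == "__main__":
    # Usage: python3 add_time64.py default.json > patched.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = json.load(fh)
    else:
        source = SAMPLE_PROFILE
    patched, unplaced = add_time64_syscalls(source)
    json.dump(patched, sys.stdout, indent=4)
    sys.stdout.write("\n")
    if unplaced:
        sys.stderr.write("no rule lists the counterpart of: %s\n"
                         % ", ".join(unplaced))
```

Run it against a copy of the real profile and pass the result to the daemon with `docker run --security-opt seccomp=patched.json ...` as a stop-gap on a package that lacks the upstream commit. The added names only help once the host's libseccomp can resolve them, which is exactly what the libseccomp SRU linked in the description provides; on an older libseccomp the entries cannot be enforced regardless of what the profile says. The `unplaced` list is deliberate: if a profile has been trimmed so that, say, ppoll is no longer allowed, ppoll_time64 should not be added anywhere, and the script reports it rather than inventing a home for it.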

xantares (xantares09) wrote :

I just rebuilt docker-doc_19.03.6-0ubuntu1~18.04.1_all.deb (in bionic) with this patch:
apt-get source docker.io && cd docker.io-19.03.6/ && curl -L https://github.com/docker/docker-ce/commit/3c5d28f12ba6f3839ae77837633372993a073f57.patch | patch -p1 && dpkg-source --commit && debuild -us -uc

I can confirm this patch applies cleanly and fixes the issue:
https://github.com/docker/docker-ce/commit/3c5d28f12ba6f3839ae77837633372993a073f57

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "engine-seccomp-add-64-bit-time_t-syscalls.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
xantares (xantares09) wrote :

Is there a git repository for Ubuntu's docker.io package where I could submit the update?

xantares (xantares09) wrote :

Hello, could someone help get that patch merged?
