emacs-diffs

master 345de32a5d: Port bwrap/allows-stdout test to Ubuntu 22.04.1


From: Paul Eggert
Subject: master 345de32a5d: Port bwrap/allows-stdout test to Ubuntu 22.04.1
Date: Mon, 10 Oct 2022 15:36:47 -0400 (EDT)

branch: master
commit 345de32a5db8ef165feeda77c99ce56e4d6e911c
Author: Paul Eggert <eggert@cs.ucla.edu>
Commit: Paul Eggert <eggert@cs.ucla.edu>

    Port bwrap/allows-stdout test to Ubuntu 22.04.1
    
    Without this patch, Ubuntu 22.04.1 x86-64 "make check" reports a
    failure in test/src/emacs-tests.el’s
    emacs-tests/bwrap/allows-stdout.  One can reproduce the bug
    without using the Emacs executable, by running this script:
    
      #!/bin/bash
      export LC_ALL=C
      exec strace -f -o /tmp/tr bwrap --ro-bind / / --seccomp 20 -- \
        cat /dev/null 20< lib-src/seccomp-filter-exec.bpf
    
    This script exits with status 159, because "cat" didn’t get
    started (it got a SIGSYS signal early on).
    
    The command "journalctl -g SECCOMP" indicated that rseq (syscall
    334) was the problem.  This syscall is issued by
    /lib64/ld-linux-x86-64.so.2 before ‘main’ is called.
    
    There’s another problem with the clone3 syscall, which is used by
    pthread_create starting in glibc 2.34.  pthread_create is called
    by g_child_watch_source_new, which is called by
    init_process_emacs.
    
    * lib-src/seccomp-filter.c (main): Allow rseq, clone3.  This
    causes the test to pass.  Perhaps a fancier, more accurate patch
    could be written by someone who has the time.
---
 lib-src/seccomp-filter.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib-src/seccomp-filter.c b/lib-src/seccomp-filter.c
index 041bf5c749..e45aa0c17f 100644
--- a/lib-src/seccomp-filter.c
+++ b/lib-src/seccomp-filter.c
@@ -206,6 +206,9 @@ main (int argc, char **argv)
         SCMP_A2_32 (SCMP_CMP_MASKED_EQ,
                     ~(PROT_NONE | PROT_READ | PROT_WRITE), 0));
 
+  /* Allow restartable sequences.  The dynamic linker uses them.  */
+  RULE (SCMP_ACT_ALLOW, SCMP_SYS (rseq));
+
   /* Futexes are used everywhere.  */
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (futex),
         SCMP_A1_32 (SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE));
@@ -324,6 +327,8 @@ main (int argc, char **argv)
                       | CLONE_SETTLS | CLONE_PARENT_SETTID
                       | CLONE_CHILD_CLEARTID),
                     0));
+  /* glibc 2.34+ pthread_create uses clone3.  */
+  RULE (SCMP_ACT_ALLOW, SCMP_SYS (clone3));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (sigaltstack));
   RULE (SCMP_ACT_ALLOW, SCMP_SYS (set_robust_list));
 
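Review bot: `RULE (SCMP_ACT_ALLOW, SCMP_SYS (clone3));` allows clone3 with no argument check, whereas the rule ending just above it compares a masked CLONE_* flag set against 0. clone3 takes its flags inside a struct passed by pointer, which a seccomp filter cannot dereference, so this line cannot be tightened the same way and in effect lifts the flag restriction the preceding rule enforces. Consider answering clone3 with `SCMP_ACT_ERRNO (ENOSYS)` instead, so that glibc falls back to clone and the existing flag check still applies. If the unconditional allow stays, extend the comment to state that the flags are not being filtered here. The commit message already notes that a more accurate patch could be written.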


