authorMaciek Borzecki2021-09-29 08:57:03 +0200
committerMaciek Borzecki2021-09-29 08:57:03 +0200
commit16d957062658d571fcdc9d07a12b04ef63a0fdf6 (patch)
tree53cc0a091de1ee969073ed2bf8129b923b12f9bc
parent955b2637a72b2a89aa8eaf896c82571c1ebd965f (diff)
upgpkg: snapd 2.52-3
Cherry-pick the seccomp clone3 patch from upstream.

Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
-rw-r--r--.SRCINFO4
-rw-r--r--0002-interfaces-seccomp-add-clone3-to-default-template.patch48
-rw-r--r--PKGBUILD10
3 files changed, 58 insertions, 4 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 7ca88742f324..91a4c1acd936 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = snapd
pkgdesc = Service and tools for management of snap packages.
pkgver = 2.52
- pkgrel = 2
+ pkgrel = 3
url = https://github.com/snapcore/snapd
install = snapd.install
arch = x86_64
@@ -29,7 +29,9 @@ pkgbase = snapd
options = emptydirs
source = snapd-2.52.tar.xz::https://github.com/snapcore/snapd/releases/download/2.52/snapd_2.52.vendor.tar.xz
source = 0001-cmd-libsnap-confine-private-g_spawn_check_exit_statu.patch
+ source = 0002-interfaces-seccomp-add-clone3-to-default-template.patch
sha256sums = a686a071251f8853c5c6789023091510332a49063334c9af29d48b066f8726c4
sha256sums = fb2bece54758fd167b4e7d8df71786a204617ccbed241457ee30d27ab0048f77
+ sha256sums = f7a48d5d30858c0c033563ae9cfdea75ac2e7c45503760bf3cc336688e970e50
pkgname = snapd
diff --git a/0002-interfaces-seccomp-add-clone3-to-default-template.patch b/0002-interfaces-seccomp-add-clone3-to-default-template.patch
new file mode 100644
index 000000000000..0487bd9dfa02
--- /dev/null
+++ b/0002-interfaces-seccomp-add-clone3-to-default-template.patch
@@ -0,0 +1,48 @@
+From 999c2e61f07e18081916936665291834770a2ee1 Mon Sep 17 00:00:00 2001
+Message-Id: <999c2e61f07e18081916936665291834770a2ee1.1632894658.git.maciej.zenon.borzecki@canonical.com>
+From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
+Date: Mon, 27 Sep 2021 12:00:53 +0200
+Subject: [PATCH] interfaces/seccomp: add clone3 to default template
+
+Recent combinations of Go 1.17, glibc 2.34 and Linux 5.14 ended up triggering
+pthread_create() code paths that try to use clone3() syscall when executing
+snap-exec. Since snap-exec runs under the seccomp profile of the application,
+make sure that clone3 is allowed in the default template. Also, applications may
+trigger this code path themselves anyway.
+
+The strace output when this fails looks like this:
+
+mprotect(0x7f4ad3ea2000, 8388608, PROT_READ|PROT_WRITE) = 0
+rt_sigprocmask(SIG_BLOCK, ~[], ~[KILL STOP RTMIN RT_1], 8) = 0
+syscall_435(0x7ffc466b4c60, 0x58, 0x58b300, 0x8, 0x7f4ad46a1640, 0x7ffc466b4d4f) = -1 (errno 1)
+rt_sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN RT_1], NULL, 8) = 0
+rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
+write(2, "runtime/cgo: ", 13runtime/cgo: ) = 13
+write(2, "pthread_create failed: Operation not permitted", 46pthread_create
+failed: Operation not permitted) = 46
+
+Where syscall 435 is also known as clone3:
+
+$ scmp_sys_resolver 435
+clone3
+
+Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
+---
+ interfaces/seccomp/template.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go
+index a84de18a819a5bd3e6323242952633087cfbfd81..583f8cd9fdff1044459127c6db056a7bbc3a1b21 100644
+--- a/interfaces/seccomp/template.go
++++ b/interfaces/seccomp/template.go
+@@ -103,6 +103,7 @@ clock_gettime64
+ clock_nanosleep
+ clock_nanosleep_time64
+ clone
++clone3
+ close
+
+ # needed by ls -l
+--
+2.33.0
+
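Review bot: `clone3` is added as a bare, unfiltered entry directly under `clone` in the seccomp template, and unlike `clone` it receives its flags through a `struct clone_args` pointer that seccomp-BPF cannot dereference, so any argument-level restriction the template may apply to `clone` elsewhere would not carry over to `clone3`. Whether the template restricts `clone` arguments at all is not visible in this hunk; if it does, the same policy needs to be stated for `clone3` by other means, or the gap recorded. A short comment next to the new line, such as `# clone3 takes its flags via struct clone_args; seccomp argument filters do not apply`, would make that explicit for the next maintainer. Since this is a cherry-pick of upstream commit 999c2e61, the packaging side should also note that the patch is to be dropped once the packaged snapd release contains it.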
diff --git a/PKGBUILD b/PKGBUILD
index 80a0808f5f0e..8483ec72ac0c 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -9,7 +9,7 @@ depends=('squashfs-tools' 'libseccomp' 'libsystemd' 'apparmor')
optdepends=('bash-completion: bash completion support'
'xdg-desktop-portal: desktop integration')
pkgver=2.52
-pkgrel=2
+pkgrel=3
arch=('x86_64' 'i686' 'armv7h' 'aarch64')
url="https://github.com/snapcore/snapd"
license=('GPL3')
@@ -20,9 +20,13 @@ install=snapd.install
source=(
"$pkgname-$pkgver.tar.xz::https://github.com/snapcore/${pkgname}/releases/download/${pkgver}/${pkgname}_${pkgver}.vendor.tar.xz"
"0001-cmd-libsnap-confine-private-g_spawn_check_exit_statu.patch"
+ "0002-interfaces-seccomp-add-clone3-to-default-template.patch"
+)
+sha256sums=(
+ 'a686a071251f8853c5c6789023091510332a49063334c9af29d48b066f8726c4'
+ 'fb2bece54758fd167b4e7d8df71786a204617ccbed241457ee30d27ab0048f77'
+ 'f7a48d5d30858c0c033563ae9cfdea75ac2e7c45503760bf3cc336688e970e50'
)
-sha256sums=('a686a071251f8853c5c6789023091510332a49063334c9af29d48b066f8726c4'
- 'fb2bece54758fd167b4e7d8df71786a204617ccbed241457ee30d27ab0048f77')
_gourl=github.com/snapcore/snapd