author | Maciek Borzecki | 2021-09-29 08:57:03 +0200 |
---|---|---|
committer | Maciek Borzecki | 2021-09-29 08:57:03 +0200 |
commit | 16d957062658d571fcdc9d07a12b04ef63a0fdf6 (patch) | |
tree | 53cc0a091de1ee969073ed2bf8129b923b12f9bc | |
parent | 955b2637a72b2a89aa8eaf896c82571c1ebd965f (diff) | |
download | aur-16d957062658d571fcdc9d07a12b04ef63a0fdf6.tar.gz |
upgpkg: snapd 2.52-3
Cherry pick seccomp clone3 patch from upstream
Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | 0002-interfaces-seccomp-add-clone3-to-default-template.patch | 48 | ||||
-rw-r--r-- | PKGBUILD | 10 |
3 files changed, 58 insertions, 4 deletions
@@ -1,7 +1,7 @@
 pkgbase = snapd
 	pkgdesc = Service and tools for management of snap packages.
 	pkgver = 2.52
-	pkgrel = 2
+	pkgrel = 3
 	url = https://github.com/snapcore/snapd
 	install = snapd.install
 	arch = x86_64
@@ -29,7 +29,9 @@ pkgbase = snapd
 	options = emptydirs
 	source = snapd-2.52.tar.xz::https://github.com/snapcore/snapd/releases/download/2.52/snapd_2.52.vendor.tar.xz
 	source = 0001-cmd-libsnap-confine-private-g_spawn_check_exit_statu.patch
+	source = 0002-interfaces-seccomp-add-clone3-to-default-template.patch
 	sha256sums = a686a071251f8853c5c6789023091510332a49063334c9af29d48b066f8726c4
 	sha256sums = fb2bece54758fd167b4e7d8df71786a204617ccbed241457ee30d27ab0048f77
+	sha256sums = f7a48d5d30858c0c033563ae9cfdea75ac2e7c45503760bf3cc336688e970e50
 
 pkgname = snapd
diff --git a/0002-interfaces-seccomp-add-clone3-to-default-template.patch b/0002-interfaces-seccomp-add-clone3-to-default-template.patch
new file mode 100644
index 000000000000..0487bd9dfa02
--- /dev/null
+++ b/0002-interfaces-seccomp-add-clone3-to-default-template.patch
@@ -0,0 +1,48 @@
+From 999c2e61f07e18081916936665291834770a2ee1 Mon Sep 17 00:00:00 2001
+Message-Id: <999c2e61f07e18081916936665291834770a2ee1.1632894658.git.maciej.zenon.borzecki@canonical.com>
+From: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
+Date: Mon, 27 Sep 2021 12:00:53 +0200
+Subject: [PATCH] interfaces/seccomp: add clone3 to default template
+
+Recent combinations of Go 1.17, glibc 2.34 and Linux 5.14 ended up triggering
+pthread_create() code paths that try to use clone3() syscall when executing
+snap-exec. Since snap-exec runs under the seccomp profile of the application,
+make sure that clone3 is allowed in the default template. Also, applications may
+trigger this code path themselves anyway.
+
+The strace output when this fails looks like this:
+
+mprotect(0x7f4ad3ea2000, 8388608, PROT_READ|PROT_WRITE) = 0
+rt_sigprocmask(SIG_BLOCK, ~[], ~[KILL STOP RTMIN RT_1], 8) = 0
+syscall_435(0x7ffc466b4c60, 0x58, 0x58b300, 0x8, 0x7f4ad46a1640, 0x7ffc466b4d4f) = -1 (errno 1)
+rt_sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN RT_1], NULL, 8) = 0
+rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
+write(2, "runtime/cgo: ", 13runtime/cgo: ) = 13
+write(2, "pthread_create failed: Operation not permitted", 46pthread_create
+failed: Operation not permitted) = 46
+
+Where syscall 435 is also known as clone3:
+
+$ scmp_sys_resolver 435
+clone3
+
+Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
+---
+ interfaces/seccomp/template.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go
+index a84de18a819a5bd3e6323242952633087cfbfd81..583f8cd9fdff1044459127c6db056a7bbc3a1b21 100644
+--- a/interfaces/seccomp/template.go
++++ b/interfaces/seccomp/template.go
+@@ -103,6 +103,7 @@ clock_gettime64
+ clock_nanosleep
+ clock_nanosleep_time64
+ clone
++clone3
+ close
+ 
+ # needed by ls -l
+-- 
+2.33.0
+
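Review bot: This new patch file is registered in source= and sha256sums= but nothing visible in the commit applies it: the diffstat's 10 PKGBUILD lines are fully accounted for by the pkgrel bump (2 lines) and the source/sha256sums rewrite (8 lines), so prepare() is untouched. Unless prepare() already applies every *.patch through a glob (not visible on this page), the built package keeps the old seccomp template and the clone3 fix the commit message promises never lands; an explicit `patch -Np1 -i "$srcdir/0002-interfaces-seccomp-add-clone3-to-default-template.patch"` in prepare() would close that gap. The simplest confirmation is to check that interfaces/seccomp/template.go in the built tree contains the clone3 line. The PKGBUILD hunk that touches source= runs past the end of this page, so the patch-application lines could not be inspected here.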
@@ -9,7 +9,7 @@ depends=('squashfs-tools' 'libseccomp' 'libsystemd' 'apparmor') optdepends=('bash-completion: bash completion support' 'xdg-desktop-portal: desktop integration') pkgver=2.52 -pkgrel=2 +pkgrel=3 arch=('x86_64' 'i686' 'armv7h' 'aarch64') url="https://github.com/snapcore/snapd" license=('GPL3') @@ -20,9 +20,13 @@ install=snapd.install source=( "$pkgname-$pkgver.tar.xz::https://github.com/snapcore/${pkgname}/releases/download/${pkgver}/${pkgname}_${pkgver}.vendor.tar.xz" "0001-cmd-libsnap-confine-private-g_spawn_check_exit_statu.patch" + "0002-interfaces-seccomp-add-clone3-to-default-template.patch" +) +sha256sums=( + 'a686a071251f8853c5c6789023091510332a49063334c9af29d48b066f8726c4' + 'fb2bece54758fd167b4e7d8df71786a204617ccbed241457ee30d27ab0048f77' + 'f7a48d5d30858c0c033563ae9cfdea75ac2e7c45503760bf3cc336688e970e50' ) -sha256sums=('a686a071251f8853c5c6789023091510332a49063334c9af29d48b066f8726c4' - 'fb2bece54758fd167b4e7d8df71786a204617ccbed241457ee30d27ab0048f77') _gourl=github.com/snapcore/snapd |