-
Notifications
You must be signed in to change notification settings - Fork 379
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Failed to fdwalk: Operation not permitted (close_range syscall / seccomp issue) #346
Comments
This is odd. It seems zsh wants to do some privileged setup. x11docker drops all capabilities with Edit: Just tried with xfce 4.16 on debian testing and could not reproduce. Works as expected. |
Ok this is now resolved. See https://gitlab.xfce.org/apps/xfce4-terminal/-/issues/116#note_30805. The problem seems to be coming from I will make a PR to fix the problem once I fully understand what is causing it. As for now, I will rebuild the image to use vte3==0.62.3, which does not seem to affect the terminal.
I tried an Ubuntu image built from source, and that one worked, but when I checked which version of vte3 they use, I saw they are using 0.60.3, so this is probably the same version you have on debian. |
That's the deceptive part about that message that led me on a chase for privileges to add to the container. I added all the privileges I could, but none of them was enough to get past the issue. I finally arrived to the actual line in vte's source code which produces that error. I don't want to bore you with how I got to it, but the call to open the terminal starts somewhere here (from xfce4-terminal): And makes its way into vte3 which leads to: and... https://github.com/GNOME/vte/blob/109a6cf6e05ef55b79f768a30fdf95723ebba0d3/src/spawn.cc#L352-L353 ^ that's where everything blows up. The syscall to #define _GNU_SOURCE
#include <fcntl.h>
#include <linux/close_range.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
/* Show the contents of the symbolic links in /proc/self/fd */
static void
show_fds(void)
{
DIR *dirp = opendir("/proc/self/fd");
if (dirp == NULL) {
perror("opendir");
exit(EXIT_FAILURE);
}
for (;;) {
struct dirent *dp = readdir(dirp);
if (dp == NULL)
break;
if (dp->d_type == DT_LNK) {
char path[PATH_MAX], target[PATH_MAX];
snprintf(path, sizeof(path), "/proc/self/fd/%s",
dp->d_name);
ssize_t len = readlink(path, target, sizeof(target));
printf("%s ==> %.*s\n", path, (int) len, target);
}
}
closedir(dirp);
}
int
main(int argc, char *argv[])
{
for (int j = 1; j < argc; j++) {
int fd = open(argv[j], O_RDONLY);
if (fd == -1) {
perror(argv[j]);
exit(EXIT_FAILURE);
}
printf("%s opened as FD %d\n", argv[j], fd);
}
show_fds();
printf("========= About to call close_range() =======\n");
if (syscall(__NR_close_range, 3, ~0U, 0) == -1) {
perror("close_range");
exit(EXIT_FAILURE);
}
show_fds();
exit(EXIT_SUCCESS);
} Run it by supplying a bunch of files as arguments. All it does is open all the files, then use This code runs fine on my host machine, but in a container, it fails with (you guessed it!) "Permission denied". |
In conclusion, the problem is not with zsh (I actually tried it with bash login shell, and the same problem occurred), or x11docker, but rather with a |
Issue reported here: https://github.com/containers/podman/issues/10130 I assume this is related to seccomp profiles, but I'm not sure yet |
Thank you for the detailed report!
|
Yep. I can confirm that does in fact fix the problem. Do you know why this works? I was under the impression that docker's default seccomp profile should not have interfered with that syscall, because I even downloaded that json file and used it to run the container, and it was still blocking Do you know the difference between |
Found the answer here:
So I guess security-wise, it may not be all that bad using just |
That is odd.
I think so, too. My debian system does not use SELinux at all. |
I've confused SELinux and seccomp here. They are different security layers. I am not familiar with both of them.
Edit: |
I use podman, and their default profile also whitelists
I doubt it too. In the bug report I created at containers/podman#10337, I was able to reproduce the issue with a simple image built with buildah bud --no-cache --platform linux/amd64 -f - /tmp <<'EOF'
FROM alpine:edge
RUN apk update && apk add --upgrade build-base libc-dev linux-headers
COPY walk.c /app/walk.c
RUN gcc -o /app/walk /app/walk.c
ENTRYPOINT ["/app/walk"]
EOF Running the above container gives the same |
This seems to be fixed in podman now: containers/podman#10337 (comment) docker seems to be affected, too, not fixed yet: docker/for-linux#1262 |
This happened for me while trying to run Ubuntu MATE 21.10 inside x11docker 6.6.2 with usual command So I have reported bug 1935995 to launchpad. Currently I'm running x11docker version 6.9.0 and Docker CE version 20.10.7 |
Put the image name to the end of the command.
This follows the syntax for custom
|
Thanks! Now it works. I will document it somewhere. |
Found elsewhere:
If the issue still occurs with (default) |
I just assume that this issue is meanwhile fixed in most distributions. |
@mviereck I just ran into this on Debian 12, maybe they’ve updated the |
Coming from #345
@smac89 wrote:
I am currently in the middle of reporting a bug with the terminal running inside the container.
You wouldn't happen to have an idea of why this might be happening inside the container? 😄
The text was updated successfully, but these errors were encountered: