Failed to fdwalk: Operation not permitted (close_range syscall / seccomp issue) #346
Comments
|
This is odd. It seems zsh wants to do some privileged setup. x11docker drops all capabilities with Edit: Just tried with xfce 4.16 on debian testing and could not reproduce. Works as expected. |
|
Ok this is now resolved. See https://gitlab.xfce.org/apps/xfce4-terminal/-/issues/116#note_30805. The problem seems to be coming from I will make a PR to fix the problem once I fully understand what is causing it. As for now, I will rebuild the image to use vte3==0.62.3, which does not seem to affect the terminal.
I tried an Ubuntu image built from source, and that one worked, but when I checked which version of vte3 they use, I saw they are using 0.60.3, so this is probably the same version you have on debian. |
That's the deceptive part about that message that led me on a chase for privileges to add to the container. I added all the privileges I could, but none of them was enough to get past the issue. I finally arrived to the actual line in vte's source code which produces that error. I don't want to bore you with how I got to it, but the call to open the terminal starts somewhere here (from xfce4-terminal): And makes its way into vte3 which leads to: and... https://github.com/GNOME/vte/blob/109a6cf6e05ef55b79f768a30fdf95723ebba0d3/src/spawn.cc#L352-L353 ^ that's where everything blows up. The syscall to #define _GNU_SOURCE
#include <fcntl.h>
#include <linux/close_range.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
/* Show the contents of the symbolic links in /proc/self/fd */
static void
show_fds(void)
{
DIR *dirp = opendir("/proc/self/fd");
if (dirp == NULL) {
perror("opendir");
exit(EXIT_FAILURE);
}
for (;;) {
struct dirent *dp = readdir(dirp);
if (dp == NULL)
break;
if (dp->d_type == DT_LNK) {
char path[PATH_MAX], target[PATH_MAX];
snprintf(path, sizeof(path), "/proc/self/fd/%s",
dp->d_name);
ssize_t len = readlink(path, target, sizeof(target));
printf("%s ==> %.*s\n", path, (int) len, target);
}
}
closedir(dirp);
}
int
main(int argc, char *argv[])
{
for (int j = 1; j < argc; j++) {
int fd = open(argv[j], O_RDONLY);
if (fd == -1) {
perror(argv[j]);
exit(EXIT_FAILURE);
}
printf("%s opened as FD %d\n", argv[j], fd);
}
show_fds();
printf("========= About to call close_range() =======\n");
if (syscall(__NR_close_range, 3, ~0U, 0) == -1) {
perror("close_range");
exit(EXIT_FAILURE);
}
show_fds();
exit(EXIT_SUCCESS);
}Run it by supplying a bunch of files as arguments. All it does is open all the files, then use This code runs fine on my host machine, but in a container, it fails with (you guessed it!) "Permission denied". |
|
In conclusion, the problem is not with zsh (I actually tried it with bash login shell, and the same problem occurred), or x11docker, but rather with a |
|
Issue reported here: https://github.com/containers/podman/issues/10130 I assume this is related to seccomp profiles, but I'm not sure yet |
Thank you for the detailed report! |
|
Yep. I can confirm that does in fact fix the problem. Do you know why this works? I was under the impression that docker's default seccomp profile should not have interfered with that syscall, because I even downloaded that json file and used it to run the container, and it was still blocking Do you know the difference between |
Found the answer here:
So I guess security-wise, it may not be all that bad using just |
That is odd.
I think so, too. My debian system does not use SELinux at all. |
|
I've confused SELinux and seccomp here. They are different security layers. I am not familiar with both of them.
Edit: |
|
I use podman, and their default profile also whitelists
I doubt it too. In the bug report I created at containers/podman#10337, I was able to reproduce the issue with a simple image built with buildah bud --no-cache --platform linux/amd64 -f - /tmp <<'EOF'
FROM alpine:edge
RUN apk update && apk add --upgrade build-base libc-dev linux-headers
COPY walk.c /app/walk.c
RUN gcc -o /app/walk /app/walk.c
ENTRYPOINT ["/app/walk"]
EOFRunning the above container gives the same |
mviereck
changed the title
|
This seems to be fixed in podman now: containers/podman#10337 (comment) docker seems to be affected, too, not fixed yet: docker/for-linux#1262 |
|
This happened for me while trying to run Ubuntu MATE 21.10 inside x11docker 6.6.2 with usual command
So I have reported bug 1935995 to launchpad. Currently I'm running x11docker version 6.9.0 and Docker CE version 20.10.7 |
Put the image name to the end of the command. This follows the syntax for custom |
|
Thanks! Now it works. I will document it somewhere. |
|
Found elsewhere:
If the issue still occurs with (default) |
mviereck
changed the title
|
I just assume that this issue is meanwhile fixed in most distributions. |
|
@mviereck I just ran into this on Debian 12, maybe they’ve updated the |
Coming from #345
@smac89 wrote:
I am currently in the middle of reporting a bug with the terminal running inside the container.
You wouldn't happen to have an idea of why this might be happening inside the container? 😄
The text was updated successfully, but these errors were encountered: