------- Comment From <email address hidden> 2021-04-22 07:23 EDT-------
Hi,
I've also run some tests on s390x:
On Ubuntu 18.04 (bionic) with libseccomp2 2.5.1-1ubuntu1~18.04.1 and linux 4.15.0.142.129:
In a systemd-nspawn hirsute container:
bash -c "test -x /bin/bash"
returns 1 and strace shows:
faccessat2(AT_FDCWD, "/bin/bash", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
and seccomp-tools dump showed that the seccomp-filter allows faccessat2(=0x1b7) syscall!
After upgrading to 4.15.0-143-generic #147+hf1916485v20210421b1 from your PPA, the command works fine:
faccessat2(AT_FDCWD, "/bin/bash", X_OK, AT_EACCESS) = -1 ENOSYS (Function not implemented)
faccessat(AT_FDCWD, "/bin/bash", X_OK) = 0
In a "docker run -it ubuntu:hirsute /bin/bash" container (runc-1.0.0~rc93-0ubuntu1~18.04.1), the command also works fine and the seccomp-filter applied by docker also allows faccessat2.
On Ubuntu 20.10 (groovy) with libseccomp2 2.5.1-1ubuntu1~20.10.1 and linux 5.8.0.51.56, both the tests in systemd-nspawn and in docker container are working fine and the dump of the seccomp-filter shows that faccessat2 is allowed.
(On the same system before updating libseccomp2 to the mentioned version, libseccomp2 2.4.3-1ubuntu4 was used. There the dump of the seccomp-filter showed that the faccessat2 syscall was not allowed and thus the test command failed.)
Thanks.
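
A minimal probe for the behaviour reported above, added here as an example and not part of the original comment. It issues the raw faccessat2 syscall (number 0x1b7, as quoted from the filter dump) so that libc's fallback cannot hide the errno; the names `classify`, `probe` and `verdict` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 0x1b7 is the faccessat2 number quoted from the filter dump in the comment. */
#define NR_FACCESSAT2 0x1b7

enum verdict { V_OK, V_FALLBACK, V_BLOCKED, V_OTHER };

/* Interpret the result of an X_OK probe. glibc retries with faccessat only
 * when errno is ENOSYS; EPERM is returned to the caller, so "test -x" fails. */
enum verdict classify(long ret, int err) {
    if (ret == 0) return V_OK;
    if (err == ENOSYS) return V_FALLBACK;  /* old kernel, fallback is safe */
    if (err == EPERM) return V_BLOCKED;    /* the failing case in the report */
    return V_OTHER;                        /* genuine answer, e.g. EACCES/ENOENT */
}

/* Issue the raw syscall so libc's own fallback logic cannot hide the errno. */
enum verdict probe(const char *path, int *err_out) {
    errno = 0;
    long ret = syscall(NR_FACCESSAT2, AT_FDCWD, path, X_OK, AT_EACCESS);
    int err = (ret == 0) ? 0 : errno;
    if (err_out) *err_out = err;
    return classify(ret, err);
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/bin/bash";
    static const char *names[] = { "ok", "ENOSYS (libc falls back)",
                                   "EPERM (no fallback, test -x fails)", "other" };
    int err = 0;
    enum verdict v = probe(path, &err);
    printf("faccessat2(%s, X_OK, AT_EACCESS): %s", path, names[v]);
    if (err) printf(" [%s]", strerror(err));
    putchar('\n');
    if (v == V_FALLBACK)  /* legacy 3-argument syscall, as in the strace output */
        printf("faccessat: %ld\n", syscall(SYS_faccessat, AT_FDCWD, path, X_OK));
    return v == V_BLOCKED;
}
```

Run inside the container under test; an exit status of 1 corresponds to the EPERM result seen on the 4.15.0.142.129 kernel.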