Description of problem:
seccomp denies every personality(2) flag except PER_LINUX, PER_LINUX32, and -1. This makes containers with OS userlands exhibiting https://bugzilla.redhat.com/show_bug.cgi?id=1690102 (such as RHEL 7) fail in this awesome way:

    [root@daf23c28d8db build]# setarch linux32 -B uname -m
    x86_64
    [root@daf23c28d8db build]# setarch linux32 uname -m
    i686

Version-Release number of selected component (if applicable):
0.1.35-1.git404c5bd.fc29.x86_64

How reproducible:
100%

Steps to Reproduce:
1. build an image with a rhel 7 (or centos 7) root
2. run "setarch linux32 -B uname -m" in it
3. observe the wrong answer, which would be right if ADDR_LIMIT_3G worked

Actual results:
personality(2) gives -EPERM instead of working

Expected results:
personality(2) works normally without error

Additional info:
I'm not really sure what the point of limiting personality(2) flags is - it could really just go on the allowed system calls list.
Peter, what exactly does the personality call do? If you add the syscall to /usr/share/containers/seccomp.json, does the rest of the code work correctly?
It's the syscall that switches out (among other things) what uname returns, limits how much address space you have to 32-bits (or 3 gig in this case), and things of that nature. If I add more values to its arguments in seccomp.json it does work, or if I add it to the list of calls that are just allowed, it also works.
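As an added example (not code from the report, nor from skopeo or the containers project): a small Python check that evaluates a seccomp.json-style personality rule set against the persona values that "setarch linux32" and "setarch linux32 -B" request, and shows the one-entry-per-value widening the report asks for. The profile fragment is constructed to mirror the report's description, the flag values are taken from <linux/personality.h> (the report's ADDR_LIMIT_3G is the kernel's ADDR_LIMIT_3GB), and the rule evaluator is a deliberate simplification in which the first matching entry wins.

```python
import json

# Persona values from <linux/personality.h>. The report's ADDR_LIMIT_3G is the
# kernel's ADDR_LIMIT_3GB, which "setarch -B" ORs into the persona.
PER_LINUX = 0x0000
PER_LINUX32 = 0x0008
ADDR_LIMIT_3GB = 0x8000000
PERSONA_QUERY = 0xFFFFFFFF  # personality(0xffffffff) only reads the current value

def _allow_value(value):
    """One allow entry per value: conditions inside an entry are AND-ed, so two
    SCMP_CMP_EQ conditions on arg 0 in a single entry could never both hold."""
    return {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
            "args": [{"index": 0, "value": value, "valueTwo": 0,
                      "op": "SCMP_CMP_EQ"}]}

# Constructed fragment in the seccomp.json layout, mirroring the report: only
# PER_LINUX, PER_LINUX32 and -1 (the query) are allowed.
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [_allow_value(v) for v in (PER_LINUX, PER_LINUX32, PERSONA_QUERY)],
}

def _cond_matches(cond, args):
    arg, expected = args[cond["index"]], cond.get("value", 0)
    if cond["op"] == "SCMP_CMP_EQ":
        return arg == expected
    raise ValueError("unsupported op " + cond["op"])

def action_for(profile, syscall, args):
    """Simplified evaluator (assumption: first matching entry wins; libseccomp
    itself merges rules). Returns the action string the profile would take."""
    for entry in profile["syscalls"]:
        conds = entry.get("args") or []
        if syscall in entry["names"] and all(_cond_matches(c, args) for c in conds):
            return entry["action"]
    return profile["defaultAction"]

def with_3gb_rule(profile):
    """Copy of the profile widened by exactly the value setarch linux32 -B uses."""
    widened = json.loads(json.dumps(profile))
    widened["syscalls"].append(_allow_value(PER_LINUX32 | ADDR_LIMIT_3GB))
    return widened

def setarch_persona(linux32=True, three_gb=False):
    """Persona that "setarch linux32 [-B]" asks the kernel for."""
    persona = PER_LINUX32 if linux32 else PER_LINUX
    return persona | ADDR_LIMIT_3GB if three_gb else persona
```

Widening by a single extra value keeps every other persona (ADDR_LIMIT_3GB without PER_LINUX32, UNAME26, and so on) on the default SCMP_ACT_ERRNO path, which is the narrowest change that makes the report's reproducer work.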
Could you send me or attach your modified seccomp.json file? Then I can make the modifications. If you don't see this as a possible security escalation, then I am willing to take in the changes.
FEDORA-2019-96f06abcec has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-96f06abcec
skopeo-0.1.37-0.gite079f9d.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e2637b6f18
skopeo-0.1.37-0.gite079f9d.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-96f06abcec
skopeo-0.1.37-0.gite079f9d.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
skopeo-0.1.37-0.gite079f9d.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.