Status: closed (closed by fishilico 3 years ago)
Well, we can't set seccomp filters from the command line in `main.yml`. One way around this is to separate the container from the Dockerfile we have, and use GH Actions container commands as this thread suggests: https://bugzilla.redhat.com/show_bug.cgi?id=1900021
I'll see if I can make this work, but I really wouldn't want to touch the Dockerfile we have...
When trying to reproduce an issue (https://github.com/archlinuxhardened/selinux/issues/81) on my fork, I encountered an issue with Docker in https://github.com/fishilico/arch-selinux/actions/runs/545045259 :

I reproduced this issue locally, and an `strace` shows (among other things):

These syscalls come from https://git.archlinux.org/pacman.git/tree/lib/libalpm/handle.c?h=v5.2.2#n391 :

The fact that `faccessat2` returns `EPERM` (in the call to `realpath`), even though the directory `/var/lib/pacman` exists, is due to the default SECCOMP filter: adding `faccessat2` to the whitelist of system calls is quite "recent" (https://github.com/moby/moby/commit/a18139111d8a203bd211b0861c281ebe77daccd9 in August 2020 for Docker, https://github.com/containers/common/commit/313a3251c223e223944ff73e706339574c99e0d7 in September 2020 for podman & co.).

Locally, I managed to reproduce the issue with `podman 2.2.1-1` (on Arch Linux).

With the default configuration:

```
ls -ld /var/lib/pacman
drwxr-xr-x 4 root root 4096 Feb 7 09:25 /var/lib/pacman
pacman -Syu
error: failed to initialize alpm library
(could not find or read directory: /var/lib/pacman/)
```

Without SECCOMP:

```
ls -ld /var/lib/pacman
drwxr-xr-x 4 root root 4096 Feb 7 09:25 /var/lib/pacman
pacman -Syu
:: Synchronizing package databases...
 downloading core.db...
 downloading extra.db...
 downloading community.db...
:: Starting full system upgrade...
 there is nothing to do
```

TL;DR: the default SECCOMP filter used by `docker build` prevents `pacman` from running because it calls `faccessat2` (probably in `glibc`'s implementation of `realpath`) and this syscall is not (yet) allowed in the default Docker profile used by GitHub Action runners (on Ubuntu 18.04 and Ubuntu 20.04).

How should this issue be fixed? I am open to suggestions :)