[OE-core] [PATCH] file: explicitly disable seccomp

Martin Hundebøll martin at geanix.com
Mon Jan 20 12:53:23 UTC 2020


On 18/10/2019 23.28, Richard Purdie wrote:
> On Fri, 2019-10-18 at 18:03 +0530, Khem Raj wrote:
>>
>>
>> On Fri, Oct 18, 2019 at 4:58 PM Ross Burton <ross.burton at intel.com>
>> wrote:
>>> file will automatically enable seccomp if the seccomp headers are
>>> available, but
>>> the build will fail on Opensuse Tumbleweed because the include
>>> paths are wrong.
>>>
>>> Enabling seccomp is a bad idea because it interacts badly with
>>> pseudo (causing
>>> build failures), so explicitly and globally disable seccomp.
>>>
>>> Signed-off-by: Ross Burton <ross.burton at intel.com>
>>> ---
>>>   meta/recipes-devtools/file/file_5.37.bb | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/meta/recipes-devtools/file/file_5.37.bb
>>> b/meta/recipes-devtools/file/file_5.37.bb
>>> index a840dbc012b..c53a120b840 100644
>>> --- a/meta/recipes-devtools/file/file_5.37.bb
>>> +++ b/meta/recipes-devtools/file/file_5.37.bb
>>> @@ -21,6 +21,8 @@ S = "${WORKDIR}/git"
>>>
>>>   inherit autotools update-alternatives
>>>
>>> +EXTRA_OECONF += "--disable-libseccomp"
>>> +
>>
>> On host it makes sense but how about for target recipe ? We do have
>> libseccomp support
>> Perhaps it’s best to disable it for native and native sdk alone ?
> 
> Given the problem reports in the media and the decisions made by most
> other distros I think disabling this is probably safest until its been
> make more usable (no other distro is shipping this enabled now).

Arch Linux enabled libseccomp as of today:

https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/file&id=a52fa0a37bad1f4ab67a934a4e0025e70aa1fd0e

This breaks the use of `file` in do_package():

ERROR: base-files-3.0.14-r89 do_package: Fatal errors occurred in 
subprocesses:

Command '['file', '-b', 
'/home/martin/clients/connectedcars/yocto/build/tmp-glibc/work/iwg26-oe-linux-gnueabi/base-files/3.0.14-r89/package/etc/skel/.profile']' 
died with <Signals.SIGSYS: 31>.: Traceback (most recent call last):

   File 
"/home/martin/clients/connectedcars/yocto/poky/meta/lib/oe/utils.py", 
line 272, in run

     ret = self._target(*self._args, **self._kwargs)

   File 
"/home/martin/clients/connectedcars/yocto/poky/meta/lib/oe/package.py", 
line 70, in is_elf

     result = subprocess.check_output(["file", "-b", path], 
stderr=subprocess.STDOUT).decode("utf-8")

   File "/usr/lib/python3.8/subprocess.py", line 411, in check_output

     return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,

   File "/usr/lib/python3.8/subprocess.py", line 512, in run 


     raise CalledProcessError(retcode, process.args,

subprocess.CalledProcessError: Command '['file', '-b', 
'/home/martin/clients/connectedcars/yocto/build/tmp-glibc/work/iwg26-oe-linux-gnueabi/base-files/3.0.14-r89/package/etc/skel/.profile']' 
died with <Signals.SIGSYS: 31>.

Disabling libseccomp sandboxing at runtime fixes it for me:

diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py

index efd36b3758..bc46d7c27c 100644

--- a/meta/lib/oe/package.py

+++ b/meta/lib/oe/package.py

@@ -67,7 +67,7 @@ def is_kernel_module_signed(path):

  # 16 - kernel module

  def is_elf(path):

      exec_type = 0

-    result = subprocess.check_output(["file", "-b", path], 
stderr=subprocess.STDOUT).decode("utf-8")

+    result = subprocess.check_output(["file", "-S", "-b", path], 
stderr=subprocess.STDOUT).decode("utf-8")



      if "ELF" in result:

          exec_type |= 1




More information about the Openembedded-core mailing list