From: Szabolcs Nagy <Szabolcs.Nagy@arm.com>
To: Adhemerval Zanella <adhemerval.zanella@linaro.org>,
"libc-alpha@sourceware.org" <libc-alpha@sourceware.org>
Cc: nd <nd@arm.com>, linux-man <linux-man@vger.kernel.org>
Subject: Re: glibc in master is incompatible with systemd-nspawn
Date: Fri, 8 Nov 2019 16:01:58 +0000 [thread overview]
Message-ID: <e3486649-58fa-c1b5-7913-9e9f098972db@arm.com> (raw)
In-Reply-To: <c4001320-2d3f-9523-c93f-60f799545654@linaro.org>
On 08/11/2019 15:33, Adhemerval Zanella wrote:
> Since when systemd-nspawn has this behaviour? What was the rationale to
> use EPERM instead of ENOSYS? IMHO ENOSYS it the expected error in this
> case, since filtering is essentially blocking the syscall usage altogether.
docker does the same, but at least you can disable it
with --security-opt seccomp:unconfined
i think the original sin was committed by chromium
which uses EPERM in its sandbox.
it's of course broken whenever the application is
run on a newer kernel+libc than what was used for
creating the filter, may be the seccomp manual should
warn against the use of EPERM (there is already a
caveats section)?
next parent reply other threads:[~2019-11-08 16:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <87k18a62xe.fsf@oldenburg2.str.redhat.com>
[not found] ` <20191108141149.GB20533@altlinux.org>
[not found] ` <87v9ru1l6d.fsf@oldenburg2.str.redhat.com>
[not found] ` <c4001320-2d3f-9523-c93f-60f799545654@linaro.org>
2019-11-08 16:01 ` Szabolcs Nagy [this message]
2019-11-08 16:19 ` glibc in master is incompatible with systemd-nspawn Florian Weimer
2019-11-08 16:23 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e3486649-58fa-c1b5-7913-9e9f098972db@arm.com \
--to=szabolcs.nagy@arm.com \
--cc=adhemerval.zanella@linaro.org \
--cc=libc-alpha@sourceware.org \
--cc=linux-man@vger.kernel.org \
--cc=nd@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).