Bug#806542: liblinux-prctl-perl: autopkgtest failures: seccomp, capbset

Salvatore Bonaccorso carnil at debian.org
Sun Nov 29 18:53:55 UTC 2015 

Hi Niko, hi Antonio

On Sat, Nov 28, 2015 at 09:03:30PM +0200, Niko Tyni wrote:
> On Sat, Nov 28, 2015 at 07:22:01PM +0100, Salvatore Bonaccorso wrote:
> 
> > > Package: liblinux-prctl-perl
> > > Version: 1.6.0-2 
> 
> > > This package recently started failing its autopkgtest checks on ci.debian.net:
> 
> > Thanks for reporting this. I can reproduce the test failures if I
> > build in a LXC container (running sid) on a sid host.
> > 
> > As datapoint: Looks ci.d.n switched from schroot based test to LXC
> > based for at least liblinux-prctl-perl.
> 
> Yeah, that makes sense. I expect the failures are just caused
> by different defaults and/or restrictions inside lxc containers.

So indeed this seems the reason. First for the t/capbset.t failures.
The LXC configuration for the debian template contain:

 12 # Default capabilities
 13 lxc.cap.drop = sys_module mac_admin mac_override sys_time

and in same way for t/seccomp.t, this is caused by:

 63 # Blacklist some syscalls which are not safe in privileged
 64 # containers
 65 lxc.seccomp = /usr/share/lxc/config/common.seccomp

where in common.seccomp:

  1 2                                                                                             
  2 blacklist
  3 reject_force_umount  # comment this to allow umount -f;  not recommended
  4 [all]
  5 kexec_load errno 1
  6 open_by_handle_at errno 1
  7 init_module errno 1
  8 finit_module errno 1
  9 delete_module errno 1

In this configuration, get_seccomp will return 2, 

# perl -E 'use Linux::Prctl qw(:constants :functions); say get_seccomp();'
2

       PR_GET_SECCOMP (since Linux 2.6.23)
              Return (as the function result) the secure computing mode of the
              calling thread.  If the caller is not in secure computing  mode,
              this operation returns 0; if the caller is in strict secure com-
              puting mode, then the prctl() call will cause a  SIGKILL  signal
              to be sent to the process.  If the caller is in filter mode, and
              this system call is allowed by the seccomp filters,  it  returns
              2.  This operation is available only if the kernel is configured
              with CONFIG_SECCOMP enabled.

Regards,
Salvatore

More information about the pkg-perl-maintainers mailing list