File _service:tar_scm:gspawn-eperm.patch of Package glib2
diff --git a/glib/gspawn.c b/glib/gspawn.c index 67be6a6af..aaefd5b0d 100644 --- a/glib/gspawn.c +++ b/glib/gspawn.c @@ -1598,9 +1598,18 @@ safe_fdwalk_set_cloexec (int lowfd) * * Handle ENOSYS in case it’s supported in libc but not the kernel; if so, * fall back to safe_fdwalk(). Handle EINVAL in case `CLOSE_RANGE_CLOEXEC` - * is not supported. */ + * is not supported. + * + * Also handle EPERM for the cases where GLib is running under broken versions + * of Docker+libseccomp which don’t recognise `close_range()` so block calls + * to it under a default security policy which returns EPERM rather than (the + * correct) ENOSYS. This workaround should be carried in distributions until + * they have versions of libseccomp and Docker which contain: + * - https://salsa.debian.org/debian/libseccomp/-/blob/debian/bullseye/debian/patches/syscalls_add_close_range_syscall.patch + * - https://github.com/opencontainers/runc/issues/2151 + */ ret = close_range (lowfd, G_MAXUINT, CLOSE_RANGE_CLOEXEC); - if (ret == 0 || !(errno == ENOSYS || errno == EINVAL)) + if (ret == 0 || !(errno == ENOSYS || errno == EINVAL || errno == EPERM)) return ret; #endif /* HAVE_CLOSE_RANGE */ @@ -1624,9 +1633,15 @@ safe_closefrom (int lowfd) * situations: https://bugs.python.org/issue38061 * * Handle ENOSYS in case it’s supported in libc but not the kernel; if so, - * fall back to safe_fdwalk(). */ + * fall back to safe_fdwalk(). + * + * Also handle EPERM for the cases where GLib is running under broken versions + * of Docker+libseccomp which don’t recognise `close_range()` so block calls + * to it under a default security policy which returns EPERM rather than (the + * correct) ENOSYS. + */ ret = close_range (lowfd, G_MAXUINT, 0); - if (ret == 0 || errno != ENOSYS) + if (ret == 0 || !(errno == ENOSYS || errno == EPERM)) return ret; #endif /* HAVE_CLOSE_RANGE */
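Review bot: In the first hunk (safe_fdwalk_set_cloexec), the new test `errno == ENOSYS || errno == EINVAL || errno == EPERM` treats every EPERM from close_range() as "syscall unavailable", not only the one produced by the Docker+libseccomp default policy the comment describes. That is acceptable only because the code falls through to the slower fallback instead of returning success, so the comment should say so explicitly: an EPERM here must never leave descriptors at or above lowfd without close-on-exec. The comment also says the workaround "should be carried in distributions until" fixed libseccomp and Docker versions ship, but names no version; add the minimum fixed versions or a tracking reference next to the two links so the downstream patch can be dropped when they land.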
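Review bot: In the second hunk (safe_closefrom), the added comment repeats the EPERM rationale but omits the removal condition and the two reference links that the safe_fdwalk_set_cloexec comment carries, so the two workarounds can drift apart. Point this comment at the first one, or repeat the links, so both `errno == EPERM` checks are removed together. As in the first hunk, state in the comment that falling through on EPERM still closes the descriptors through the fallback path, since a reader auditing descriptor inheritance across spawn needs to see that a blocked close_range() is not silently ignored.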