44 lines
1.9 KiB
Diff
44 lines
1.9 KiB
Diff
diff --git a/glib/gspawn.c b/glib/gspawn.c
|
||
index 67be6a6af..aaefd5b0d 100644
|
||
--- a/glib/gspawn.c
|
||
+++ b/glib/gspawn.c
|
||
@@ -1598,9 +1598,18 @@ safe_fdwalk_set_cloexec (int lowfd)
|
||
*
|
||
* Handle ENOSYS in case it’s supported in libc but not the kernel; if so,
|
||
* fall back to safe_fdwalk(). Handle EINVAL in case `CLOSE_RANGE_CLOEXEC`
|
||
- * is not supported. */
|
||
+ * is not supported.
|
||
+ *
|
||
+ * Also handle EPERM for the cases where GLib is running under broken versions
|
||
+ * of Docker+libseccomp which don’t recognise `close_range()` so block calls
|
||
+ * to it under a default security policy which returns EPERM rather than (the
|
||
+ * correct) ENOSYS. This workaround should be carried in distributions until
|
||
+ * they have versions of libseccomp and Docker which contain:
|
||
+ * - https://salsa.debian.org/debian/libseccomp/-/blob/debian/bullseye/debian/patches/syscalls_add_close_range_syscall.patch
|
||
+ * - https://github.com/opencontainers/runc/issues/2151
|
||
+ */
|
||
ret = close_range (lowfd, G_MAXUINT, CLOSE_RANGE_CLOEXEC);
|
||
- if (ret == 0 || !(errno == ENOSYS || errno == EINVAL))
|
||
+ if (ret == 0 || !(errno == ENOSYS || errno == EINVAL || errno == EPERM))
|
||
return ret;
|
||
#endif /* HAVE_CLOSE_RANGE */
|
||
|
||
@@ -1624,9 +1633,15 @@ safe_closefrom (int lowfd)
|
||
* situations: https://bugs.python.org/issue38061
|
||
*
|
||
* Handle ENOSYS in case it’s supported in libc but not the kernel; if so,
|
||
- * fall back to safe_fdwalk(). */
|
||
+ * fall back to safe_fdwalk().
|
||
+ *
|
||
+ * Also handle EPERM for the cases where GLib is running under broken versions
|
||
+ * of Docker+libseccomp which don’t recognise `close_range()` so block calls
|
||
+ * to it under a default security policy which returns EPERM rather than (the
|
||
+ * correct) ENOSYS.
|
||
+ */
|
||
ret = close_range (lowfd, G_MAXUINT, 0);
|
||
- if (ret == 0 || errno != ENOSYS)
|
||
+ if (ret == 0 || errno != ENOSYS || errno == EPERM)
|
||
return ret;
|
||
#endif /* HAVE_CLOSE_RANGE */
|
||
|