[packages/podman] upstream patch allowing more syscalls in seccomp policy for 32bit platforms

Wed Jun 2 12:18:57 CEST 2021

commit 096dadfb8110620405b091d416bc2cd0b81c3ce6
Author: Jan Palus <atler at pld-linux.org>
Date:   Wed Jun 2 10:16:17 2021 +0000

    upstream patch allowing more syscalls in seccomp policy for 32bit platforms

 podman-seccomp_32bit.patch | 127 +++++++++++++++++++++++++++++++++++++++++++++
 podman.spec                |   3 ++
 2 files changed, 130 insertions(+)
---

diff --git a/podman.spec b/podman.spec
index 9abaf7c..452b981 100644
--- a/podman.spec
+++ b/podman.spec
@@ -9,6 +9,7 @@ Source0:	https://github.com/containers/podman/archive/v%{version}/%{name}-%{vers
 # Source0-md5:	763d21ca1d9d3a3b7a49b226843e609e
 Source1:	policy.json
 Source2:	registries.conf
+Patch0:		%{name}-seccomp_32bit.patch
 URL:		https://github.com/containers/podman
 BuildRequires:	device-mapper-devel
 BuildRequires:	go-md2man
@@ -67,6 +68,8 @@ Zsh completion for podman command.
 
 %prep
 %setup -q
+cd vendor/github.com/containers/common
+%patch0 -p1
 
 %build
 %{__make} \
diff --git a/podman-seccomp_32bit.patch b/podman-seccomp_32bit.patch
new file mode 100644
index 0000000..fe848fc
--- /dev/null
+++ b/podman-seccomp_32bit.patch
@@ -0,0 +1,127 @@
+From 619da3b9581020e84c48edcae99ac817037a2b2f Mon Sep 17 00:00:00 2001
+From: Jan Palus <jpalus at fastmail.com>
+Date: Tue, 1 Jun 2021 17:57:27 +0200
+Subject: [PATCH] seccomp: allow more *_time64 syscalls
+
+add missing equivalents of already allowed syscalls for 32-bit platforms
+with 64-bit time for countering Y2038
+
+Fixes #593
+
+Signed-off-by: Jan Palus <jpalus at fastmail.com>
+---
+ pkg/seccomp/default_linux.go | 7 +++++++
+ pkg/seccomp/seccomp.json     | 7 +++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/pkg/seccomp/default_linux.go b/pkg/seccomp/default_linux.go
+index f86f3e2..6bbb80b 100644
+--- a/pkg/seccomp/default_linux.go
++++ b/pkg/seccomp/default_linux.go
+@@ -128,6 +128,7 @@ func DefaultProfile() *Seccomp {
+ 				"ftruncate",
+ 				"ftruncate64",
+ 				"futex",
++				"futex_time64",
+ 				"futimesat",
+ 				"get_robust_list",
+ 				"get_thread_area",
+@@ -212,7 +213,9 @@ func DefaultProfile() *Seccomp {
+ 				"mq_notify",
+ 				"mq_open",
+ 				"mq_timedreceive",
++				"mq_timedreceive_time64",
+ 				"mq_timedsend",
++				"mq_timedsend_time64",
+ 				"mq_unlink",
+ 				"mremap",
+ 				"msgctl",
+@@ -259,6 +262,7 @@ func DefaultProfile() *Seccomp {
+ 				"recv",
+ 				"recvfrom",
+ 				"recvmmsg",
++				"recvmmsg_time64",
+ 				"recvmsg",
+ 				"remap_file_pages",
+ 				"removexattr",
+@@ -274,6 +278,7 @@ func DefaultProfile() *Seccomp {
+ 				"rt_sigreturn",
+ 				"rt_sigsuspend",
+ 				"rt_sigtimedwait",
++				"rt_sigtimedwait_time64",
+ 				"rt_tgsigqueueinfo",
+ 				"sched_get_priority_max",
+ 				"sched_get_priority_min",
+@@ -282,6 +287,7 @@ func DefaultProfile() *Seccomp {
+ 				"sched_getparam",
+ 				"sched_getscheduler",
+ 				"sched_rr_get_interval",
++				"sched_rr_get_interval_time64",
+ 				"sched_setaffinity",
+ 				"sched_setattr",
+ 				"sched_setparam",
+@@ -293,6 +299,7 @@ func DefaultProfile() *Seccomp {
+ 				"semget",
+ 				"semop",
+ 				"semtimedop",
++				"semtimedop_time64",
+ 				"send",
+ 				"sendfile",
+ 				"sendfile64",
+diff --git a/pkg/seccomp/seccomp.json b/pkg/seccomp/seccomp.json
+index 8d799fd..cf81ca4 100644
+--- a/pkg/seccomp/seccomp.json
++++ b/pkg/seccomp/seccomp.json
+@@ -132,6 +132,7 @@
+ 				"ftruncate",
+ 				"ftruncate64",
+ 				"futex",
++				"futex_time64",
+ 				"futimesat",
+ 				"get_robust_list",
+ 				"get_thread_area",
+@@ -216,7 +217,9 @@
+ 				"mq_notify",
+ 				"mq_open",
+ 				"mq_timedreceive",
++				"mq_timedreceive_time64",
+ 				"mq_timedsend",
++				"mq_timedsend_time64",
+ 				"mq_unlink",
+ 				"mremap",
+ 				"msgctl",
+@@ -263,6 +266,7 @@
+ 				"recv",
+ 				"recvfrom",
+ 				"recvmmsg",
++				"recvmmsg_time64",
+ 				"recvmsg",
+ 				"remap_file_pages",
+ 				"removexattr",
+@@ -278,6 +282,7 @@
+ 				"rt_sigreturn",
+ 				"rt_sigsuspend",
+ 				"rt_sigtimedwait",
++				"rt_sigtimedwait_time64",
+ 				"rt_tgsigqueueinfo",
+ 				"sched_get_priority_max",
+ 				"sched_get_priority_min",
+@@ -286,6 +291,7 @@
+ 				"sched_getparam",
+ 				"sched_getscheduler",
+ 				"sched_rr_get_interval",
++				"sched_rr_get_interval_time64",
+ 				"sched_setaffinity",
+ 				"sched_setattr",
+ 				"sched_setparam",
+@@ -297,6 +303,7 @@
+ 				"semget",
+ 				"semop",
+ 				"semtimedop",
++				"semtimedop_time64",
+ 				"send",
+ 				"sendfile",
+ 				"sendfile64",
+-- 
+2.31.1
+
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/podman.git/commitdiff/096dadfb8110620405b091d416bc2cd0b81c3ce6

