Azure CI: use PPA to provide newer libseccomp version

Linux 5.8 made faccessat2() system call available in August 2020. This
system call is used now by GNU libc to implement more precisely
faccessat() system call. GNU glibc does compile-time check for the
kernel version and uses faccessat2() unconditionally in case it is
available. If kernel responds with ENOSYS error code, GNU libc will
attempt to use older, less flexible, faccessat(() system call.

When running on a system where libseccomp does not know about the new
syscall, the default action in seccomp filters in Docker and other
container runtimes is to respond with EPERM error code. This breaks GNU
libc's implementation of the faccessat() function -- as well as other
newer syscall implementations (e.g. statx()).

libseccomp started to support faccessat2() in July 2020 with
5696c89640
(version 2.5.0: https://github.com/seccomp/libseccomp/releases/tag/v2.5.0)

With Ubuntu 20.04 as a host, use PPA abbra/freeipa-libseccomp which
provides libseccomp 2.5.0 rebuild from Debian Sid.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Alexander Bokovoy 2020-11-16 23:07:56 +02:00
parent 6e1eaad873
commit 1bf0d62828
2 changed files with 6 additions and 1 deletions

View File

@ -90,6 +90,7 @@
"exit",
"exit_group",
"faccessat",
"faccessat2",
"fadvise64",
"fadvise64_64",
"fallocate",

View File

@ -12,7 +12,11 @@ steps:
moreutils \
rng-tools \
systemd-coredump \
python3-docker
python3-docker \
software-properties-common
sudo add-apt-repository -y ppa:abbra/freeipa-libseccomp
sudo apt-get update
sudo apt-get install -y libseccomp2
# ubuntu's one is too old: different API
python3 -m pip install docker --user
displayName: Install Host's tests requirements