From: Martin Jansa <martin.jansa@gmail.com>
To: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: openembedded-devel@lists.openembedded.org
Subject: Re: [meta-qt5][PATCH] qfilesystemengine_unix.cpp: optionally disable use of statx(2)
Date: Tue, 17 Jul 2018 09:20:08 +0200
Message-ID: <20180717072008.GA2101@jama>
In-Reply-To: <20180716092221.32243-1-rasmus.villemoes@prevas.dk>

On Mon, Jul 16, 2018 at 11:22:21AM +0200, Rasmus Villemoes wrote:
> When used inside an unprivileged docker container, statx(2) gets
> rejected with -EPERM by the default seccomp profile, unless the host
> runs an almost-bleeding edge version of docker (at least 18.04). That
> causes most qt apps, qmake in particular, to fail.
> 
> While the qt release notes do mention this
> 
>    - Qt uses the statx(2) system call for obtaining file information on
>    kernels 4.12 and later. Some older container systems install system call
>    protection rules that do not include this system call. If you experience
>    problems running Qt applications inside containers (such as the report of
>    a file not existing when it does), ensure the statx(2) is allowed in the
>    container configuration.
> 
> it's not always feasible nor reasonable to upgrade (or tell one's
> customers to upgrade) the build infrastructure, especially since several
> distros as of this writing don't even seem to ship such a recent version
> in their official repositories.
> 
> This opt-in patch simply monkey-patches out any (the only) use of statx
> and ensures that the -ENOSYS fallbacks are used. While I agree that this
> is really a bug in the container system, this takes the short and
> pragmatic approach to getting things to work.
> 
> To opt-in, just prepend no-xstat: to OVERRIDES in some global
> configuration file, possibly restricting that to e.g. native and
> nativesdk.
> 
> Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
> ---
>  ...temengine_unix.cpp-disable-use-of-statx-2.patch | 58 ++++++++++++++++++++++
>  recipes-qt/qt5/qt5-git.inc                         |  2 +
>  2 files changed, 60 insertions(+)
>  create mode 100644 recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
> 
> diff --git a/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
> new file mode 100644
> index 0000000..6efbfe4
> --- /dev/null
> +++ b/recipes-qt/qt5/files/0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch
> @@ -0,0 +1,58 @@
> +From dc5218c70d445a4692271add1a17091afb230095 Mon Sep 17 00:00:00 2001
> +From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
> +Date: Mon, 16 Jul 2018 09:50:06 +0200
> +Subject: [PATCH] qfilesystemengine_unix.cpp: disable use of statx(2)
> +
> +When used inside an unprivileged docker container, statx(2) gets
> +rejected with -EPERM by the default seccomp profile, unless the host
> +runs an almost-bleeding edge version of docker (at least 18.04). That
> +causes most qt apps, qmake in particular, to fail.
> +
> +While the qt release notes do mention this
> +
> +   - Qt uses the statx(2) system call for obtaining file information on
> +   kernels 4.12 and later. Some older container systems install system call
> +   protection rules that do not include this system call. If you experience
> +   problems running Qt applications inside containers (such as the report of
> +   a file not existing when it does), ensure the statx(2) is allowed in the
> +   container configuration.
> +
> +it's not always feasible nor reasonable to upgrade (or tell one's
> +customers to upgrade) the build infrastructure.
> +
> +This opt-in patch simply monkey-patches out any (the only) use of statx
> +and ensures that the -ENOSYS fallbacks are used.
> +
> +https://github.com/docker/for-linux/issues/208
> +https://github.com/moby/moby/pull/36417
> +
> +Upstream-Status: Inappropriate [workaround]
> +---
> + src/corelib/io/qfilesystemengine_unix.cpp | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/src/corelib/io/qfilesystemengine_unix.cpp b/src/corelib/io/qfilesystemengine_unix.cpp
> +index b974af80dc..5f574901e3 100644
> +--- a/src/corelib/io/qfilesystemengine_unix.cpp
> ++++ b/src/corelib/io/qfilesystemengine_unix.cpp
> +@@ -320,6 +320,9 @@ mtime(const T &statBuffer, int)
> + #ifdef STATX_BASIC_STATS
> + static int qt_real_statx(int fd, const char *pathname, int flags, struct statx *statxBuffer)
> + {
> ++#if 1
> ++    return -ENOSYS;
> ++#else
> + #ifdef Q_ATOMIC_INT8_IS_SUPPORTED
> +     static QBasicAtomicInteger<qint8> statxTested  = Q_BASIC_ATOMIC_INITIALIZER(0);
> + #else
> +@@ -337,6 +340,7 @@ static int qt_real_statx(int fd, const char *pathname, int flags, struct statx *
> +     }
> +     statxTested.store(1);
> +     return ret == -1 ? -errno : 0;
> ++#endif
> + }
> + 
> + static int qt_statx(const char *pathname, struct statx *statxBuffer)
> +-- 
> +2.16.4
> +
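
Review bot: the "#if 1" added at the top of qt_real_statx() is an unnamed, uncommented switch, so once this is applied nothing in qfilesystemengine_unix.cpp says why the function is stubbed out or that the whole body under "#else" is now dead code. Consider a one-line comment above "return -ENOSYS;" pointing at the docker seccomp issue linked in the commit message, or a named guard in place of "#if 1", so the workaround is easy to find and drop later. The commit message also gives -EPERM as the error the seccomp profile produces, while the stub returns -ENOSYS unconditionally; that is acceptable for an opt-in workaround, but it means statx is disabled on hosts where the call would succeed as well, which is worth stating in the message.
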
> diff --git a/recipes-qt/qt5/qt5-git.inc b/recipes-qt/qt5/qt5-git.inc
> index 09b6cc5..41f9b7a 100644
> --- a/recipes-qt/qt5/qt5-git.inc
> +++ b/recipes-qt/qt5/qt5-git.inc
> @@ -15,3 +15,5 @@ CVE_PRODUCT = "qt"
>  S = "${WORKDIR}/git"
>  
>  PV = "5.11.1+git${SRCPV}"
> +
> +SRC_URI_append_no-xstat = " file://0001-qfilesystemengine_unix.cpp-disable-use-of-statx-2.patch"
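
Review bot: the override in "SRC_URI_append_no-xstat" is spelled "no-xstat", but the system call being disabled, per the subject and the patch file name, is statx(2); "no-statx" would match and make it less likely that someone sets the wrong name in OVERRIDES and silently gets no patch applied. The append also sits in qt5-git.inc while the patch only touches src/corelib/io/qfilesystemengine_unix.cpp, so it should be limited to the recipe whose source tree has that path.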

Isn't this applicable only to *qtbase* ?

> -- 
> 2.16.4
> 
> -- 
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com
