Bug#896687: systemd-container: EPERM when use syscall statx inside nspawn, with default filter
张 敬强
zh_jq at outlook.com
Mon Apr 23 17:07:40 BST 2018
On Monday, 23 April 2018 at 11:54:26 PM CST, Michael Biebl wrote:
> > I can use statx outside of the container, but always get EPERM in it.
> > I didn't set filters myself, just use the default ones.
> > The problem does not exist with amd64 hosts.
>
> Please share more details about your setup:
> - What commands you use to create the chroot
`debootstrap sid /var/lib/machines/ci_buster`
Then chroot to it and install dbus and dev pkgs.
> - What exact command line you use to start the nspawn container
`systemctl start systemd-nspawn@ci_buster`
The nspawn file is:
```
[Exec]
Boot=yes
PrivateUsers=no
[Network]
VirtualEthernet=yes
```
> - What command exactly you run inside the container
Just compile and run this C file:
```
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <linux/stat.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <string.h>
#include <errno.h>

/* Raw syscall wrapper, bypassing libc. Not named statx() so it does not
 * clash with the statx() that newer glibc declares in <sys/stat.h>. */
static inline long raw_statx(int dirfd, const char *pathname, int flags,
                             unsigned int mask, struct statx *statxbuf)
{
    return syscall(__NR_statx, dirfd, pathname, flags, mask, statxbuf);
}

int main(int argc, char *argv[])
{
    struct statx sx;

    memset(&sx, 0, sizeof(sx)); /* so stx_size is defined if the call fails */
    int ret = raw_statx(AT_FDCWD, "/tmp/aaa",
                        AT_NO_AUTOMOUNT | AT_SYMLINK_NOFOLLOW, STATX_SIZE, &sx);
    /* stx_size is a 64-bit field; %lu is wrong on 32-bit targets */
    fprintf(stdout, "ret: %d, error: %s, size: %llu\n",
            ret, strerror(errno), (unsigned long long)sx.stx_size);
    return 0;
}
```
Will get the 'Operation is not permitted' message if run inside the container.