[Bug 2059734] Re: Tar fails to extract archives that include folders with certain permissions on armhf

Simon Chopin 2059734 at bugs.launchpad.net
Wed Nov 20 10:07:49 UTC 2024 

Unsubscribing ubuntu-sponsors as AFAICT there is nothing for us to do
here.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2059734

Title:
  Tar fails to extract archives that include folders with certain
  permissions on armhf

Status in libseccomp package in Ubuntu:
  Fix Released
Status in tar package in Ubuntu:
  Invalid
Status in libseccomp source package in Jammy:
  Fix Committed
Status in libseccomp source package in Mantic:
  Won't Fix
Status in tar source package in Mantic:
  Won't Fix
Status in libseccomp source package in Noble:
  Invalid
Status in tar source package in Noble:
  Invalid

Bug description:
  Thank you @loganbussell-msft for the bug report!

  [Impact]

  Currently running containers using modern versions of glibc such as
  the one available in noble on older hosts causes permissions issues
  inside the container. This is due to newer versions of glibc expecting
  the fchmodat2 syscall to be available and to return ENOSYS in case it
  is not. However docker seccomp profile defaults to returning EPERM for
  all non defined syscalls and writing an entry for fchmodat2 in the
  docker seccomp profile to return ENOSYS does not work on systems where
  libseccomp does not have support for fchmodat2.

  Running armhf noble docker containers on arm64 jammy hosts has been
  seen to exhibit this behavior and a patch to libseccomp for jammy is
  required to fix the issue.

  Other architectures may also be affected by this issue that such as
  ppc64le as reported by @mark-elvers.

  I have backported a fix from upstream that adds the missing syscalls
  to libseccomp and verified it on an ampere arm machine as well as on a
  raspberry pi 4

  [Test Plan]

  1- On an ARM 64 machine install the latest version of docker on a
  jammy host by following the official docker documentation.
  [https://docs.docker.com/engine/install/ubuntu/]

  2- Create an armhf noble docker container:
  $ docker run --rm -it --platform linux/arm/v7 --entrypoint bash ubuntu.azurecr.io/ubuntu:noble

  3- inside the docker container execute the following commands to
  create a new tar file and then extract it:

  mkdir /test \
      && chmod 775 /test \
      && cd /test \
      && mkdir 775 \
      && chmod 775 775 \
      && touch 775/test.txt \
      && chmod 644 775/test.txt \
      && tar -czvf /test.tar.gz .

  mkdir -p /test2 \
      && tar -tzvf /test.tar.gz \
      && tar -oxzf /test.tar.gz -C /test2

  4- you will see the following errors:

  tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted
  tar: Exiting with failure status due to previous errors

  5- When  libseccomp is patched the command will run with no permission
  issues

  [Where problems could occur]

  * the issue might still occur on other platforms 
  * if using an older version of docker the issue will still occur

  
  [Original Description]
  When running Ubuntu Noble in an arm32 Docker container, on certain hosts (Azure VM CI agents), tar fails to extract certain archives that include folders with specific permissions set.

  Here's a concise repro. The error occurs in when building the
  Dockerfile. I can only get this to work on Azure VMs, but can't find
  out why.

  ```Dockerfile
  FROM ubuntu.azurecr.io/ubuntu:noble

  # Create the problematic archive
  RUN mkdir /test \
      && chmod 775 /test \
      && cd /test \
      && mkdir 775 \
      && chmod 775 775 \
      && touch 775/test.txt \
      && chmod 644 775/test.txt \
      && tar -czvf /test.tar.gz .

  # Extracting it gives an error
  RUN mkdir -p /test2 \
      && tar -tzvf /test.tar.gz \
      && tar -oxzf /test.tar.gz -C /test2
  ```

  What I expected to happen: The test.tar.gz archive should be
  successfully extracted to the /test2 directory.

  What happened instead: Tar throws the following error:
  ```
  tar: ./775: Cannot change mode to rwxrwxr-x: Operation not permitted
  tar: Exiting with failure status due to previous errors
  ```

  The Ubuntu container is running as root so there shouldn't be any
  permission errors.

  Since this is running in a container, I observed this happening on the following kernel:
  `Linux version 5.15.148.2-2.cm2 (root at CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) #1 SMP Fri Feb 23 23:38:33 UTC 2024`
  As well as
  `Linux <hostname> 6.5.0-1017-azure #17~22.04.1-Ubuntu SMP Sat Mar  9 10:04:07 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux`

  I was not able to reproduce it using Ubuntu 22.04 Jammy
  (ubuntu.azurecr.io/ubuntu:jammy), using the same kernel as above.

  Additionally I was not able to reproduce this on the kernel `Linux
  cb0507859b24 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11
  04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux`, which is running on
  my work machine, using Docker qemu emulation for the arm32 image.

  Ubuntu version: Ubuntu Noble Numbat (development branch) 24.04 (from ubuntu.azurecr.io/ubuntu:noble)
  tar version: `1.35+dfsg-3`

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/2059734/+subscriptions

More information about the Ubuntu-sponsors mailing list