On středa 29. října 2025 21:44:14, středoevropský standardní čas Richard W.M.
Jones wrote:
> On Wed, Oct 29, 2025 at 04:33:29PM +0100, Pavel Raiskup wrote:
> > On středa 29. října 2025 15:20:26, středoevropský standardní čas Pavel
> > Raiskup wrote:
> > > On pondělí 11. srpna 2025 0:08:23, středoevropský standardní čas Orion
> > > Poplawski wrote:
> > > > I use centos stream 9 for my primary laptop. I'm trying to build some
> > > > Fedora Rawhide packages in mock. When rpm is trying to uncompress xz
> > > > tar balls I get:
> > > >
> > > > + /usr/lib/rpm/rpmuncompress -x
> > > > /builddir/build/SOURCES/gdal-3.11.3-fedora.tar.xz
> > > > /usr/bin/xz: Failed to enable the sandbox
> > > >
> > > > Any clue as to what is causing this? I'm not seeing any obvious
> > > > SELinux
> > > > errors.
> > >
> > > I was pointed to this e-mail today. This seems like the EL9 kernel is
> > > just too
> > > old to run `xz` built for rawhide.
> > >
> > > <mock-rawhide-shell-on-el9-box> $ strace xz -d gdal-3.11.4-fedora.tar.xz
> > > prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
> > > landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) = 6
> > > landlock_create_ruleset({handled_access_fs=LANDLOCK_ACCESS_FS_EXECUTE|LANDLOCK_ACCESS_FS_REMOVE_DIR|LANDLOCK_ACCESS_FS_MAKE_CHAR|LANDLOCK_ACCESS_FS_MAKE_DIR|LANDLOCK_ACCESS_FS_MAKE_SOCK|LANDLOCK_ACCESS_FS_MAKE_FIFO|LANDLOCK_ACCESS_FS_MAKE_BLOCK|LANDLOCK_ACCESS_FS_MAKE_SYM|LANDLOCK_ACCESS_FS_REFER|LANDLOCK_ACCESS_FS_TRUNCATE|LANDLOCK_ACCESS_FS_IOCTL_DEV,
> > >
> > > handled_access_net=LANDLOCK_ACCESS_NET_BIND_TCP|LANDLOCK_ACCESS_NET_CONNECT_TCP,
> > > scoped=LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET|LANDLOCK_SCOPE_SIGNAL}, 24,
> > > 0) = -1 EINVAL (Invalid argument)
> > > ...
> >
> > I opened this bug to let XZ maintainers know:
> > https://bugzilla.redhat.com/show_bug.cgi?id=2407105
>
> Does this still happen if you update the RHEL 9 kernel to any version >=
> kernel-5.14.0-596.el9?
>
> It seems like the landlock ABI in RHEL 9 changed from 5 to 6 in
> -596.el9, making it compatible with Fedora again, and that might have
> the side effect of fixing the problem. Of course the same thing will
> probably happen again in future.
Yes, with kernel-5.14.0-625.el9.x86_64:
landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) = 6
landlock_create_ruleset({handled_access_fs=LANDLOCK_ACCESS_FS_EXECUTE|LANDLOCK_ACCESS_FS_REMOVE_DIR|LANDLOCK_ACCESS_FS_MAKE_CHAR|LANDLOCK_ACCESS_FS_MAKE_DIR|LANDLOCK_ACCESS_FS_MAKE_SOCK|LANDLOCK_ACCESS_FS_MAKE_FIFO|LANDLOCK_ACCESS_FS_MAKE_BLOCK|LANDLOCK_ACCESS_FS_MAKE_SYM|LANDLOCK_ACCESS_FS_REFER|LANDLOCK_ACCESS_FS_TRUNCATE|LANDLOCK_ACCESS_FS_IOCTL_DEV,
handled_access_net=LANDLOCK_ACCESS_NET_BIND_TCP|LANDLOCK_ACCESS_NET_CONNECT_TCP,
scoped=LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET|LANDLOCK_SCOPE_SIGNAL}, 24, 0) = -1
EINVAL (Invalid argument)
brk(NULL) = 0x556396ab6000
brk(0x556396ad7000) = 0x556396ad7000
write(2, "xz: ", 4xz: ) = 4
write(2, "Failed to enable the sandbox", 28Failed to enable the sandbox) =
28
write(2, "\n", 1
) = 1
exit_group(1) = ?
+++ exited with 1 +++
To reproduce, just grab a RHEL 9 machine, and do:
dnf install -y mock --enablerepo epel
useradd foo && usermod -a -G mock foo && su - foo
mock -r fedora-rawhide-x86_64 --install strace
mock -r fedora-rawhide-x86_64 --shell --enable-network
.. execute `xz -d some.xz` through strace ...
Pavel
> Rich.
>
> --
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> Fedora Windows cross-compiler. Compile Windows programs, test, and
> build Windows installers. Over 100 libraries supported.
> http://fedoraproject.org/wiki/MinGW
>
>
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
