util: Add inotify_rm_watch to syscall sandbox (AllowFileSystem) #24690
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Backport into 23.x? |
|
So this only happens in the GUI, not bitcoind? I always wondered how to add GUI-specific syscalls to the sandbox. |
Merged
|
Backported to v23 in #24512. |
jonatack
pushed a commit
to jonatack/bitcoin
that referenced
this pull request
Mar 30, 2022
Github-Pull: bitcoin#24690 Rebased-From: f05a4cd
hebasto
added a commit
to hebasto/bitcoin
that referenced
this pull request
Mar 31, 2022
Github-Pull: bitcoin#24690 Rebased-From: f05a4cd
jonatack
pushed a commit
to jonatack/bitcoin
that referenced
this pull request
Mar 31, 2022
Github-Pull: bitcoin#24690 Rebased-From: f05a4cd
I think ideally we'd add a separate profile for the GUI thread, so that the GUI specific syscalls (which is pretty much an open uncontainable set and pit of despair, given the tree of dependencies) don't clutter the more contained bitcoind ones. Another option would be to not sandbox Qt's threads at all. Maybe that is the best. |
To illustrate: Qt indirectly uses the graphics driver (at for non-statically linked builds which link against the OS). There's no saying what it might do and might depend on the hardware. |
fanquake
added a commit
that referenced
this pull request
Mar 31, 2022
174af33 util: Add inotify_rm_watch to syscall sandbox (AllowFileSystem) (Hennadii Stepanov) ded10fe build: Fix Boost.Process test for Boost 1.78 (Hennadii Stepanov) 26c2f23 build: Fix Boost.Process detection on macOS arm64 (Hennadii Stepanov) 85f85c7 util: add linkat to syscall sandbox (AllowFileSystem) (fanquake) eaa0419 contrib: fix signet miner (sighash mismatch) (Sebastian Falbesoner) 235b042 rpc: Exclude descriptor when address is excluded (MarcoFalke) b05a59b ci: Temporarily use clang-13 to work around clang-14 TSan bug (MarcoFalke) 65b9667 doc, init: add links to doc/cjdns.md (Jon Atack) 7a553d4 doc: update i2p.md with cjdns, improve local addresses section (Jon Atack) 4148396 doc: update tor.md with cjdns and getnodeaddresses, fix tor grep, (Jon Atack) 4690e8a doc: create initial doc/cjdns.md for cjdns how-to documentation (Jon Atack) 5d24f61 Clarify in -maxtimeadjustment that only outbound peers influence time data (Jon Atack) b1646f1 test: set segwit height back to 0 on regtest (Martin Zumsande) ef6a37b rpc: rename getdeploymentinfo status-next to status_next (Jon Atack) 2a6fcf9 init, doc: improve -onlynet help and tor/i2p documentation (Jon Atack) Pull request description: Backport the following to 23.x: - #24468 - #24528 - #24527 - #24609 - #24555 - #24663 - #24572 - #24636 - #24553 - #24659 - #24521 - #24523 - #24690 - #24710 Possibly also: - #24579 - #24691 ACKs for top commit: laanwj: List-of-commits ACK 174af33, I think we should merge this and move forward with rc3.. hebasto: ACK 174af33 Tree-SHA512: 5a493e1652b780b527767d6ca9e67012abd2fa5573496e85e0d8aa4bed3eb332bfcd72610b8dfb954ff274d42450623233c96c479de2085b9c8344ba5abf1935
sidhujag
pushed a commit
to syscoin/syscoin
that referenced
this pull request
Apr 3, 2022
…llowFileSystem) f05a4cd util: Add inotify_rm_watch to syscall sandbox (AllowFileSystem) (Hennadii Stepanov) Pull request description: This PR fixes the current master (3297f5c) when running `bitcoin-qt` on Ubuntu 22.04 and quitting: ``` $ ./src/qt/bitcoin-qt -signet -sandbox=log-and-abort Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway. ERROR: The syscall "inotify_rm_watch" (syscall number 255) is not allowed by the syscall sandbox in thread "main". Please report. terminate called without an active exception Aborted (core dumped) ``` Also see bitcoin#24659 (comment) ACKs for top commit: fanquake: ACK f05a4cd - checked that qt is using this in it's filesystem watcher code. Tree-SHA512: 9c7920a25422cd3a040bc1cbc487c12c3dc2b91358c3757f1030d6a1ff12c18c688a8e5b7466f683da88a5e4f5f15d442975660022d706e47021253c24c58f4a
laanwj
added a commit
to bitcoin-core/gui
that referenced
this pull request
Apr 6, 2022
…qt and remove gui-related syscalls fabdf9f Remove gui-only syscalls (MarcoFalke) fa0c2aa init: Disable syscall sandbox in the bitcoin-qt process (MarcoFalke) Pull request description: It is basically impossible (and a bit out of scope) for us to maintain a sandbox for the qt library. I am not sure if it is possible to only sandbox a few threads in a process, but I doubt this will add no practical benefit anyway, so I am disabling the sandbox for the whole bitcoin-qt process. See also bitcoin/bitcoin#24690 (comment) ACKs for top commit: laanwj: Code review ACK fabdf9f Tree-SHA512: 944ded03ee25f7dfd0bfeea9c3f97f575f2d470aa03b387b07f3e3bec5cb886e4aaa17e4a9fb359d3e670e6da69adc9111673d13e6561ec55b3161bb67dfe760
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes the current master (3297f5c) when running
bitcoin-qton Ubuntu 22.04 and quitting:Also see #24659 (comment)