#5487 closed enhancement (worksforme)
glibc enable-kernel version
Reported by: | thomas | Owned by: | lfs-book |
---|---|---|---|
Priority: | normal | Milestone: | 12.2 |
Component: | Book | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
In #lfs, a user reported
[08:51:00] <urja> If you build glibc with --enable-kernel=4.19, as is said in the book, firefox 125 sandboxed content process will not be able to find any fonts (and mysteriously crashes) because glibc statx() will not fall back to fstat (the sandbox blocks statx expecting the fallback)
I just add this as no one else of us is in #lfs, so I want to make sure that this doesn't get lost. I know, we do not have ff-125 in book for whatever reason, but it's also true that Arch uses --enable-kernel=4.4.
I cannot comment any further as my technical knowledge about this stuff is quite clear...
Change History (3)
comment:1 by , 6 months ago
comment:2 by , 6 months ago
Resolution: | → worksforme |
---|---|
Status: | new → closed |
I've built Firefox-125.0.3 and it runs fine for me on a system with Glibc built --enable-kernel=6.8.
I guess the issue has been covered up since the Glibc commit:
commit 551101e8240b7514fc646d1722f8b79c90362b8f
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date: Mon Sep 11 10:25:48 2023 -0300

io: Do not implement fstat with fstatat

AT_EMPTY_PATH is a requirement to implement fstat over fstatat, however it does not prevent the kernel to read the path argument. It is not an issue, but on x86-64 with SMAP-capable CPUs the kernel is forced to perform expensive user memory access. After that regular lookup is performed which adds even more overhead.

Instead, issue the fstat syscall directly on LFS fstat implementation (32 bit architectures will still continue to use statx, which is required to have 64 bit time_t support). it should be even a small performance gain on non x86_64, since there is no need to handle the path argument.

Checked on x86_64-linux-gnu.
which is released in Glibc-2.39 for x86_64. For 32-bit x86 we are already saying --disable-sandbox should be used in the BLFS Firefox page.
comment:3 by , 6 months ago
No, my previous guess seems incorrect. On x86_64 even Glibc-2.38 does not use statx for fstatat or fstat.
But anyway Firefox-125.0.3 is running fine for me. So I now guess the OP is just running a 32-bit LFS, and for 32-bit systems we are already telling users to disable the Firefox sandbox.
The entire idea of "seccomp sandboxing" is bullsh*t, I'd say.
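The failure mode reported in the description, a sandbox that answers statx with ENOSYS and a libc that either retries with fstat or does not, sketched as an added example (not code from glibc, Firefox or this ticket). `sandbox_statx`, `fd_size`, `probe` and the `assume_statx` switch are hypothetical names; the stub is a constructed stand-in for the seccomp policy, and the switch models a libc built for a minimum kernel that always provides statx.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/stat.h>   /* struct statx, STATX_SIZE */
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

/* Raw statx entry point, injectable so a stub can play the sandbox. */
typedef long (*statx_fn)(int, const char *, int, unsigned, struct statx *);
long kernel_statx(int fd, const char *p, int fl, unsigned m, struct statx *s) {
    return syscall(SYS_statx, fd, p, fl, m, s);
}
/* Constructed stand-in for a seccomp policy answering statx with ENOSYS. */
long sandbox_statx(int fd, const char *p, int fl, unsigned m, struct statx *s) {
    (void)fd; (void)p; (void)fl; (void)m; (void)s;
    errno = ENOSYS;
    return -1;
}

/* assume_statx != 0 models a libc built for a minimum kernel that always
   has statx, so no ENOSYS fallback is compiled in (an assumption here). */
int fd_size(int fd, statx_fn do_statx, int assume_statx, long long *size) {
    struct statx stx;
    struct stat st;
    if (do_statx(fd, "", AT_EMPTY_PATH, STATX_SIZE, &stx) == 0) {
        *size = (long long)stx.stx_size;
        return 0;
    }
    if (errno != ENOSYS || assume_statx)
        return -errno;         /* the sandbox's error reaches the caller */
    if (fstat(fd, &st) != 0)   /* older syscall the sandbox still allows */
        return -errno;
    *size = (long long)st.st_size;
    return 0;
}

/* Hypothetical helper: stat "/" through the given statx implementation. */
int probe(statx_fn do_statx, int assume_statx) {
    long long size = 0;
    int fd = open("/", O_RDONLY);
    if (fd < 0) return -errno;
    int rc = fd_size(fd, do_statx, assume_statx, &size);
    close(fd);
    return rc;
}

int main(void) { return probe(sandbox_statx, 0) != 0; }
```

With the fallback present the sandboxed call succeeds through fstat; without it the caller receives -ENOSYS, which is the behaviour the report attributes to the sandboxed content process.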