View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0000678fileGeneralpublic2025-08-06 21:172025-08-06 21:30
Reportertobias Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version5.46 
Summary0000678: glibc on physical terminals with seccomp fails due to TCGETS2
DescriptionCurrent Arch Linux installations cannot run file on physical terminal.

This happens because file is built with seccomp and glibc uses the ioctl TCGETS2.

TCGETS is already part of the sandbox, but not TCGETS2.
Steps To Reproduce- Install Arch Linux or compile file with seccomp on a system with current glibc (2.24, maybe lower as well [not tested]).
- Switch to physical terminal.
- Run file /dev/null

The call fails due to bad system call, which is ioctl TCGETS2.
TagsNo tags attached.

Activities

tobias

2025-08-06 21:17

reporter  

tcgets2.patch (1,188 bytes)    
From 7b23bd3f87069fcebc9173c8d1637c2a2e1a12d1 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Wed, 6 Aug 2025 23:11:10 +0200
Subject: [PATCH] Extend seccomp for glibc and  physical terminals

New glibc implementations might also use TCGETS2 instead of TCGETS.
This happens on current Arch Linux systems. Allow TCGETS2 in seccomp
sandbox as well.
---
 src/seccomp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/seccomp.c b/src/seccomp.c
index f05c30f9..dddb821c 100644
--- a/src/seccomp.c
+++ b/src/seccomp.c
@@ -37,6 +37,8 @@ FILE_RCSID("@(#)$File: seccomp.c,v 1.31 2025/03/20 14:57:41 christos Exp $")
 #ifdef __powerpc64__
 // See: https://sourceware.org/bugzilla/show_bug.cgi?id=32806
 # include <asm/termbits.h>
+#elif defined __linux__
+# include <linux/termios.h>
 #else
 # include <termios.h>
 #endif
@@ -121,6 +123,10 @@ enable_sandbox(void)
 #ifdef TCGETS
 	// glibc may call ioctl TCGETS on stdout on physical terminal
 	ALLOW_IOCTL_RULE(TCGETS);
+#endif
+#ifdef TCGETS2
+	// glibc may call ioctl TCGETS2 on stdout on physical terminal
+	ALLOW_IOCTL_RULE(TCGETS2);
 #endif
 	ALLOW_RULE(lseek);
  	ALLOW_RULE(_llseek);
-- 
2.50.1
tcgets2.patch (1,188 bytes)   

tobias

2025-08-06 21:30

reporter   ~0004280

Description states glibc 2.24 instead of 2.42. Sorry for that, didn't test THAT far back in time. :)

Issue History

Date Modified Username Field Change
2025-08-06 21:17 tobias New Issue
2025-08-06 21:17 tobias File Added: tcgets2.patch
2025-08-06 21:30 tobias Note Added: 0004280