statx需要哪些功能才能停止提供EPERM [英] Which capabilities are needed for statx to stop giving EPERM

问题描述

我有一个Qt项目，该项目使用一个在我的系统上可以正常编译的插件接口。但是，当在docker中编译同一项目时，它停止使用Qt 5.10.1，给出消息 Error：Undefined interface 。在运行 moc 的某些 strace 之后，发现找不到定义该接口的头文件，因为包含文件路径上的 statx 调用始终返回 EPERM 。文档甚至都没有提到如何产生此错误。

I have a Qt project that uses a plugin interface which compiles fine on my system. However, when the same project is compiled inside docker it stopped working with Qt 5.10.1, giving the messageError: Undefined interface. After some straceing the moc run, it turned out that a header file that defines the interface is not found because the statx call on the include's filepath always returns EPERM. The documentation does not even mention how this error can be generated.

docker run --privileged 修复了此问题，但我想避免过多的权限，所以我只想设置必要的权限。

docker run --privileged fixes this problem but I would like to avoid excessive permissions so I wanted to set only the necessary ones.

到目前为止，我试图添加所有这些功能（即使同时）成功：

So far I tried to add all of these capabilities (even at the same time) without success:

• CAP_DAC_OVERRIDE


• CAP_DAC_READ_SEARCH


• CAP_FOWNER


• CAP_SETFCAP

• CAP_DAC_OVERRIDE
• CAP_DAC_READ_SEARCH
• CAP_FOWNER
• CAP_SETFCAP

我在这里缺少什么吗？

更新

A

A pull request for this is pending.

推荐答案

在2018-03-06之前

statx 不包含在默认 seccomp 白名单。

Before 2018-03-06

statx isn't included in the default seccomp whitelist used by Docker as of present date.

您可以使用-security-opt seccomp = / path /to/seccomp/profile.json 指定其他配置文件（大概是添加了此系统调用的配置文件）。

You can use --security-opt seccomp=/path/to/seccomp/profile.json to specify a different profile (presumably, one with this syscall added).

moby / moby＃36417 是于2018年3月6日合并为大师。

它应该包含在以后的每晚构建中，最终包含在Docker中18.04版本。

It should be included in nightly builds going forward, and eventually in the Docker 18.04 release.

这篇关于statx需要哪些功能才能停止提供EPERM的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！