Which capabilities are needed for statx to stop giving EPERM

Before 2018-03-06

statx isn't included in the default seccomp whitelist used by Docker as of present date.

You can use --security-opt seccomp=/path/to/seccomp/profile.json to specify a different profile (presumably, one with this syscall added).


After 2018-03-06

moby/moby#36417 was merged to master as of March 6th, 2018.

It should be included in nightly builds going forward, and eventually in the Docker 18.04 release.
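
For the custom-profile route mentioned above (--security-opt seccomp=/path/to/seccomp/profile.json), the following is an added example, not part of the original answer or of Docker itself: it checks whether a profile in Docker's seccomp JSON format lets statx through and, if not, returns a copy with an allow rule for it. The sample profile is constructed, and the function names are hypothetical. A syscall that matches no rule gets the profile's defaultAction, which with SCMP_ACT_ERRNO is the EPERM described here.

```python
import copy
import json

ALLOW = "SCMP_ACT_ALLOW"

# Constructed sample: a cut-down profile in Docker's JSON format that, like the
# pre-18.04 default, allows the older stat calls but has no entry for statx.
SAMPLE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["stat", "fstat", "lstat"], "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]}
  ]
}
""")

def syscall_verdict(profile, syscall="statx"):
    """Return 'allow', 'conditional', or the action that applies to `syscall`."""
    verdict = profile.get("defaultAction", "SCMP_ACT_ERRNO")
    for rule in profile.get("syscalls", []):
        # Current profiles list "names"; older ones carried a single "name".
        names = rule.get("names") or [rule.get("name")]
        if syscall not in names:
            continue
        if rule.get("action") != ALLOW:
            return rule.get("action")
        # Rules gated on arguments or on includes/excludes conditions apply only sometimes.
        if rule.get("args") or rule.get("includes") or rule.get("excludes"):
            verdict = "conditional"
            continue
        return "allow"
    return verdict

def allow_syscall(profile, syscall="statx"):
    """Return a copy of `profile` with an unconditional allow rule for `syscall`."""
    if syscall_verdict(profile, syscall) == "allow":
        return profile
    patched = copy.deepcopy(profile)
    patched.setdefault("syscalls", []).append(
        {"names": [syscall], "action": ALLOW, "args": []})
    return patched

if __name__ == "__main__":
    print("before:", syscall_verdict(SAMPLE))   # falls through to defaultAction
    patched = allow_syscall(SAMPLE)
    print("after: ", syscall_verdict(patched))
    print(json.dumps(patched, indent=2))         # save and pass via --security-opt
```

Start from the full default profile of the Docker version in use rather than a cut-down one, so that adding statx does not drop the other rules.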

moc failing with 'Undefined interface' with Qt 5.10 in a Docker container

Running moc under strace shows Operation not permitted on various statx calls, which sheds some light on why exactly it fails (also, related to this question). This pull request is hopefully going to fix this.

Why can't I install libpaper1 with remote Docker 17.09?

The error comes from statx, not from libpaper1.
statx wasn't included in the default seccomp whitelist used by Docker before version 18.04.0, as we can see in the Docker Engine 18.04 release notes page.

Whitelist statx syscall. moby/moby#36417

That's why upgrading Docker is the solution.

Sources:

  • https://github.com/moby/moby/pull/36417

  • Which capabilities are needed for statx to stop giving EPERM

  • https://unix.stackexchange.com/questions/672183/cannot-install-ghostscript-libgs9-and-libpaper1-on-debian-bullseye


