"Operation not permitted": on ARM it only runs with "disable-sandbox"
Opened this issue · 20 comments
Hi, first of all thanks for your work in this extremely usefull written in C for speed and promising tool.
I've been testing and using it on my x64 Arch Linux for some months. Very happy.
It's intended to be used with terminal RSS readers, to make the articles more readable on web browsers such as lynx.
I use it with w3m. Feel free to update the README as well.
W3m is a very underrated (and badly documented) cli browser. But with incredible customizing options. It works amazingly fast with rdrview.
You can use it for a one shot operation like this:
$ rdrview -H https://www.bbc.com/news/world-asia-china-55784231 | w3m -T text/html
or
$ rdrview -H https://www.bbc.com/news/world-asia-china-55784231 | w3m -T text/html -dump
Or for interactive browsing.
You can for example add these lines to the config file, ~/.w3m/keymap
keymap \\\r COMMAND "SHELL 'rdrview -H $W3M_URL > /tmp/rdrview.html' ; LOAD /tmp/rdrview.html"
or
keymap \\\r COMMAND "SHELL 'clear; echo \"parsing page with rdrview\" ; echo ; rdrview -H $W3M_URL > /tmp/rdrview.html' ; LOAD /tmp/rdrview.html"
and then use "\r" when your browsing a page inside w3m.
My issue is when I try to run in on Arm, also Arch Linux, armv7.
I tried it on both a chromebook running:
Linux alarmsung 5.10.10-1-ARCH #1 SMP PREEMPT Sat Jan 23 23:26:35 UTC 2021 armv7l GNU/Linux
and a Raspberry Pi 2 running:
Linux alarmpi 5.4.83-4-ARCH #1 SMP PREEMPT Wed Jan 20 14:06:49 UTC 2021 armv7l GNU/Linux
I install rdrview by hand. I do not use the Arch User AUR package like this other user, #13. This AUR arch linux is not well maintained and is marked only for x64 not Arm, https://aur.archlinux.org/packages/rdrview-git
What I do instead is this.
I do git clone .. and then run make.
On both these ARM systems I have the exact same needed dependencies installed
They are the same as in my working x64 system, and they are official distro packages:
local/libseccomp 2.5.1-2
Enhanced seccomp library
local/libxml2 2.9.10-8
XML parsing library, version 2
local/libcurl-gnutls 7.74.0-1
An URL retrieval library (linked against gnutls)
Compilation with make runs without a problem. But running it, whatever the options choosen always gets me a message:
rdrview: Operation not permitted
If I use the flag "--disable-sandbox" then it works.
I'm not a developer, and have zero understanding of C programing, syscalls or security. The only thing I could find that brought me here was the similar issue by the other user.
#10 (comment)
...I am on a musl based system....
... have to use 'disable-sandbox' to get a webpage rendered....
Additional info that might be usefull:
- Some libs
Architecture : armv7h
glibc, Version : 2.32-2
gcc, Version : 10.2.0-1
- strace
$ strace rdrview -M https://www.bbc.com/news/world-asia-china-55784231 2>> error_log.txt
- The compiled binary on arm:
$ file ./rdrview
./rdrview: ELF 32-bit LSB pie executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, BuildID[sha1]=b7438379398f311b185c1ba3a7ba9019f245321d, for GNU/Linux 3.2.0, not stripped
...And send me the output
pulled the latest commits, compiled a fresh one, and here it is:
[pid 18413] fstat64(5, 0xbebd5b60) = -1 EPERM (Operation not permitted)
[pid 18413] fcntl64(4, F_GETFL) = -1 EPERM (Operation not permitted)
Still failing.
$ git show origin/master --no-patch
commit ecda324fd9aa1cba07b9a00ac10af0ab7e55c663
Author: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Date: Tue Jan 26 15:23:38 2021 -0300
Allow 64-bit version of fstat() syscall on Linux
...
$ strace -f rdrview -H 'https://github.com/eafer/rdrview' 2>&1 >/dev/null | grep EPERM
[pid 4158] mmap2(NULL, 153932, PROT_READ|PROT_WRITE, MAP_SHARED, 5, 0) = -1 EPERM (Operation not permitted)
[pid 4158] fcntl64(4, F_GETFL) = -1 EPERM (Operation not permitted)
... so it should work
Yes it does. Tested on both Raspberry Pi and Chromebook (armv7).
I dont have a Raspberry Pi 4 for testing armv8/aarch64.
I can confirm working on AArch64 on another rplatform
Although I can't seem to use it with a browser
[parker@nintendoswitch rdrview-git]$ rdrview -B links 'https://github.com/eafer/rdrview'
rdrview: Operation not permitted
[parker@nintendoswitch rdrview-git]$ rdrview -B lynx 'https://github.com/eafer/rdrview'
rdrview: Operation not permitted
Gist of strace (See next message) https://gist.github.com/1bf87765d716ce60b011dd1a633132cf
Forgot to do the follow-forks https://gist.github.com/2948087883f55cccd44164fb9745ffa0
9214 dup(1) = 4
9214 dup3(3, 1, 0) = -1 EPERM (Operation not permitted)
9214 dup(2) = 6
9214 fcntl(6, F_GETFL) = -1 EPERM (Operation not permitted)
9214 close(6) = 0
9214 write(2, "rdrview: Operation not permitted"..., 33) = 33
Works great! Thanks.
Since I forgot to mention: That's Arch Linux ARM (aarch64)
I don't know if this is an issue worthy of it's own thread, but I was having a similar issue on x64 Arch Linux, so I ran the strace previously posted here and got the following errors
[pid 2026874] newfstatat(5, "", 0x7ffd80399170, AT_EMPTY_PATH) = -1 EPERM (Operation not permitted)
[pid 2026874] fcntl(4, F_GETFL) = -1 EPERM (Operation not permitted)
So I tried adding the following lines to my sandbox.c and it worked perfectly.
fail |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0);
fail |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0);
I'm facing the same issue (or at least seems like the same). But I'm on x86_64-linux (NixOS). only --disable-sandbox works
I'm facing the same issue (or at least seems like the same). But I'm on x86_64-linux (NixOS). only --disable-sandbox works
Can you run
strace -f rdrview -H 'https://github.com/eafer/rdrview' 2>&1 >/dev/null | grep EPERM
and send me the output?
PS: I'm using 7be01fb
In that case, I think this issue has already been fixed. Try the current head.