rdrview
rdrview copied to clipboard
eafer
"Operation not permitted": on ARM it only runs with "disable-sandbox"
Hi, first of all thanks for your work in this extremely usefull written in C for speed and promising tool.
I've been testing and using it on my x64 Arch Linux for some months. Very happy.
It's intended to be used with terminal RSS readers, to make the articles more readable on web browsers such as lynx.
I use it with w3m. Feel free to update the README as well.
W3m is a very underrated (and badly documented) cli browser. But with incredible customizing options. It works amazingly fast with rdrview.
You can use it for a one shot operation like this:
$ rdrview -H https://www.bbc.com/news/world-asia-china-55784231 | w3m -T text/html
or
$ rdrview -H https://www.bbc.com/news/world-asia-china-55784231 | w3m -T text/html -dump
Or for interactive browsing. You can for example add these lines to the config file, ~/.w3m/keymap
keymap \\\r COMMAND "SHELL 'rdrview -H $W3M_URL > /tmp/rdrview.html' ; LOAD /tmp/rdrview.html"
or
keymap \\\r COMMAND "SHELL 'clear; echo \"parsing page with rdrview\" ; echo ; rdrview -H $W3M_URL > /tmp/rdrview.html' ; LOAD /tmp/rdrview.html"
and then use "\r" when your browsing a page inside w3m.
My issue is when I try to run in on Arm, also Arch Linux, armv7.
I tried it on both a chromebook running:
Linux alarmsung 5.10.10-1-ARCH #1 SMP PREEMPT Sat Jan 23 23:26:35 UTC 2021 armv7l GNU/Linux
and a Raspberry Pi 2 running:
Linux alarmpi 5.4.83-4-ARCH #1 SMP PREEMPT Wed Jan 20 14:06:49 UTC 2021 armv7l GNU/Linux
I install rdrview by hand. I do not use the Arch User AUR package like this other user, https://github.com/eafer/rdrview/issues/13. This AUR arch linux is not well maintained and is marked only for x64 not Arm, https://aur.archlinux.org/packages/rdrview-git
What I do instead is this. I do git clone .. and then run make.
On both these ARM systems I have the exact same needed dependencies installed
They are the same as in my working x64 system, and they are official distro packages:
local/libseccomp 2.5.1-2
Enhanced seccomp library
local/libxml2 2.9.10-8
XML parsing library, version 2
local/libcurl-gnutls 7.74.0-1
An URL retrieval library (linked against gnutls)
Compilation with make runs without a problem. But running it, whatever the options choosen always gets me a message:
rdrview: Operation not permitted
If I use the flag "--disable-sandbox" then it works.
I'm not a developer, and have zero understanding of C programing, syscalls or security. The only thing I could find that brought me here was the similar issue by the other user.
https://github.com/eafer/rdrview/issues/10#start-of-content ...I am on a musl based system.... ... have to use 'disable-sandbox' to get a webpage rendered....
Additional info that might be usefull:
- Some libs
Architecture : armv7h
glibc, Version : 2.32-2
gcc, Version : 10.2.0-1
- strace
$ strace rdrview -M https://www.bbc.com/news/world-asia-china-55784231 2>> error_log.txt
- The compiled binary on arm:
$ file ./rdrview
./rdrview: ELF 32-bit LSB pie executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, BuildID[sha1]=b7438379398f311b185c1ba3a7ba9019f245321d, for GNU/Linux 3.2.0, not stripped
Hi,
Hi, first of all thanks for your work in this extremely usefull written in C for speed and promising tool.
I'm glad that you like it.
My issue is when I try to run in on Arm, also Arch Linux, armv7.
Thanks for the report. These problems are expected with seccomp from time to time, so it's good that I hear about it. Try running this:
strace -f rdrview -H 'https://github.com/eafer/rdrview' 2>&1 >/dev/null | grep EPERM
And send me the output. That should tell us which syscalls are getting blocked, so that I can add them to the whitelist.
...And send me the output
pulled the latest commits, compiled a fresh one, and here it is:
[pid 18413] fstat64(5, 0xbebd5b60) = -1 EPERM (Operation not permitted)
[pid 18413] fcntl64(4, F_GETFL) = -1 EPERM (Operation not permitted)
[pid 18413] fstat64(5, 0xbebd5b60) = -1 EPERM (Operation not permitted) [pid 18413] fcntl64(4, F_GETFL) = -1 EPERM (Operation not permitted)
Ok, I just pushed a patch that allows fstat64(). If this doesn't solve the problem, run the strace command I gave you before and send me the ouput again.
Still failing.
$ git show origin/master --no-patch
commit ecda324fd9aa1cba07b9a00ac10af0ab7e55c663
Author: Ernesto A. Fernández <[email protected]>
Date: Tue Jan 26 15:23:38 2021 -0300
Allow 64-bit version of fstat() syscall on Linux
...
$ strace -f rdrview -H 'https://github.com/eafer/rdrview' 2>&1 >/dev/null | grep EPERM
[pid 4158] mmap2(NULL, 153932, PROT_READ|PROT_WRITE, MAP_SHARED, 5, 0) = -1 EPERM (Operation not permitted)
[pid 4158] fcntl64(4, F_GETFL) = -1 EPERM (Operation not permitted)
[pid 4158] mmap2(NULL, 153932, PROT_READ|PROT_WRITE, MAP_SHARED, 5, 0) = -1 EPERM (Operation not permitted)
OK, I just pushed a patch to allow mmap2(). I tested it myself this time on a Raspberry Pi, so it should work, but let me know.
... so it should work
Yes it does. Tested on both Raspberry Pi and Chromebook (armv7). I dont have a Raspberry Pi 4 for testing armv8/aarch64.
Although I can't seem to use it with a browser
[parker@nintendoswitch rdrview-git]$ rdrview -B links 'https://github.com/eafer/rdrview'
rdrview: Operation not permitted
[parker@nintendoswitch rdrview-git]$ rdrview -B lynx 'https://github.com/eafer/rdrview'
rdrview: Operation not permitted
Gist of strace (See next message) ~~https://gist.github.com/1bf87765d716ce60b011dd1a633132cf~~
Forgot to do the follow-forks https://gist.github.com/2948087883f55cccd44164fb9745ffa0
9214 dup(1) = 4
9214 dup3(3, 1, 0) = -1 EPERM (Operation not permitted)
9214 dup(2) = 6
9214 fcntl(6, F_GETFL) = -1 EPERM (Operation not permitted)
9214 close(6) = 0
9214 write(2, "rdrview: Operation not permitted"..., 33) = 33
Although I can't seem to use it with a browser
It seems that your standard library implements dup2() using the dup3() syscall instead. I'm pushing a patch to allow dup3(), let me know if it's not enough.
Works great! Thanks.
Since I forgot to mention: That's Arch Linux ARM (aarch64)
I don't know if this is an issue worthy of it's own thread, but I was having a similar issue on x64 Arch Linux, so I ran the strace previously posted here and got the following errors
[pid 2026874] newfstatat(5, "", 0x7ffd80399170, AT_EMPTY_PATH) = -1 EPERM (Operation not permitted)
[pid 2026874] fcntl(4, F_GETFL) = -1 EPERM (Operation not permitted)
So I tried adding the following lines to my sandbox.c and it worked perfectly.
fail |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0);
fail |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl), 0);
[pid 2026874] newfstatat(5, "", 0x7ffd80399170, AT_EMPTY_PATH) = -1 EPERM (Operation not permitted)
Thank you for the report. It seems that your libc implements fstat() using a variation of fstatat(). I can't just allow fstatat() because it's called with a path, not with a file descriptor, so it's too dangerous. This is all very annoying: I think I will have to write my own wrapper...
[pid 2026874] newfstatat(5, "", 0x7ffd80399170, AT_EMPTY_PATH) = -1 EPERM (Operation not permitted)
Ok, I'm just moving the call to fstat() outside the sandbox. That doesn't carry any risk, and it should make all these problems go away. Please let me know if it works for you.
I'm facing the same issue (or at least seems like the same). But I'm on x86_64-linux (NixOS). only --disable-sandbox works
I'm facing the same issue (or at least seems like the same). But I'm on x86_64-linux (NixOS). only --disable-sandbox works
Can you run
strace -f rdrview -H 'https://github.com/eafer/rdrview' 2>&1 >/dev/null | grep EPERM
and send me the output?
@eafer
[pid 435094] newfstatat(5, "", 0x7ffc3cf6a770, AT_EMPTY_PATH) = -1 EPERM (Operation not permitted)
[pid 435094] fcntl(4, F_GETFL) = -1 EPERM (Operation not permitted)
PS: I'm using https://github.com/eafer/rdrview/commit/7be01fb36a6ab3311a9ad1c8c2c75bf5c1345d93
PS: I'm using 7be01fb
In that case, I think this issue has already been fixed. Try the current head.
@eafer tested with rev 444ce3d6efd8989cd6ecfdc0560071b20e622636 and the issue is no longer. I previously hadn't checked if Nix package was up to date, sorry about this.
@eafer tested with rev 444ce3d6efd8989cd6ecfdc0560071b20e622636 and the issue is no longer. I previously hadn't checked if Nix package was up to date, sorry about this.
No problem, I'm glad it works.