Bug
Resolution: Unresolved
Major
rhel-9.6
rhel-kernel-security
What were you trying to do that didn't work?
Run a Fedora Rawhide container on RHEL 9 host. Inside the container, run xz. It will fail with an error like:
/usr/bin/xz: Failed to enable the sandbox
What is the impact of this issue to you?
Affects Fedora containers as above.
Please provide the package NVR for which the bug is seen:
We think it affects kernel-5.14.0-596.el9.x86_64 and newer.
How reproducible is this bug?:
High, multiple reports.
Steps to reproduce
(probably you have to run these commands as root)
podman pull fedora:latest
podman run -it --security-opt=seccomp=unconfined --cap-add SYS_PTRACE fedora:latest /bin/bash
In the Fedora container:
dnf install xz less strace
touch tmp/test
xz tmp/test
The final xz command will fail with:
xz: Failed to enable the sandbox
You can add strace in front of the command to see what's really going on.
Related links
Fedora bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2407105
Upstream bug:
https://github.com/tukaani-project/xz/issues/199
We believe this may be happening because this commit is missing:
commit 54a6e6bbf3bef25c8eb65619edde70af49bd3db0
Author: Tahera Fahimi <fahimitahera@gmail.com>
Date: Fri Sep 6 15:30:03 2024 -0600

    landlock: Add signal scoping
is duplicated by: RHEL-129508 flatpak install problem with kernel 5.14.0-611.5.1.el9_7 (Closed)
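A small probe for the hypothesis in the report, as an added example that is not part of the original ticket or of xz: it asks the running kernel for its Landlock ABI version and then tests each scope flag on its own, so a kernel that advertises ABI 6 but rejects signal scoping shows up directly. The constants mirror the upstream Landlock UAPI and are defined locally (assumption: the build host's headers may predate them); the helper names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444   /* same number on all architectures */
#endif
/* Local copies of upstream UAPI values, so this builds against older headers. */
#define LL_CREATE_RULESET_VERSION     (1U << 0)
#define LL_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
#define LL_SCOPE_SIGNAL               (1ULL << 1)

struct ll_ruleset_attr {                  /* layout of landlock_ruleset_attr at ABI 6 */
    uint64_t handled_access_fs;
    uint64_t handled_access_net;
    uint64_t scoped;
};

/* ABI version the kernel advertises, or -1 when Landlock is unavailable. */
static int landlock_abi(void) {
    return (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
}

/* 1 if the kernel accepts a ruleset using this scope bit, else 0 (errno is kept). */
static int scope_accepted(uint64_t scope) {
    struct ll_ruleset_attr attr = { .scoped = scope };
    int fd = (int)syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (fd < 0)
        return 0;
    close(fd);                            /* the ruleset is never enforced */
    return 1;
}

/* Upstream, ABI 6 introduced both scope bits; advertising 6 without them is a mismatch. */
static int abi_mismatch(int abi, int unix_ok, int signal_ok) {
    return abi >= 6 && !(unix_ok && signal_ok);
}

int main(void) {
    int abi = landlock_abi();
    int unix_ok = scope_accepted(LL_SCOPE_ABSTRACT_UNIX_SOCKET);
    int signal_ok = scope_accepted(LL_SCOPE_SIGNAL);
    printf("abi=%d unix_scope=%d signal_scope=%d mismatch=%d\n",
           abi, unix_ok, signal_ok, abi_mismatch(abi, unix_ok, signal_ok));
    return 0;
}
```

Run it on the host or inside the container (both see the host kernel); `mismatch=1` means the kernel reports ABI 6 or later while refusing at least one of the scope flags.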