Add final workaround for "Failed to enable the sandbox" (RHEL-125143)

(cherry picked from commit 4dbfb6665e)

0001-Landlock-Cache-the-ABI-version.patch

@@ -0,0 +1,46 @@
+From ee75c76958dd891906745125590563ab64e85995 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Sun, 23 Nov 2025 20:13:37 +0200
+Subject: [PATCH 1/4] Landlock: Cache the ABI version
+
+In xz it can avoid up to two syscalls that query the ABI version.
+---
+ src/common/my_landlock.h | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/common/my_landlock.h b/src/common/my_landlock.h
+index e135d08c..379d7bd4 100644
+--- a/src/common/my_landlock.h
++++ b/src/common/my_landlock.h
+@@ -4,6 +4,10 @@
+ //
+ /// \file       my_landlock.h
+ /// \brief      Linux Landlock sandbox helper functions
++///
++/// \note       This uses static variables to cache the Landlock ABI version.
++///             Only one file in an application should include this header.
++///             Only one thread should call these functions.
+ //
+ //  Author:     Lasse Collin
+ //
+@@ -32,8 +36,16 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr)
+ {
+ 	memzero(attr, sizeof(*attr));
+ 
+-	const int abi_version = syscall(SYS_landlock_create_ruleset,
++	// Cache the Landlock ABI version:
++	//  0 = not checked yet
++	// -1 = Landlock not supported
++	// >0 = Landlock ABI version
++	static int abi_version = 0;
++
++	if (abi_version == 0)
++		abi_version = syscall(SYS_landlock_create_ruleset,
+ 			(void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
++
+ 	if (abi_version <= 0)
+ 		return -1;
+ 
+-- 
+2.51.1
+

0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch

@@ -0,0 +1,87 @@
+From 2b2652e914b1c38d4c009a8dcac11dfee9c7e008 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Sun, 23 Nov 2025 20:13:49 +0200
+Subject: [PATCH 2/4] Landlock: Workaround a bug in RHEL 9 kernel
+
+If one runs xz 5.8.0 or 5.8.1 from some other distribution in a container
+on RHEL 9, xz will fail with the message "Failed to enable the sandbox".
+
+RHEL 9 kernel since 5.14.0-603.el9 (2025-07-30) claims to support
+Landlock ABI version 6, but it lacks support for LANDLOCK_SCOPE_SIGNAL.
+The issue is still present in 5.14.0-643.el9 (2025-11-22). Red Hat is
+aware of the issue, but I don't know when it will be fixed.
+
+The sandbox is meant to be transparent to users, thus there isn't and
+won't be a command line option to disable it. Instead, add a workaround
+to keep xz working on the buggy RHEL 9 kernels.
+
+Reported-by: Richard W.M. Jones
+Thanks-to: Pavel Raiskup
+Tested-by: Orgad Shaneh
+Tested-by: Richard W.M. Jones
+Fixes: https://github.com/tukaani-project/xz/issues/199
+Link: https://issues.redhat.com/browse/RHEL-125143
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2407105
+Link: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/65BDSY56R5ZJRTUC4B6CIVCVLY4LG4ME/
+---
+ src/common/my_landlock.h | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/common/my_landlock.h b/src/common/my_landlock.h
+index 379d7bd4..0f8e04e0 100644
+--- a/src/common/my_landlock.h
++++ b/src/common/my_landlock.h
+@@ -21,6 +21,7 @@
+ #include <linux/landlock.h>
+ #include <sys/syscall.h>
+ #include <sys/prctl.h>
++#include <sys/utsname.h>
+ 
+ 
+ /// \brief      Initialize Landlock ruleset attributes to forbid everything
+@@ -42,10 +43,28 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr)
+ 	// >0 = Landlock ABI version
+ 	static int abi_version = 0;
+ 
+-	if (abi_version == 0)
++	// Red Hat Enterprise Linux 9 kernel since 5.14.0-603.el9 (2025-07-30)
++	// claims ABI version 6 support, but as of 5.14.0-643.el9 (2025-11-22)
++	// it lacks LANDLOCK_SCOPE_SIGNAL. ABI version 6 was added in upstream
++	// Linux 6.12 while RHEL 9 has Linux 5.14 with lots of backports.
++	// We assume that any kernel version 5.14 with ABI version 6 is buggy.
++	static bool is_rhel9 = false;
++
++	if (abi_version == 0) {
+ 		abi_version = syscall(SYS_landlock_create_ruleset,
+ 			(void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+ 
++		if (abi_version == 6) {
++			static const char rel[] = "5.14.";
++			const size_t rel_len = sizeof(rel) - 1;
++
++			struct utsname un;
++			if (uname(&un) == 0 && strncmp(
++					un.release, rel, rel_len) == 0)
++				is_rhel9 = true;
++		}
++	}
++
+ 	if (abi_version <= 0)
+ 		return -1;
+ 
+@@ -121,6 +140,12 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr)
+ #endif
+ 		FALLTHROUGH;
+ 
++	case 6:
++		if (is_rhel9)
++			attr->scoped &= ~LANDLOCK_SCOPE_SIGNAL;
++
++		FALLTHROUGH;
++
+ 	default:
+ 		// We only know about the features of the ABIs 1-6.
+ 		break;
+-- 
+2.51.1
+

0004-Landlock-Add-missing-ifdefs.patch

@@ -0,0 +1,59 @@
+From 8bb516887c1912106a72db96216cab46954e6190 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Sun, 23 Nov 2025 20:39:28 +0200
+Subject: [PATCH 4/4] Landlock: Add missing #ifdefs
+
+The build was broken on distros that have an old <sys/landlock.h>.
+
+Fixes: 2b2652e914b1 ("Landlock: Workaround a bug in RHEL 9 kernel")
+---
+ src/common/my_landlock.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/common/my_landlock.h b/src/common/my_landlock.h
+index 0f8e04e0..5f761695 100644
+--- a/src/common/my_landlock.h
++++ b/src/common/my_landlock.h
+@@ -43,17 +43,20 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr)
+ 	// >0 = Landlock ABI version
+ 	static int abi_version = 0;
+ 
++#ifdef LANDLOCK_SCOPE_SIGNAL
+ 	// Red Hat Enterprise Linux 9 kernel since 5.14.0-603.el9 (2025-07-30)
+ 	// claims ABI version 6 support, but as of 5.14.0-643.el9 (2025-11-22)
+ 	// it lacks LANDLOCK_SCOPE_SIGNAL. ABI version 6 was added in upstream
+ 	// Linux 6.12 while RHEL 9 has Linux 5.14 with lots of backports.
+ 	// We assume that any kernel version 5.14 with ABI version 6 is buggy.
+ 	static bool is_rhel9 = false;
++#endif
+ 
+ 	if (abi_version == 0) {
+ 		abi_version = syscall(SYS_landlock_create_ruleset,
+ 			(void *)NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+ 
++#ifdef LANDLOCK_SCOPE_SIGNAL
+ 		if (abi_version == 6) {
+ 			static const char rel[] = "5.14.";
+ 			const size_t rel_len = sizeof(rel) - 1;
+@@ -63,6 +66,7 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr)
+ 					un.release, rel, rel_len) == 0)
+ 				is_rhel9 = true;
+ 		}
++#endif
+ 	}
+ 
+ 	if (abi_version <= 0)
+@@ -141,8 +145,10 @@ my_landlock_ruleset_attr_forbid_all(struct landlock_ruleset_attr *attr)
+ 		FALLTHROUGH;
+ 
+ 	case 6:
++#ifdef LANDLOCK_SCOPE_SIGNAL
+ 		if (is_rhel9)
+ 			attr->scoped &= ~LANDLOCK_SCOPE_SIGNAL;
++#endif
+ 
+ 		FALLTHROUGH;
+ 
+-- 
+2.51.1
+

gating.yaml

@@ -1,7 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpmdeplint.functional}

xz.spec

@@ -5,13 +5,13 @@ Summary:	LZMA compression utilities
 Name:		xz
 Epoch:		1
 Version:	5.8.1
-Release:	1%{?dist}
+Release:	4%{?dist}
 
 # liblzma - 0BSD
 # xz{,dec}, lzma{dec,info} - 0BSD
 #    - getopt_long - LGPL-2.1-or-later - not built in Fedora
 # xz{grep,diff,less,more} - GPL-2.0-or-later
-# docs - BSD0 AND LicenseRef-Fedora-Public-Domain
+# docs - BSD0 AND LicenseRef-Fedora-Public-Domain
 # man pages and translations - 0BSD AND LicenseRef-Fedora-Public-Domain
 # See: https://gitlab.com/fedora/legal/fedora-license-data/-/issues/547
 License:	0BSD AND GPL-2.0-or-later AND LicenseRef-Fedora-Public-Domain
@@ -24,6 +24,14 @@ Source2:	https://tukaani.org/misc/lasse_collin_pubkey.txt
 Source100:	colorxzgrep.sh
 Source101:	colorxzgrep.csh
 
+# https://github.com/tukaani-project/xz/issues/199
+# https://issues.redhat.com/browse/RHEL-125143
+# Upstream in > 5.8.1
+Patch:          0001-Landlock-Cache-the-ABI-version.patch
+Patch:          0002-Landlock-Workaround-a-bug-in-RHEL-9-kernel.patch
+#Patch:          0003-Update-THANKS.patch
+Patch:          0004-Landlock-Add-missing-ifdefs.patch
+
 URL:		https://tukaani.org/%{name}/
 Requires:	%{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 
@@ -180,6 +188,15 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 
 
 %changelog
+* Sun Nov 23 2025 Richard W.M. Jones <rjones@redhat.com> - 1:5.8.1-4
+- Add final workaround for "Failed to enable the sandbox" (RHEL-125143)
+
+* Sat Nov 22 2025 Richard W.M. Jones <rjones@redhat.com> - 1:5.8.1-3
+- Add workaround for "Failed to enable the sandbox" (RHEL-125143)
+
+* Thu Apr 24 2025 Adam Williamson <awilliam@redhat.com> - 1:5.8.1-2
+- Rebuild without changes to fix gating problem
+
 * Thu Apr 03 2025 Richard W.M. Jones <rjones@redhat.com> - 1:5.8.1-1
 - New upstream version 5.8.1
 - Fixes CVE-2025-31115 heap-use-after-free bug in threaded .xz decoder