crypto/rand: cgo compilation failure in seccomp_linux with older glibc

[dougm]

Go version

go1.24.x

Output of go env in your module/workspace:

AR='ar'
CC='x86_64-vmk-linux-gnu-gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='0'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='x86_64-vmk-linux-gnu-g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/.../.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/.../.config/go/env'
GOEXE=''
GOEXPERIMENT='boringcrypto'
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2454380300=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/.../gocode/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/.../gocode'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/.../sharedcompcache/cayman_golang/ob-24786139/linux64'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/.../.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/.../sharedcompcache/cayman_golang/ob-24786139/linux64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4 X:boringcrypto'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

Building a program with CGO_ENABLED=1 and glibc 2.17 , build system is bazel + rules_go.
Opened #75658 to fix.

I don't have a small / self-contained way to reproduce, but can work on providing one if needed.

Output below is from bazel + rules_go:

# Configuration: 401fe02c7ff71a55e232e0319046a651a93e13fbeeb2347c8d1824918d4d953a
# Execution platform: //:rbe_platform
# Runner: remote
ERROR: /build/mts/release/sb-89794686/build-bazel/2c834866d59c6ed267f6d69c0a35fa75/external/io_bazel_rules_go/BUILD.bazel:42:7: GoStdlib external/io_bazel_rules_go/stdlib_/pkg failed: (Exit 1): builder failed: error executing GoStdlib command (from target @@io_bazel_rules_go//:stdlib)
  (cd /build/mts/release/sb-89794686/build-bazel/2c834866d59c6ed267f6d69c0a35fa75/execroot/top && \
  exec env - \
    CC=external/cayman_esx_toolchain_gcc12/usr/bin/x86_64-vmk-linux-gnu-gcc \
    CGO_CFLAGS='-D_BSD_SOURCE -D_DEFAULT_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -D_SVID_SOURCE -D_XOPEN_SOURCE=600 -g -Os -DVMX86_BETA -DVMX86_DEBUG -std=gnu99 -ffunction-sections -fdata-sections -fPIC -pthread --sysroot=external/cayman_esx_glibc_2_17/sysroot -fwrapv -fno-strict-aliasing -funwind-tables -fasynchronous-unwind-tables -pipe -D_FORTIFY_SOURCE=2 -fstack-protector -fstack-protector-all -Wextra -Wimplicit-fallthrough -Werror -no-canonical-prefixes -fno-canonical-system-headers -Wno-unused-but-set-variable -Wno-pointer-sign -Wno-strict-prototypes -Wno-enum-compare -Wno-unknown-pragmas -Wno-format-overflow -Wno-maybe-uninitialized -Wno-unused-variable -Wno-unused-function -Wno-unused-parameter -Wno-ignored-qualifiers -Wno-shift-negative-value -Wno-unused-but-set-parameter -Wno-type-limits -Wno-old-style-declaration -Wno-sign-compare -Wno-missing-field-initializers -Wno-cast-function-type -Wno-empty-body' \
    CGO_ENABLED=1 \
    CGO_LDFLAGS='-pie -static-libgcc -Wl,--allow-shlib-undefined -Bexternal/cayman_llvm/lin64+glibc217+gcc12/usr/bin -Wl,--undefined=VMW_EMBED_LABEL -Wl,--disable-new-dtags -Wl,--build-id -Wl,--hash-style=gnu -Wl,-O2 -pie -pthread -Lexternal/cayman_esx_toolchain_gcc12/usr/lib/gcc/x86_64-vmk-linux-gnu/12.1.0 -Lexternal/cayman_esx_toolchain_gcc12/usr/x86_64-vmk-linux-gnu/lib64 --sysroot=external/cayman_esx_glibc_2_17/sysroot -Wl,-z,relro -Wl,-z,noexecstack -Wl,-z,now -Wl,-z,separate-code' \
    GOARCH=amd64 \
    GODEBUG='winsymlink=0' \
    GOEXPERIMENT=boringcrypto,nocoverageredesign \
    GOOS=linux \
    GOPATH='' \
    GOROOT=external/linux_amd64_go_sdk \
    GOROOT_FINAL=GOROOT \
    GOTOOLCHAIN=local \
    PATH=external/cayman_esx_toolchain_gcc12/usr/bin:/bin:/usr/bin \
  bazel-out/k8-opt-exec-ST-b286fc5bebce/bin/external/linux_amd64_go_sdk/builder_reset/builder stdlib -sdk external/linux_amd64_go_sdk -goroot external/linux_amd64_go_sdk -installsuffix linux_amd64 -out bazel-out/k8-opt-beta-ST-44ac1bd27845/bin/external/io_bazel_rules_go/stdlib_ -package std -package runtime/cgo -shared -gcflags '')
# Configuration: b6c510da2c7806097c4a44233118d63bef7924a43518a80546f7db39266393d4
# Execution platform: //:rbe_platform
# crypto/internal/sysrand/internal/seccomp
bazel-out/k8-opt-beta-ST-44ac1bd27845/bin/external/io_bazel_rules_go/stdlib_/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go: In function 'disable_getrandom':
bazel-out/k8-opt-beta-ST-44ac1bd27845/bin/external/io_bazel_rules_go/stdlib_/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go:58:45: error: 'SYS_getrandom' undeclared (first use in this function); did you mean 'SYS_getuid'?
   58 |         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getrandom, 0, 1),
      |                                             ^~~~~~~~~~~~~
bazel-out/k8-opt-beta-ST-44ac1bd27845/bin/external/io_bazel_rules_go/stdlib_/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go:39:69: note: in definition of macro 'BPF_JUMP'
   39 | #define BPF_JUMP(code, k, jt, jf) { (unsigned short)(code), jt, jf, k }
      |                                                                     ^
bazel-out/k8-opt-beta-ST-44ac1bd27845/bin/external/io_bazel_rules_go/stdlib_/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go:58:45: note: each undeclared identifier is reported only once for each function it appears in
   58 |         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getrandom, 0, 1),
      |                                             ^~~~~~~~~~~~~
bazel-out/k8-opt-beta-ST-44ac1bd27845/bin/external/io_bazel_rules_go/stdlib_/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go:39:69: note: in definition of macro 'BPF_JUMP'
   39 | #define BPF_JUMP(code, k, jt, jf) { (unsigned short)(code), jt, jf, k }
      |                                                                     ^
bazel-out/k8-opt-beta-ST-44ac1bd27845/bin/external/io_bazel_rules_go/stdlib_/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go:66:17: error: 'SYS_seccomp' undeclared (first use in this function); did you mean 'SYS_semop'?
   66 |     if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog)) {
      |                 ^~~~~~~~~~~
      |                 SYS_semop
stdlib: error running subcommand external/linux_amd64_go_sdk/bin/go: exit status 1

What did you see happen?

Compilation failed due to SYS_getrandom and SYS_seccomp not included in glibc 2.17

What did you expect to see?

Program should compile, as seccomp_linux.go is only used for Go's own tests.

[gabyhelp]

Related Issues

• cmd/go: gccgo and GOROOT not quite there yet #3246 (closed)
• Error on compiling go source with CGO_ENABLED=1 #22118 (closed)
• . #66828 (closed)
• cmd/go: build failure on a machine with gccgo installed after commit 38431f1044 #32060 (closed)
• cmd/cgo/internal/testtls: `signal arrived during external code execution` on Windows with clang 14.0.6 #64400
• some issues here ! #39105 (closed)
• cmd/cgo: after upgrade from 1.9.2 to 1.10, cgo compile fails with "invalid flag in #cgo LDFLAGS: -Wl,-z,relro" #24124 (closed)
• Bug #70776 (closed)
• runtime/cgo: Compilation Error #58320 (closed)
• bug #68989 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[ianlancetaylor]

I guess one question is: why is Bazel trying to build the crypto/internal/sysrand/internal/seccomp package? Does it just build every standard library package whether or not the package is needed?