seccomp-bpf missing on ARM in precise

Bug #1183616 reported by Kees Cook
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Triaged
Medium
Unassigned
Precise
Fix Released
Medium
Unassigned

Bug Description

While seccomp-bpf was backported into precise, it was only for x86. Now that the ARM support is upstream too, it would be great to have the same level of support on ARM in the LTS kernel.

I'll prepare patches.

[Impact]
ARM devices lack seccomp-bpf protections when running seccomp-aware applications (e.g. Chrome)

[Test Case]
git clone https://github.com/redpig/seccomp.git
cd seccomp/tests
make
./seccomp_bpf_tests
All tests should pass

[Regression Potential]
Low: ARM currently has no seccomp-bpf support, so this is very unlikely to cause regressions. The changes that are common between x86 and ARM bring Precise closer to upstream seccomp-bpf, so this is similarly unlike to cause regressions (as this code is more correct than what is currently in Precise). Changes have been minimized, and tested.

Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1183616

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Precise):
status: New → Incomplete
tags: added: precise
Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in linux (Ubuntu Precise):
importance: Undecided → Medium
tags: added: kernel-da-key kernel-stable-key
tags: added: bot-stop-nagging
Changed in linux (Ubuntu):
status: Incomplete → Triaged
Changed in linux (Ubuntu Precise):
status: Incomplete → Triaged
Kees Cook (kees)
description: updated
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
Revision history for this message
Paolo Pisati (p-pisati) wrote :
Download full text (4.9 KiB)

as i said on irc, this code ATM doesn't compile:

flag@flag-desktop:~/seccomp/tests$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.3 LTS
Release: 12.04
Codename: precise
flag@flag-desktop:~/seccomp/tests$ uname -a
Linux flag-desktop 3.2.0-1441-omap4 #60 SMP PREEMPT Fri Nov 15 15:16:44 UTC 2013 armv7l armv7l armv7l GNU/Linux

/usr/include/arm-linux-gnueabi/asm/unistd.h:
...
#if defined(__ARM_EABI__) && !defined(__KERNEL__)
#warning im here
#undef __NR_time
#undef __NR_umount
#undef __NR_stime
#undef __NR_alarm
#undef __NR_utime
#undef __NR_getrlimit
#undef __NR_select
#undef __NR_readdir
#undef __NR_mmap
#undef __NR_socketcall
#undef __NR_syscall
#undef __NR_ipc
#endif

the #warning is mine:

flag@flag-desktop:~/seccomp/tests$ gcc -dM -E seccomp_bpf_tests.c | grep EABI
#define __ARM_EABI__ 1

flag@flag-desktop:~/seccomp/tests$ make
cc seccomp_bpf_tests.c -o seccomp_bpf_tests
In file included from /usr/include/arm-linux-gnueabi/sys/syscall.h:25:0,
                 from /usr/include/syscall.h:1,
                 from seccomp_bpf_tests.c:22:
/usr/include/arm-linux-gnueabi/asm/unistd.h:428:2: warning: #warning im here [-Wcpp]
seccomp_bpf_tests.c: In function ‘ERRNO_one’:
seccomp_bpf_tests.c:310:3: error: ‘__NR_time’ undeclared (first use in this function)
seccomp_bpf_tests.c:310:3: note: each undeclared identifier is reported only once for each function it appears in
seccomp_bpf_tests.c:326:2: warning: passing argument 1 of ‘syscall’ makes integer from pointer without a cast [enabled by default]
/usr/include/unistd.h:1082:17: note: expected ‘long int’ but argument is of type ‘struct sock_filter *’
seccomp_bpf_tests.c:326:2: warning: passing argument 1 of ‘syscall’ makes integer from pointer without a cast [enabled by default]
/usr/include/unistd.h:1082:17: note: expected ‘long int’ but argument is of type ‘struct sock_filter *’
seccomp_bpf_tests.c: In function ‘ERRNO_one_ok’:
seccomp_bpf_tests.c:339:3: error: ‘__NR_time’ undeclared (first use in this function)
seccomp_bpf_tests.c:339:3: warning: initialization makes integer from pointer without a cast [enabled by default]
seccomp_bpf_tests.c:339:3: warning: (near initialization for ‘filter[1].k’) [enabled by default]
seccomp_bpf_tests.c:358:3: warning: passing argument 1 of ‘syscall’ makes integer from pointer without a cast [enabled by default]
/usr/include/unistd.h:1082:17: note: expected ‘long int’ but argument is of type ‘struct sock_filter *’
seccomp_bpf_tests.c:358:3: warning: passing argument 1 of ‘syscall’ makes integer from pointer without a cast [enabled by default]
/usr/include/unistd.h:1082:17: note: expected ‘long int’ but argument is of type ‘struct sock_filter *’
seccomp_bpf_tests.c: In function ‘TRAP_setup’:
seccomp_bpf_tests.c:375:3: error: ‘__NR_time’ undeclared (first use in this function)
seccomp_bpf_tests.c:375:3: warning: initialization makes integer from pointer without a cast [enabled by default]
seccomp_bpf_tests.c:375:3: warning: (near initialization for ‘filter[3].k’) [enabled by default]
seccomp_bpf_tests.c: In function ‘TRAP_dfl’:
seccomp_bpf_tests.c:398:10: error: ‘__NR_time’ undeclared (first use i...

Read more...

Revision history for this message
Kees Cook (kees) wrote :

My testing was with a Debian userspace. I don't have a functional Ubuntu ARM environment. I can boot rebuilt kernels in KVM.

Can you just adjust the header file to get it compiled? I have no idea why __NR_time is stripped out like that. It's a valid syscall.

Revision history for this message
Paolo Pisati (p-pisati) wrote :

flag@flag-desktop:~/seccomp/tests$ ./seccomp_bpf_tests
[==========] Running 31 tests from 1 test cases.
[ RUN ] global.mode_strict_support
[ OK ] global.mode_strict_support
[ RUN ] global.mode_strict_cannot_call_prctl
[ OK ] global.mode_strict_cannot_call_prctl
[ RUN ] global.no_new_privs_support
[ OK ] global.no_new_privs_support
[ RUN ] global.mode_filter_support
[ OK ] global.mode_filter_support
[ RUN ] global.mode_filter_without_nnp
[ OK ] global.mode_filter_without_nnp
[ RUN ] global.mode_filter_cannot_move_to_strict
[ OK ] global.mode_filter_cannot_move_to_strict
[ RUN ] global.ALLOW_all
[ OK ] global.ALLOW_all
[ RUN ] global.empty_prog
[ OK ] global.empty_prog
[ RUN ] global.unknown_ret_is_kill_inside
[ OK ] global.unknown_ret_is_kill_inside
[ RUN ] global.unknown_ret_is_kill_above_allow
[ OK ] global.unknown_ret_is_kill_above_allow
[ RUN ] global.KILL_all
[ OK ] global.KILL_all
[ RUN ] global.KILL_one
[ OK ] global.KILL_one
[ RUN ] global.KILL_one_arg_one
[ OK ] global.KILL_one_arg_one
[ RUN ] global.KILL_one_arg_six
[ OK ] global.KILL_one_arg_six
[ RUN ] global.arg_out_of_range
[ OK ] global.arg_out_of_range
[ RUN ] global.ERRNO_one
[ OK ] global.ERRNO_one
[ RUN ] global.ERRNO_one_ok
[ OK ] global.ERRNO_one_ok
[ RUN ] TRAP.dfl
[ OK ] TRAP.dfl
[ RUN ] TRAP.ign
[ OK ] TRAP.ign
[ RUN ] TRAP.handler
[ OK ] TRAP.handler
[ RUN ] TRAP.handler
[ OK ] TRAP.handler
[ RUN ] precedence.allow_ok
[ OK ] precedence.allow_ok
[ RUN ] precedence.kill_is_highest
[ OK ] precedence.kill_is_highest
[ RUN ] precedence.kill_is_highest_in_any_order
[ OK ] precedence.kill_is_highest_in_any_order
[ RUN ] precedence.trap_is_second
[ OK ] precedence.trap_is_second
[ RUN ] precedence.trap_is_second_in_any_order
[ OK ] precedence.trap_is_second_in_any_order
[ RUN ] precedence.errno_is_third
[ OK ] precedence.errno_is_third
[ RUN ] precedence.errno_is_third_in_any_order
[ OK ] precedence.errno_is_third_in_any_order
[ RUN ] precedence.trace_is_fourth
[ OK ] precedence.trace_is_fourth
[ RUN ] precedence.trace_is_fourth_in_any_order
[ OK ] precedence.trace_is_fourth_in_any_order
[ RUN ] TRACE.read_has_side_effects
[ OK ] TRACE.read_has_side_effects
[ RUN ] TRACE.getpid_runs_normally
[ OK ] TRACE.getpid_runs_normally
[==========] 31 / 31 tests passed.
[ PASSED ]
flag@flag-desktop:~/seccomp/tests$

flag@flag-desktop:~/seccomp/tests$ uname -a
Linux flag-desktop 3.2.0-1441-omap4 #60 SMP PREEMPT Fri Nov 15 15:16:44 UTC 2013 armv7l armv7l armv7l GNU/Linux
flag@flag-desktop:~/seccomp/tests$

tags: added: verification-done-precise
removed: verification-needed-precise
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (12.2 KiB)

This bug was fixed in the package linux - 3.2.0-57.87

---------------
linux (3.2.0-57.87) precise; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #1250622

  [ Andy Whitcroft ]

  * tools -- upgrade to common generic helper
    - LP: #1205284

  [ Kees Cook ]

  * SAUCE: backport ARM seccomp-bpf support
    - LP: #1183616

  [ Luis Henriques ]

  * SAUCE: ACPI battery: fix compiler warning
    - LP: #1247154

  [ Tim Gardner ]

  * [Config] updateconfigs: CONFIG_HAVE_AOUT=n for arm

  [ Upstream Kernel Changes ]

  * Revert "sctp: fix call to SCTP_CMD_PROCESS_SACK in
    sctp_cmd_interpreter()"
    - LP: #1249089
  * xen/blkback: Check device permissions before allowing OP_DISCARD
    - LP: #1091187
    - CVE-2013-2140
  * zram: allow request end to coincide with disksize
    - LP: #1246664
  * ARM: 7373/1: add support for the generic syscall.h interface
    - LP: #1183616
  * ARM: 7577/1: arch/add syscall_get_arch
    - LP: #1183616
  * htb: fix sign extension bug
    - LP: #1249089
  * net: check net.core.somaxconn sysctl values
    - LP: #1249089
  * fib_trie: remove potential out of bound access
    - LP: #1249089
  * tcp: cubic: fix overflow error in bictcp_update()
    - LP: #1249089
  * tcp: cubic: fix bug in bictcp_acked()
    - LP: #1249089
  * ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not
    match
    - LP: #1249089
  * 8139cp: Add dma_mapping_error checking
    - LP: #1249089
  * tun: signedness bug in tun_get_user()
    - LP: #1249089
  * ipv6: remove max_addresses check from ipv6_create_tempaddr
    - LP: #1249089
  * ipv6: drop packets with multiple fragmentation headers
    - LP: #1249089
  * ipv6: Don't depend on per socket memory for neighbour discovery
    messages
    - LP: #1249089
  * net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for
    max_delay
    - LP: #1249089
  * ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO
    - LP: #1249089
  * tipc: fix lockdep warning during bearer initialization
    - LP: #1249089
  * HID: hidraw: put old deallocation mechanism in place
    - LP: #1249089
  * HID: hidraw: correctly deallocate memory on device disconnect
    - LP: #1249089
  * xen-gnt: prevent adding duplicate gnt callbacks
    - LP: #1249089
  * ath9k: always clear ps filter bit on new assoc
    - LP: #1249089
  * libceph: unregister request in __map_request failed and nofail == false
    - LP: #1249089
  * usb: config->desc.bLength may not exceed amount of data returned by the
    device
    - LP: #1249089
  * USB: cdc-wdm: fix race between interrupt handler and tasklet
    - LP: #1249089
  * powerpc: Handle unaligned ldbrx/stdbrx
    - LP: #1249089
  * intel-iommu: Fix leaks in pagetable freeing
    - LP: #1249089
  * ath9k: fix rx descriptor related race condition
    - LP: #1249089
  * ath9k: avoid accessing MRC registers on single-chain devices
    - LP: #1249089
  * ASoC: wm8960: Fix PLL register writes
    - LP: #1249089
  * rculist: list_first_or_null_rcu() should use list_entry_rcu()
    - LP: #1249089
  * USB: mos7720: use GFP_ATOMIC under spinlock
    - LP: #1249089
  * USB: mos7720: fix big-endian control requests
    - LP: #1249089
  * s...

Changed in linux (Ubuntu Precise):
status: Triaged → Fix Released
status: Triaged → Fix Released
Mathew Hodson (mhodson)
tags: removed: bot-stop-nagging
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.