libseccomp fix - s390: handle multiplexed syscalls correctly

Bug #1679691 reported by bugproxy
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu on IBM z Systems | Fix Released | Medium | Canonical Server | |
| libseccomp (Ubuntu) | Invalid | Undecided | Dimitri John Ledkov | |
| Xenial | Fix Released | Medium | Unassigned | |
| Artful | Invalid | Undecided | Unassigned | |

Bug Description

Xenial includes version 2.2.3 of seccomp.
With Yakkety, version 2.3.1 is available and fixes this problem.

Even though Docker is working on a SNAP solution, please provide the fix for 16.04.

With the following patches, this can be applied to 2.2.3 in support of the 16.04 LTS Release
16.04....

Here are the upstream git commits for the patches:

0001-arch-fix-a-problem-with-the-rule-rewrites-in-_seccom.patch
1d63fad4a064b80e0b921b16ed419f3342337ed4

0001-all-block-negative-syscall-numbers-from-the-filter.patch
51c46f80c1edee863bbc4eb21b03decc44e69a45

0001-api-limit-errno-values-to-MAX_ERRNO.patch
0d287caf43792239b107ee3215b32b8bc901f9c3

0001-db-fix-a-minor-style-problem.patch
61c28579a984a6c4bd87ec585dc6d5cd4cc0e702

0001-db-make-the-individual-db-filter-ops-private.patch
a4478ddcd4e3b34fcd9c526dcf54f0d79b33ac16

0001-db-store-the-rules-used-to-build-the-filter.patch
f16f405f61ecdbad202257b61004b85fce64d75c

0001-arch-make-use-of-function-tables-instead-of-switch-s.patch
57df79c166b26d5044e7e27099e6e69671e727dd

0001-db-introduce-transaction-support.patch
9be1538a4ac0e45047a3f1b79691505c3d11ca31

0001-arch-move-the-low-level-filter-rule-addition-code-in.patch
996e445a74823c735757413fda809e1ed0afc7d4

0001-arch-enable-more-involved-arch-ABI-specific-rule-cre.patch
5b42b8cfa25506fa260c8f46b4a063b5cfd09d1c

0001-arch-basic-support-for-multiplexed-and-direct-socket.patch
d32c3bfa4b07add90dcd04292eb4ba278dd103ba

0001-arch-generate-both-multiplexed-and-direct-socket-sys.patch
983835f3e0fd000a42c8beaea9d7fbe726ffff65

0001-tests-add-a-test-for-the-different-types-of-socket-s.patch
099f4214ce4fe5f53cf0f59e96b71bf4d54a8cd6

0001-api-add-a-seccomp_version-API-call.patch
58a7c20d4c2defc1c984c5c7391ecc60093f85fa

0001-tests-create-a-simple-live-test-to-verify-we-can-set.patch
8ed78c3859f476d302995b43d6739f3341f5b37d

0001-s390-handle-multiplexed-syscalls-correctly.patch
47516603828396f85107ea3e2a254958c2bc3ff5

0001-arch-fix-the-multiplexed-ipc-syscalls.patch
3a89bd144885f54aff86f2e275859a1483992edd

With the following additional commit, all tests pass with "make check":

0001-tests-remove-fuzzing-from-28-sim-arch_x86.tests.patch
0d8504bc192e0989494df06efc4b186a9f02e20a

bugproxy (bugproxy) wrote : Fix for "s390: handle multiplexed syscalls correctly"

Default Comment by Bridge

tags: added: architecture-s39064 bugnameltc-152352 severity-high targetmilestone-inin1604
bugproxy (bugproxy) wrote : make_check.log

------- Comment on attachment From <email address hidden> 2017-04-04 08:52 EDT-------

 "make check" output of libseccomp with required patches

Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → libseccomp (Ubuntu)
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
assignee: nobody → Canonical Server Team (canonical-server)
tags: added: s390x
Changed in ubuntu-z-systems:
importance: Undecided → Medium
Changed in libseccomp (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Dimitri John Ledkov (xnox)
milestone: none → ubuntu-17.04
bugproxy (bugproxy) wrote : Fix for "s390: handle multiplexed syscalls correctly"

Default Comment by Bridge

Changed in libseccomp (Ubuntu):
status: New → Confirmed
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Confirmed
bugproxy (bugproxy)
tags: added: targetmilestone-inin16041
removed: targetmilestone-inin1604
Frank Heimes (fheimes) wrote :

Patch is only required for the Xenial libseccomp package.

Dimitri John Ledkov (xnox) wrote :

0001-s390-handle-multiplexed-syscalls-correctly.patch
47516603828396f85107ea3e2a254958c2bc3ff5
-> this one is actually 66282c31034e2bb442bd9dc862d6d814f0df2f98 upstream

0001-arch-fix-the-multiplexed-ipc-syscalls.patch
3a89bd144885f54aff86f2e275859a1483992edd
-> this one is actually a58deebd1ee7bedc47bb966ebeec699421e40c65 upstream

Given the size of the backport, I will look into backporting libseccomp 2.3.1 as a whole. Let me investigate whether that will be feasible or not.

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2017-04-21 08:31 EDT-------
@Xnox: Can you please provide an update regarding your evaluation. Many thx in advance

Dimitri John Ledkov (xnox) wrote :

Hi,

This is in progress. Instead of cherry-picking individual patches, I am personally in favor of an outright backport of libseccomp to stable releases, under the banner of hardware enablement to support HWE kernels.

I have started this effort at https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1682102 but I need a response from the SRU team on whether they will accept that or not. I don't have an ETA right now; currently, that team is busy with post-release tasks and archive opening for the new series.

Regards,

Dimitri.

Changed in libseccomp (Ubuntu Artful):
status: New → Invalid
no longer affects: libseccomp (Ubuntu Zesty)
no longer affects: libseccomp (Ubuntu Yakkety)
Changed in libseccomp (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Medium
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Confirmed → Triaged
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2017-08-30 07:07 EDT-------
@xnox: any updates here ??

Dimitri John Ledkov (xnox) wrote :

This bug was fixed in the package libseccomp - 2.3.1-2.1ubuntu2~16.04.1

---------------
libseccomp (2.3.1-2.1ubuntu2~16.04.1) xenial; urgency=medium

  * Backport libseccomp 2.3.1 to xenial LP: #1682102
    - Improved s390x support
    - Improved support for v4.5+ kernels

 -- Dimitri John Ledkov <email address hidden> Fri, 06 Oct 2017 14:47:39 +0100

Changed in libseccomp (Ubuntu Xenial):
status: Triaged → Fix Released
Changed in ubuntu-z-systems:
status: Triaged → Fix Released
Dimitri John Ledkov (xnox) wrote :

This update got released yesterday; it should be available from all mirrors soon.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-01-08 05:50 EDT-------
IBM Bugzilla status -> closed, Fix Released within Xenial
