chromium: missing syscalls whitelist from seccomp

Bug #1890625 reported by Simon Déziel
This bug affects 3 people
Affects: chromium-browser (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Whenever I start chromium's snap, I get the following messages:

Aug 6 10:50:08 simon-lemur kernel: [10608.138795] audit: type=1326 audit(1596725407.998:159): auid=1000 uid=1000 gid=1000 ses=2 pid=32290 comm="chrome" exe="/snap/chromium/1244/usr/lib/chromium-browser/chrome" sig=0 arch=c000003e syscall=203 compat=0 ip=0x7f8f31df4b9f code=0x50000
...{repeats 3 times}...
Aug 6 10:50:08 simon-lemur org.gnome.Shell.desktop[3092]: WARNING: Kernel has no file descriptor comparison support: Operation not permitted
Aug 6 10:50:08 simon-lemur kernel: [10608.433753] audit: type=1326 audit(1596725408.290:163): auid=1000 uid=1000 gid=1000 ses=2 pid=32290 comm="ThreadPoolForeg" exe="/snap/chromium/1244/usr/lib/chromium-browser/chrome" sig=0 arch=c000003e syscall=312 compat=0 ip=0x7f8f2b614959 code=0x50000
...{repeats 4 times}...

According to https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl, it seems that syscall 203 is sys_sched_setaffinity and 312 is sys_kcmp. The blocking of sys_kcmp could probably explain the "WARNING: Kernel has no file descriptor comparison support: Operation not permitted" message from org.gnome.Shell.desktop.

Additional information

$ uname -a
Linux simon-lemur 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -rd
Description: Ubuntu 18.04.4 LTS
Release: 18.04

$ apt-cache policy snapd
snapd:
  Installed: 2.45.1+18.04.2
  Candidate: 2.45.1+18.04.2
  Version table:
 *** 2.45.1+18.04.2 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.32.5+18.04 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

$ snap info chromium
name: chromium
summary: Chromium web browser, open-source version of Chrome
publisher: Canonical✓
store-url: https://snapcraft.io/chromium
contact: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bugs?field.tag=snap
license: unset
description: |
  An open-source browser project that aims to build a safer, faster, and more stable way for all
  Internet users to experience the web.
commands:
  - chromium.chromedriver
  - chromium
snap-id: XKEcBqPM06H1Z7zGOdG5fbICuf8NWK5R
tracking: latest/stable
refresh-date: 7 days ago, at 11:45 EDT
channels:
  latest/stable: 84.0.4147.105 2020-07-30 (1244) 166MB -
  latest/candidate: 84.0.4147.105 2020-07-30 (1244) 166MB -
  latest/beta: 85.0.4183.49 2020-07-31 (1248) 167MB -
  latest/edge: 86.0.4221.3 2020-08-05 (1257) 167MB -
installed: 84.0.4147.105 (1244) 166MB -
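
The manual decoding done in the report (syscall number to name via syscall_64.tbl) can be automated. The following is an added example, not part of the original report or of snapd/chromium: a Python sketch that decodes audit type=1326 (SECCOMP) records into process, syscall name and seccomp action. The function names are hypothetical, the syscall table is a small subset, and the last sample line is constructed to show that syscall numbers must not be decoded with the wrong architecture's table.

```python
import re
from collections import Counter

AUDIT_ARCH_X86_64 = 0xC000003E  # EM_X86_64 | 64-bit | little-endian

# Subset of arch/x86/entry/syscalls/syscall_64.tbl; extend for real use.
X86_64_SYSCALLS = {0: "read", 1: "write", 59: "execve",
                   203: "sched_setaffinity", 257: "openat", 312: "kcmp"}

# Filter return actions from include/uapi/linux/seccomp.h.
SECCOMP_ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD",
                   0x00030000: "TRAP", 0x00050000: "ERRNO",
                   0x7FC00000: "USER_NOTIF", 0x7FF00000: "TRACE",
                   0x7FFC0000: "LOG", 0x7FFF0000: "ALLOW"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_record(line):
    """Decode one audit type=1326 (SECCOMP) line; None for anything else."""
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if f.get("type") != "1326" or not {"arch", "syscall", "code"} <= f.keys():
        return None
    try:
        arch, nr, code = int(f["arch"], 16), int(f["syscall"]), int(f["code"], 16)
    except ValueError:
        return None  # truncated or corrupted record
    # Syscall numbers are per-ABI: only use the x86_64 table for x86_64 records.
    name = X86_64_SYSCALLS.get(nr) if arch == AUDIT_ARCH_X86_64 else None
    return {"comm": f.get("comm", "?"),
            "syscall": name or f"nr{nr}@arch={arch:x}",
            "action": SECCOMP_ACTIONS.get(code & 0xFFFF0000, hex(code))}

def summarize(lines):
    """Count seccomp audit records per (comm, syscall, action)."""
    recs = filter(None, map(parse_seccomp_record, lines))
    return Counter((r["comm"], r["syscall"], r["action"]) for r in recs)

SAMPLE = [  # first three lines are from the report; the last one is constructed
    'Aug 6 10:50:08 simon-lemur kernel: [10608.138795] audit: type=1326 audit(1596725407.998:159): auid=1000 uid=1000 gid=1000 ses=2 pid=32290 comm="chrome" exe="/snap/chromium/1244/usr/lib/chromium-browser/chrome" sig=0 arch=c000003e syscall=203 compat=0 ip=0x7f8f31df4b9f code=0x50000',
    'Aug 6 10:50:08 simon-lemur org.gnome.Shell.desktop[3092]: WARNING: Kernel has no file descriptor comparison support: Operation not permitted',
    'Aug 6 10:50:08 simon-lemur kernel: [10608.433753] audit: type=1326 audit(1596725408.290:163): auid=1000 uid=1000 gid=1000 ses=2 pid=32290 comm="ThreadPoolForeg" exe="/snap/chromium/1244/usr/lib/chromium-browser/chrome" sig=0 arch=c000003e syscall=312 compat=0 ip=0x7f8f2b614959 code=0x50000',
    'kernel: audit: type=1326 audit(0.0:1): pid=1 comm="demo" exe="/bin/demo" sig=0 arch=40000003 syscall=203 compat=1 ip=0x0 code=0x50000',
]

if __name__ == "__main__":
    for (comm, syscall, action), n in summarize(SAMPLE).items():
        print(f"{n}x {comm}: {syscall} -> {action}")
```

Run over real kernel or audit log lines instead of SAMPLE, this gives a per-process list of denied syscalls to compare against the snap's seccomp profile.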

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in chromium-browser (Ubuntu):
status: New → Confirmed