32 bit applications on 64 bit system fail due to seccomp
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snapcraft | Fix Released | Wishlist | Kyle Fazzari |
Snappy | Invalid | Undecided | Unassigned |
snap-confine | Fix Released | Wishlist | Jamie Strandboge |
Bug Description
[Impact]
Snaps currently can't leverage compatibility architectures such as 32 bit binaries on a 64 bit system (e.g., shipping 32 bit wine applications to amd64 systems or 32 bit skype on amd64) or when using 64 bit kernels with a 32 bit userspace.
[Test Case]
1. On an amd64 system, download the attached snap
2. sudo snap install --dangerous ./snap-
3. test 64bit binary works (i.e., the normal case):
$ snap-ls.ls64 --version
ls (GNU coreutils) 8.25
...
4. test 32bit binary works (this bug):
$ snap-ls.ls32 --version
ls (GNU coreutils) 8.25
...
With an unpatched snap-confine, you see this instead:
$ snap-ls.ls32 --version
Bad system call
with a seccomp denial in /var/log/syslog:
audit: type=1326 audit(147881461
(note 'syscall=45 compat=1')
[Regression Potential]
Regression potential is considered low since we are only adding to the architectures for systems that support the compatibility architectures. snap-confine and snapd also have extensive testsuites.
= Original description =
Someone trying to snap a 32 bit application and run it on amd64 had the following seccomp denial:
auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=26210 comm="wine" exe="/snap/
What is happening is that the seccomp policy loaded into the kernel is for x86_64, not x86, but the 32 bit app is using the 32 bit syscall table. I need to verify with upstream seccomp, but AIUI, fixing this requires kernel work.
WORKAROUND: install the snap with --devmode
WORKAROUND #2: install 64bit snaps on 64 bit systems and 32 bit snaps on 32 bit systems
Due to the initial intended purpose and design of seccomp, the kernel doesn't do remapping of syscalls in the manner needed, but it might be possible to run a 32 bit launcher on a 64 bit system to launch a 64 bit application. Preliminary testing shows this does not work, but more investigation is needed. It may be that we need to simply say that for the foreseeable future snaps need to ship binaries for the specified architecture and not a personality of the architecture.
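An added triage helper (not part of the bug report or of snap-confine) that shows the mix-up behind this denial: a type=1326 (AUDIT_SECCOMP) record reports the syscall number in the ABI of the calling process, so `syscall=45 compat=1` must be resolved against the i386 table (brk), not the x86_64 table (recvfrom). The syscall tables are partial and the two log lines are constructed, modelled on the line in the report; the `arch=`-less fallback assumes an x86 host.

```python
import re

# Constructed, partial syscall tables (not complete): the same number is
# brk on i386 but recvfrom on x86_64, which is why a filter built for the
# wrong arch denies a harmless 32-bit call.
SYSCALLS = {
    "x86_64": {9: "mmap", 12: "brk", 45: "recvfrom", 231: "exit_group"},
    "i386": {45: "brk", 90: "mmap", 192: "mmap2", 252: "exit_group"},
}
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386"}  # audit arch= values
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_record(line):
    """Split 'key=value' pairs of an audit line into a dict (quotes removed)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def explain_seccomp_denial(line):
    """Decode a type=1326 (AUDIT_SECCOMP) record; None for other types.

    compat=1 means a 32-bit process on a 64-bit kernel, so the syscall
    number must be resolved against the i386 table, not the x86_64 one.
    """
    rec = parse_audit_record(line)
    if rec.get("type") != "1326":
        return None
    compat = rec.get("compat") == "1"
    if "arch" in rec:
        abi = AUDIT_ARCH.get(int(rec["arch"], 16), "unknown")
    else:  # older records carry no arch=; assume an x86 host (assumption)
        abi = "i386" if compat else "x86_64"
    nr = int(rec["syscall"])
    return {
        "comm": rec.get("comm"), "pid": int(rec["pid"]),
        "compat": compat, "abi": abi, "syscall": nr,
        "name": SYSCALLS.get(abi, {}).get(nr, "unknown"),
        "killed": rec.get("sig") == "31",  # 31 == SIGSYS on x86
    }

# Constructed sample records modelled on the bug's log line (not the original).
SAMPLE_32BIT = ('audit: type=1326 audit(1478814610.000:1): auid=4294967295 '
                'uid=1000 gid=1000 ses=4294967295 pid=26210 comm="wine" '
                'exe="/snap/example/1/wine" sig=31 arch=40000003 syscall=45 '
                'compat=1 ip=0xf7fd4a59 code=0x0')
SAMPLE_64BIT = ('audit: type=1326 audit(1478814611.000:2): auid=4294967295 '
                'uid=1000 gid=1000 ses=4294967295 pid=26211 comm="ls" '
                'exe="/snap/example/1/ls" sig=31 arch=c000003e syscall=45 '
                'compat=0 ip=0x7f1234 code=0x0')
```

Running `explain_seccomp_denial` over both samples shows the same number 45 decoding to brk for the compat (i386) process and to recvfrom for the native one.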
tags: added: snapd-interface
Changed in snappy:
  importance: Undecided → Wishlist
description: updated
Changed in snappy:
  assignee: nobody → Jamie Strandboge (jdstrand)
  status: Confirmed → In Progress
Changed in snap-confine:
  status: In Progress → Fix Committed
Changed in snap-confine:
  milestone: none → 1.0.45
Changed in snapcraft:
  status: New → Fix Committed
  importance: Undecided → Medium
  assignee: nobody → Kyle Fazzari (kyrofa)
  milestone: none → 2.26
  importance: Medium → Wishlist
Changed in snapcraft:
  status: Fix Committed → Fix Released
Would this mean that we could let packages with arch:i386 install in arch:amd64?