seccomp missing many new syscalls
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Snappy | | Undecided | Unassigned | |
| 15.04 | | Undecided | Jamie Strandboge | |
| libseccomp (Ubuntu) | | High | Jamie Strandboge | |
| Trusty | | High | Tyler Hicks | |
| Vivid | | High | Jamie Strandboge | |
| Wily | | High | Jamie Strandboge | |
Bug Description
[Impact]
Several syscalls were discovered to be missing when using the launcher on snappy. These should be added so we may properly support seccomp filtering.
[Test Case]
seccomp itself has a comprehensive testsuite, and while a failure doesn't fail the build, regressions can be seen by looking at the build log, e.g.:
Regression Test Summary
tests run: 6494
tests skipped: 52
tests passed: 6494
tests failed: 0
tests errored: 0
Furthermore, on a snappy system, perform:
# Note, for the 14.04 SRU, you'll have to install snapd from trusty-proposed and reboot into the lts kernel that it installs
$ sudo snap install hello-world
$ hello-world.env
It should show the environment. On an arm system with 2.1.1-1 from the archive, this will fail due to a seccomp denial:
audit: type=1326 audit(143076610
(note, snappy images have a ppa fix for this, see notes below).
To test the segfault fix, do:
$ scmp_sys_resolver 1024
Segmentation fault
It should return:
$ scmp_sys_resolver 1024
UNKNOWN
For the new 3.19 syscalls:
$ scmp_sys_resolver getrandom
-1
it should return something like (actual number depends on arch, this is on armhf):
$ scmp_sys_resolver getrandom
384
For the 14.04 SRU, test the following syscalls (expected results on amd64 are shown):
$ scmp_sys_resolver getrandom
318
$ scmp_sys_resolver membarrier
324
$ scmp_sys_resolver userfaultfd
323
$ scmp_sys_resolver mlock2
325
autopkgtests for libseccomp have been added as part of this update to verify that the library recognizes all the syscalls from 3.19 and the private syscalls. These tests can be run like so (assuming you are in the unpacked source and the binaries are in ../binary):
$ export REL=vivid
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-
Alternatively, if you don't have autopkgtest setup, you can do:
$ apt-get install dpkg-dev build-essential linux-libc-dev libseccomp-dev seccomp
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/
...
PASS
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/
...
PASS
Lastly, seccomp is used by lxc. lxc can be tested by using the test case as outlined in step 4 of https:/
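To diagnose a denial like the one in the test case above, the raw type=1326 audit record has to be turned into an architecture-aware syscall name. The parser below is an added example, not code from this bug report or from libseccomp; the audit lines are constructed, and the name table is a deliberately partial one built only from the numbers quoted in this report (a real tool would fill it from scmp_sys_resolver), so a number it does not know resolves to "UNKNOWN", just as the fixed resolver reports.

```python
import re

# AUDIT_ARCH_* values from linux/audit.h for the two architectures in this bug.
AUDIT_ARCHES = {0xC000003E: "x86_64", 0x40000028: "arm"}
# The action is the upper 16 bits of the seccomp return code logged as code=0x...
SECCOMP_ACTIONS = {0x0: "kill_thread", 0x80000000: "kill_process",
                   0x30000: "trap", 0x50000: "errno", 0x7FF00000: "trace"}
# Constructed, deliberately partial table: only the numbers this bug quotes
# (amd64 from the 14.04 test plan, armhf getrandom from the 3.19 example).
SYSCALL_NAMES = {
    "x86_64": {318: "getrandom", 323: "userfaultfd", 324: "membarrier", 325: "mlock2"},
    "arm": {384: "getrandom"},
}
SECCOMP_RE = re.compile(
    r'type=1326 .*?comm="(?P<comm>[^"]*)".*?arch=(?P<arch>[0-9a-f]+)'
    r' syscall=(?P<nr>\d+).*?code=0x(?P<code>[0-9a-f]+)'
)

def parse_seccomp_record(line):
    """Parse one type=1326 (AUDIT_SECCOMP) record; return None for other lines.
    A number missing from the table resolves to "UNKNOWN", the same answer
    scmp_sys_resolver gives for a syscall its tables do not know."""
    m = SECCOMP_RE.search(line)
    if not m:
        return None
    arch = AUDIT_ARCHES.get(int(m.group("arch"), 16), "UNKNOWN")
    nr = int(m.group("nr"))
    return {
        "comm": m.group("comm"),
        "arch": arch,
        "syscall": nr,
        "name": SYSCALL_NAMES.get(arch, {}).get(nr, "UNKNOWN"),
        "action": SECCOMP_ACTIONS.get(int(m.group("code"), 16) & 0xFFFF0000, "other"),
    }

def seccomp_denials(lines):
    """Parsed records for every seccomp event in an audit log excerpt."""
    return [r for r in map(parse_seccomp_record, lines) if r is not None]

# Constructed sample: an armhf snappy system whose libseccomp predates getrandom,
# an unrelated syscall record, and an amd64 event with a number not in the table.
SAMPLE_LOG = [
    'audit: type=1326 audit(1430766100.123:45): auid=1000 uid=1000 gid=1000 ses=1 pid=1234 '
    'comm="hello-world.env" exe="/bin/sh" sig=31 arch=40000028 syscall=384 compat=0 ip=0xb6f1a2c4 code=0x0',
    'audit: type=1300 audit(1430766100.200:46): arch=c000003e syscall=59 success=yes',
    'audit: type=1326 audit(1483662018.500:47): auid=1000 uid=1000 gid=1000 ses=2 pid=2345 '
    'comm="lxc-start" exe="/usr/bin/lxc-start" sig=0 arch=c000003e syscall=999 compat=0 ip=0x7f3a1c0d2e10 code=0x50001',
]
```

Running `seccomp_denials(SAMPLE_LOG)` names the armhf getrandom denial (syscall 384, killed) and reports the amd64 event as UNKNOWN with an errno action, which is the symptom to look for when a filter was built by a libseccomp that lacks a syscall's table entry.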
[Regression Potential]
If the above tests pass, regression potential is considered low. Unknown syscalls will continue to be handled as before.
Description of changes:
add finit_module:
https:/
sync the syscall table entries - 3.16
https:/
https:/
https:/
https:/
https:/
https:/
sync the syscall table entries - 3.17
https:/
sync the syscall table entries - 3.19
https:/
This should also be applied (fix a segfault for invalid syscall numbers):
https:/
For the 14.04 SRU so that libseccomp can handle all of the syscalls in the 4.4 based linux-lts-xenial kernel:
- membarrier and userfaultfd syscalls:
https:/
- x86 direct socket syscalls
https:/
- mlock2 syscall
https:/
In addition, add-missing-
| Changed in libseccomp (Ubuntu): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in snappy-ubuntu: | |
| status: | New → In Progress |
| Changed in libseccomp (Ubuntu): | |
| status: | New → In Progress |
| description: | updated |
| Changed in libseccomp (Ubuntu Vivid): | |
| status: | New → In Progress |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Jamie Strandboge (jdstrand) wrote : | #1 |
| Changed in libseccomp (Ubuntu Wily): | |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #2 |
This bug was fixed in the package libseccomp - 2.1.1-1ubuntu1~
---------------
libseccomp (2.1.1-
* add-finit-
syscall tables
* update syscalls for modern kernels (skipping MIPS)
- update syscalls for 3.16:
+ update-
+ update-
+ update-
+ update-
+ sync-syscall-
+ sync-syscall-
- update syscalls for 3.17:
+ sync-syscall-
- update syscalls for 3.19:
+ sync-syscall-
- LP: #1450642
* fix-segfault-
* debian/
ARM syscalls
* add autopkgtests for scmp_sys_resolver and filter testing and
SYS_getrandom() testing
-- Jamie Strandboge <email address hidden> Mon, 04 May 2015 13:53:49 -0500
| Changed in libseccomp (Ubuntu Wily): | |
| status: | Fix Committed → Fix Released |
| Chris J Arges (arges) wrote : | #3 |
Since 2.1.1-1ubuntu1~
| Brian Murray (brian-murray) wrote : | #4 |
Actually, because that version number, 2.1.1-1ubuntu1~
| Jamie Strandboge (jdstrand) wrote : | #5 |
2.1.1-1ubuntu1~
Hello Jamie, or anyone else affected,
Accepted libseccomp into vivid-proposed. The package will build now and be available at http://
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Changed in libseccomp (Ubuntu Vivid): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed |
| Jamie Strandboge (jdstrand) wrote : | #7 |
Test cases pass with packages in vivid-proposed:
* in build testsuite results are same between previous build and this for all archs: PASS
* scmp_sys_resolver 1024: PASS
* scmp_sys_resolver getrandom: PASS
* autopkgtests: PASS
* lxc (amd64 and i386 only): PASS
* docker framework (snappy/armhf): PASS
* snappy hello-world.env (snappy/armhf): PASS
As a further data point, this package is source-identical to what is in wily (other than the debian/changelog) and wily's update made it through proposed migration and lxc's tests all passed:
https:/
https:/
| tags: | added: verification-done removed: verification-needed |
| Changed in snappy-ubuntu: | |
| status: | In Progress → Fix Committed |
| affects: | snappy-ubuntu → snappy |
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package libseccomp - 2.1.1-1ubuntu1~
---------------
libseccomp (2.1.1-
* add-finit-
syscall tables
* update syscalls for modern kernels (skipping MIPS)
- update syscalls for 3.16:
+ update-
+ update-
+ update-
+ update-
+ sync-syscall-
+ sync-syscall-
- update syscalls for 3.17:
+ sync-syscall-
- update syscalls for 3.19:
+ sync-syscall-
- LP: #1450642
* fix-segfault-
* debian/
ARM syscalls
* add autopkgtests for scmp_sys_resolver and filter testing and
SYS_getrandom() testing
-- Jamie Strandboge <email address hidden> Fri, 08 May 2015 17:10:14 -0400
| Changed in libseccomp (Ubuntu Vivid): | |
| status: | Fix Committed → Fix Released |
The verification of the Stable Release Update for libseccomp has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
| Changed in snappy: | |
| status: | Fix Committed → Fix Released |
| Changed in libseccomp (Ubuntu Trusty): | |
| status: | New → In Progress |
| importance: | Undecided → High |
| assignee: | nobody → Tyler Hicks (tyhicks) |
| description: | updated |
Hello Jamie, or anyone else affected,
Accepted libseccomp into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Changed in libseccomp (Ubuntu Trusty): | |
| status: | In Progress → Fix Committed |
| tags: | removed: verification-done |
| tags: | added: verification-needed |
| Changed in libseccomp (Ubuntu): | |
| importance: | Undecided → High |
| Changed in libseccomp (Ubuntu Vivid): | |
| importance: | Undecided → High |
| Changed in libseccomp (Ubuntu Wily): | |
| importance: | Undecided → High |
| description: | updated |
| Tyler Hicks (tyhicks) wrote : | #11 |
I've completed my verification of the libseccomp 2.1.1-1ubuntu1~
I followed the test plan and everything went as expected. I think this SRU is good to go.
| tags: | added: verification-complete removed: verification-needed |
| tags: | added: verification-done removed: verification-complete |
| Jamie Strandboge (jdstrand) wrote : | #12 |
Note bug #1653487 which says that this SRU is not enough to get seccomp working with snaps on 64 bit systems.
| Tyler Hicks (tyhicks) wrote : | #13 |
I wanted to mention that snaps were working with libseccomp from trusty-proposed in my testing. I tested with the hello-world, pwgen-tyhicks, and lxd snaps on amd64. However, bug #1653487 shows there is a snapd build test failure with the libseccomp from trusty-proposed and it needs to be triaged to understand what's breaking.
| Brian Murray (brian-murray) wrote : | #14 |
I'm setting the tag back to verification-needed then to prevent this from being released.
| tags: | added: verification-needed removed: verification-done |
| description: | updated |
| Jamie Strandboge (jdstrand) wrote : | #15 |
@Tyler, the problem in bug #1653487 was due to a latent bug in libseccomp 2.1 that is only exposed via snap-confine's use of argument filtering. I'm uploading 2.1.1-1ubuntu1~
| Brian Murray (brian-murray) wrote : | #16 |
Hello Jamie, or anyone else affected,
Accepted libseccomp into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Jamie Strandboge (jdstrand) wrote : | #17 |
I've completed my verification of 2.1.1-1ubuntu1~
I followed the test plan for this and bug #1653487 with additional manual testing for lxc and docker debs along with various snaps (ufw, lxd, docker (amd64 only since docker upstream doesn't provide 32 bit images; also see unrelated bug #1654590), etc and found no regressions.
NOTE: I discovered that the systemd upstart job won't start if cgmanager (pulled in by lxc) is installed. tvoss and I discussed and he will followup with Foundations. This is unrelated to this SRU but may be useful to know for testers.
| tags: | added: verification-done removed: verification-needed |
| Robie Basak (racb) wrote : | #18 |
There's an autopkgtest lxc failure on armhf, which usually passes. Please could you determine if this is caused by this SRU? Removing verification-done for now to avoid any accidents. Please set back if you determine that the autopkgtest failure has a cause unrelated to this SRU.
| Robie Basak (racb) wrote : | #19 |
| tags: | removed: verification-done |
| Jamie Strandboge (jdstrand) wrote : | #20 |
There are a lot of failures and containers don't seem to be starting for a variety of reasons. lxc 1.0.8 (what this version of libseccomp was tested against) always failed on armhf according to http://
Case in point: https:/
$ zgrep -i fail ./log.gz
FAIL: lxc-tests: /usr/bin/
FAIL: lxc-tests: /usr/bin/
FAIL
FAIL: lxc-tests: /usr/bin/
FAIL: lxc-tests: /usr/bin/
Starting the container (lxc-test-
Starting the container (lxc-test-
Starting the container (lxc-test-
Starting the container (lxc-test-
FAIL: lxc-tests: /usr/bin/
FAIL: lxc-tests: /usr/bin/
67: failed to start lxctest1
FAIL: lxc-tests: /usr/bin/
FAIL: lxc-tests: /usr/bin/
68: failed to start lxctest1
FAIL: lxc-tests: /usr/bin/
169: lxctest1 failed to start
FAIL: lxc-tests: /usr/bin/
lxc-start: lxc_start.c: main: 341 The container failed to start.
+ pass=fail
+ '[' fail = pass ']'
+ pass=fail
+ '[' fail '!=' pass ']'
lxc-start 1483662018.638 ERROR lxc_cgfs - cgfs.c:
lxc-start 1483662018.638 ERROR lxc_start - start.c:
lxc-start 1483662018.711 ERROR lxc_start - start.c:
lxc-start 1483662018.711 WARN lxc_commands - commands.
lxc-start 1483662018.712 ERROR lxc_start_ui - lxc_start.
+ echo 'FAIL: Test 1: expected pass but container did not.'
FAIL: Test 1: expected pass but container did not.
FAIL: lxc-tests: /usr/bin/
lxc_container: lxccontainer.c: create_
Failed creating ubuntu container
FAIL: python3: API
SUMMARY: pass=9, fail=12, ignored=5
which are all the same failures as in https:/
In other words, this SRU introduced no new regressions in the lxc autopkgtest.
| tags: | added: verification-done |
| Launchpad Janitor (janitor) wrote : | #21 |
This bug was fixed in the package libseccomp - 2.1.1-1ubuntu1~
---------------
libseccomp (2.1.1-
* Cherrypick various bpf fixes to support argument filtering on 64-bit
(LP: #1653487)
- debian/
db->arch in _gen_bpf_arch()
- debian/
filters in a collection to share the same endianess
- debian/
by big endian systems
- debian/
checking logic
- debian/
state and reload it when necessary. This is the fix for LP: #1653487. The
previous patches are required by this patch.
- debian/
simulator always has a valid architecture value. This fixes a regression
in the testsuite introduced by resolve-
- debian/
testsuite introduced by bpf-accumulator
- debian/
not being defined correctly for the tools
libseccomp (2.1.1-
* Bring libseccomp 2.1.1-1ubuntu1~
14.04 and add a couple patches to account for new syscalls found in the
4.4 based hardware enablement kernel. This allows for proper snap seccomp
confinement on Ubuntu 14.04 when using the hardware enablement kernel
(LP: #1450642)
- debian/
userfaultfd syscalls
- debian/
- debian/
verifies all syscalls found in the 4.4 kernel, except for the s390
specific syscalls, are supported by libseccomp. The s390 specific
syscalls are not needed since this version of libseccomp does not
support the s390 architecture.
- debian/
SYS_getrandom is not defined in 14.04 environment and the getrandom(2)
syscall is not even available in the 14.04 release kernel.
libseccomp (2.1.1-
* add-finit-
syscall tables
* update syscalls for modern kernels (skipping MIPS)
- update syscalls for 3.16:
+ update-
+ update-
+ update-
+ update-
+ sync-syscall-
+ sync-syscall-
- update syscalls for 3.17:
+ sync-syscall-
- update syscalls for 3.19:
+ sync-syscall-
- LP: #1450642
* fix-segfault-
| Changed in libseccomp (Ubuntu Trusty): | |
| status: | Fix Committed → Fix Released |


Uploaded the same version to wily (it is in unapproved).