Activity log for bug #1450642

Date Who What changed Old value New value Message
2015-04-30 21:33:31 Jamie Strandboge bug added bug
2015-04-30 21:33:41 Jamie Strandboge libseccomp (Ubuntu): assignee Jamie Strandboge (jdstrand)
2015-04-30 21:33:56 Jamie Strandboge bug task added snappy-ubuntu
2015-04-30 21:35:04 Jamie Strandboge snappy-ubuntu: status New In Progress
2015-04-30 21:35:07 Jamie Strandboge libseccomp (Ubuntu): status New In Progress
2015-05-04 20:33:24 Jamie Strandboge description
Old value:
Several syscalls were discovered to be missing when using the launcher on snappy. These should be added so we may properly support seccomp filtering.

add finit_module:
https://github.com/seccomp/libseccomp/commit/64152018ffdf971efefd84466db4a92002bb8b15

sync the syscall table entries - 3.16
https://github.com/seccomp/libseccomp/commit/9186136be7696ed63a8ddc06c9b397057abc5c75
https://github.com/seccomp/libseccomp/commit/3f319a9a5bc2e32f5a3c296fb0476c040b6f46c4
https://github.com/seccomp/libseccomp/commit/689f19e7488535c775c1db415b8d9895905ef8dd
https://github.com/seccomp/libseccomp/commit/ac6802b300922ef2ad3e95e2c80f89b575073aeb
https://github.com/seccomp/libseccomp/commit/c6205d9600983aa3fa68ca952b7624f2fec86718
https://github.com/seccomp/libseccomp/commit/76739812a3e23182504cde43403ddb9921e0e05a

sync the syscall table entries - 3.17
https://github.com/seccomp/libseccomp/commit/6354f8cab5ac82a8d567005e58a9e7ff9dd843a9

sync the syscall table entries - 3.19
https://github.com/seccomp/libseccomp/commit/7b80fb2fb683cafaf5dc9ff7692437ba86e598a3

This should also be applied (fix a segfault for invalid syscall numbers):
https://github.com/seccomp/libseccomp/commit/2d09a74c7f04d29ae740db1e2187ff1a1886b2c3

New value:
[Impact]
Several syscalls were discovered to be missing when using the launcher on snappy. These should be added so we may properly support seccomp filtering.

[Test Case]
seccomp itself has a comprehensive testsuite, and while it doesn't fail the build, regressions can be seen by looking at the build log. Eg:
Regression Test Summary
 tests run: 6494
 tests skipped: 52
 tests passed: 6494
 tests failed: 0
 tests errored: 0

Furthermore, on a snappy system, perform:
$ sudo snappy install hello-world
$ hello-world.env

It should show the environment. On an arm system with 2.1.1-1 from the archive, this will fail due to a seccomp denial:
audit: type=1326 audit(1430766107.122:16): auid=1000 uid=1000 gid=1000 ses=15 pid=1491 comm="env" exe="/bin/bash" sig=31 arch=40000028 syscall=983045 compat=0 ip=0xb6fb0bd6 code=0x0
(note, snappy images have a ppa fix for this, see notes below).

To test the segfault fix, do:
$ scmp_sys_resolver 1024
Segmentation fault

It should return:
$ scmp_sys_resolver 1024
UNKNOWN

For the new 3.19 syscalls:
$ scmp_sys_resolver getrandom
-1

It should return something like (actual number depends on arch, this is on armhf):
$ scmp_sys_resolver getrandom
384

autopkgtests for libseccomp have been added as part of this update to verify that the library recognizes all the syscalls from 3.19 and the private syscalls. These tests can be run like so (assuming you are in the unpacked source and the binaries are in ../binary):
$ export REL=vivid
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-$REL-amd64 || echo "** AUTOPKGTESTS FAILED"

Alternatively, if you don't have autopkgtest setup, you can do:
$ apt-get install dpkg-dev build-essential linux-libc-dev libseccomp-dev seccomp
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-filter
...
PASS
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-scmp_sys_resolver
...
PASS

Lastly, seccomp is used by lxc. lxc can be tested by using the test case as outlined in step 4 of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor#Desktop_only.

[Regression Potential]
If the above tests pass, regression potential is considered low. Unknown syscalls will continue to be handled as before.

Description of changes:
add finit_module:
https://github.com/seccomp/libseccomp/commit/64152018ffdf971efefd84466db4a92002bb8b15

sync the syscall table entries - 3.16
https://github.com/seccomp/libseccomp/commit/9186136be7696ed63a8ddc06c9b397057abc5c75
https://github.com/seccomp/libseccomp/commit/3f319a9a5bc2e32f5a3c296fb0476c040b6f46c4
https://github.com/seccomp/libseccomp/commit/689f19e7488535c775c1db415b8d9895905ef8dd
https://github.com/seccomp/libseccomp/commit/ac6802b300922ef2ad3e95e2c80f89b575073aeb
https://github.com/seccomp/libseccomp/commit/c6205d9600983aa3fa68ca952b7624f2fec86718
https://github.com/seccomp/libseccomp/commit/76739812a3e23182504cde43403ddb9921e0e05a

sync the syscall table entries - 3.17
https://github.com/seccomp/libseccomp/commit/6354f8cab5ac82a8d567005e58a9e7ff9dd843a9

sync the syscall table entries - 3.19
https://github.com/seccomp/libseccomp/commit/7b80fb2fb683cafaf5dc9ff7692437ba86e598a3

This should also be applied (fix a segfault for invalid syscall numbers):
https://github.com/seccomp/libseccomp/commit/2d09a74c7f04d29ae740db1e2187ff1a1886b2c3

In addition, add-missing-arm-private-syscalls.patch is added to add 5 private ARM syscalls. These are absolutely required on snappy. This portion of the patch has been well tested and is included by default in stable snappy images via the snappy image PPA.
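Added example (not code from the bug, libseccomp or Ubuntu): a small Python decoder for seccomp audit denials like the one quoted above, plus a stand-in for the scmp_sys_resolver checks in the test case. It assumes the AUDIT_ARCH values from linux/audit.h and the ARM private syscall names from the kernel's ARM uapi unistd.h (breakpoint, cacheflush, usr26, usr32, set_tls at __ARM_NR_BASE 0x0f0000 + 1..5, which I take to be the five the patch adds); the syscall tables are tiny samples built only from numbers quoted in the bug, not libseccomp's real tables, and the second log line is constructed.

```python
"""Decode SECCOMP (audit type=1326) records and resolve syscall numbers per
architecture, returning "UNKNOWN" / -1 for unknown input instead of failing."""
import re

# AUDIT_ARCH_* values from linux/audit.h: ELF machine id OR'd with
# 0x40000000 (little-endian) and 0x80000000 (64-bit).
AUDIT_ARCH_NAMES = {
    0x40000028: "arm",      # EM_ARM | LE  -> the arch in the bug's log line
    0x40000003: "i386",     # EM_386 | LE
    0xC000003E: "x86_64",   # EM_X86_64 | 64BIT | LE
    0xC00000B7: "aarch64",  # EM_AARCH64 | 64BIT | LE
}

# ARM "private" syscalls live at __ARM_NR_BASE (0x0f0000) + n. Assumed to be
# the 5 syscalls add-missing-arm-private-syscalls.patch adds to libseccomp.
ARM_PRIVATE_BASE = 0x0F0000
ARM_PRIVATE = {1: "breakpoint", 2: "cacheflush", 3: "usr26", 4: "usr32", 5: "set_tls"}

# Sample tables: only the numbers quoted in the bug's test case (amd64 and
# armhf). A real resolver uses libseccomp's full per-arch tables.
SYSCALL_TABLES = {
    "x86_64": {318: "getrandom", 323: "userfaultfd", 324: "membarrier", 325: "mlock2"},
    "arm": {384: "getrandom"},
}

SIGNAL_NAMES = {0: "none", 31: "SIGSYS"}  # SIGSYS is 31 on x86/arm Linux


def resolve_num(arch_name, nr):
    """Number -> name. Numbers outside the table (e.g. 1024) yield "UNKNOWN",
    the behaviour of the fixed scmp_sys_resolver, rather than a crash."""
    if arch_name == "arm" and (nr & 0xFFFF0000) == ARM_PRIVATE_BASE:
        name = ARM_PRIVATE.get(nr - ARM_PRIVATE_BASE)
        return "UNKNOWN" if name is None else name
    return SYSCALL_TABLES.get(arch_name, {}).get(nr, "UNKNOWN")


def resolve_name(arch_name, name):
    """Name -> number; -1 when the name is not known for that arch (what the
    bug shows for getrandom before the syscall tables were synced)."""
    if arch_name == "arm":
        for n, priv in ARM_PRIVATE.items():
            if priv == name:
                return ARM_PRIVATE_BASE + n
    for nr, known in SYSCALL_TABLES.get(arch_name, {}).items():
        if known == name:
            return nr
    return -1


AUDIT_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_record(line):
    """Parse one audit line into decoded fields; None if it is not a SECCOMP
    (type=1326) record."""
    fields = {k: v.strip('"') for k, v in AUDIT_FIELD_RE.findall(line)}
    if fields.get("type") != "1326":
        return None
    arch = int(fields["arch"], 16)
    arch_name = AUDIT_ARCH_NAMES.get(arch, "unknown(0x%08x)" % arch)
    nr = int(fields["syscall"])
    sig = int(fields.get("sig", "0"))
    return {
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "exe": fields["exe"],
        "arch": arch_name,
        "syscall_nr": nr,
        "syscall": resolve_num(arch_name, nr),
        "signal": SIGNAL_NAMES.get(sig, "sig%d" % sig),
        # sig=0: the filter action returned to the caller (errno/log style);
        # a signal means the task was killed or trapped by the filter.
        "killed_or_trapped": sig != 0,
    }


def verify_expected(arch_name, expected):
    """Equivalent of the bug's scmp_sys_resolver checks: names whose resolved
    number differs from the expected one (empty list means all match)."""
    return [n for n, nr in expected.items() if resolve_name(arch_name, n) != nr]


def triage(lines):
    """Keep only the seccomp denials from a mixed audit log."""
    return [r for r in map(parse_seccomp_record, lines) if r is not None]


# Constructed sample input: line 1 is the denial quoted in the bug; line 2 is
# a made-up x86_64 record for an unknown syscall number; line 3 is not seccomp.
SAMPLE_LOG = [
    'audit: type=1326 audit(1430766107.122:16): auid=1000 uid=1000 gid=1000 '
    'ses=15 pid=1491 comm="env" exe="/bin/bash" sig=31 arch=40000028 '
    'syscall=983045 compat=0 ip=0xb6fb0bd6 code=0x0',
    'audit: type=1326 audit(1430766200.000:17): auid=1000 uid=1000 gid=1000 '
    'ses=15 pid=2000 comm="demo" exe="/usr/bin/demo" sig=0 arch=c000003e '
    'syscall=1024 compat=0 ip=0x7f00deadbeef code=0x50000',
    'audit: type=1400 audit(1430766201.000:18): apparmor="DENIED" operation="open"',
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)  # first record resolves 983045 -> ARM private set_tls
    print("mismatches:", verify_expected(
        "x86_64", {"getrandom": 318, "membarrier": 324, "userfaultfd": 323, "mlock2": 325}))
```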
2015-05-04 20:35:23 Jamie Strandboge bug added subscriber Ubuntu Stable Release Updates Team
2015-05-05 14:08:47 Jamie Strandboge nominated for series Ubuntu Wily
2015-05-05 14:08:47 Jamie Strandboge bug task added libseccomp (Ubuntu Wily)
2015-05-05 14:08:47 Jamie Strandboge nominated for series Ubuntu Vivid
2015-05-05 14:08:47 Jamie Strandboge bug task added libseccomp (Ubuntu Vivid)
2015-05-05 14:08:56 Jamie Strandboge libseccomp (Ubuntu Vivid): status New In Progress
2015-05-05 14:08:58 Jamie Strandboge libseccomp (Ubuntu Vivid): assignee Jamie Strandboge (jdstrand)
2015-05-05 15:38:57 Jamie Strandboge libseccomp (Ubuntu Wily): status In Progress Fix Committed
2015-05-05 15:58:59 Launchpad Janitor libseccomp (Ubuntu Wily): status Fix Committed Fix Released
2015-05-12 18:25:09 Chris J Arges libseccomp (Ubuntu Vivid): status In Progress Fix Committed
2015-05-12 18:25:12 Chris J Arges bug added subscriber SRU Verification
2015-05-12 18:25:13 Chris J Arges tags verification-needed
2015-05-14 19:21:56 Jamie Strandboge tags verification-needed verification-done
2015-05-14 19:22:10 Jamie Strandboge snappy-ubuntu: status In Progress Fix Committed
2015-05-18 21:36:38 Michael Terry affects snappy-ubuntu snappy
2015-05-21 22:28:10 Launchpad Janitor libseccomp (Ubuntu Vivid): status Fix Committed Fix Released
2015-05-21 22:28:14 Brian Murray removed subscriber Ubuntu Stable Release Updates Team
2015-05-24 19:55:06 Launchpad Janitor branch linked lp:ubuntu/libseccomp
2015-05-24 19:55:13 Launchpad Janitor branch linked lp:~ubuntu-branches/ubuntu/vivid/libseccomp/vivid-proposed
2015-06-02 04:26:56 Ricardo Salveti nominated for series snappy/15.04
2015-06-02 04:26:56 Ricardo Salveti bug task added snappy/15.04
2015-06-02 04:27:04 Ricardo Salveti snappy/15.04: milestone 15.04.1
2015-06-02 04:27:16 Ricardo Salveti snappy/15.04: assignee Jamie Strandboge (jdstrand)
2015-06-02 04:27:18 Ricardo Salveti snappy/15.04: status New Fix Committed
2015-06-02 04:27:21 Ricardo Salveti snappy: status Fix Committed Fix Released
2015-06-11 01:04:06 Ricardo Salveti snappy/15.04: status Fix Committed Fix Released
2016-12-14 20:19:12 Tyler Hicks nominated for series Ubuntu Trusty
2016-12-14 20:19:12 Tyler Hicks bug task added libseccomp (Ubuntu Trusty)
2016-12-14 20:19:20 Tyler Hicks libseccomp (Ubuntu Trusty): status New In Progress
2016-12-14 20:19:24 Tyler Hicks libseccomp (Ubuntu Trusty): importance Undecided High
2016-12-14 20:19:26 Tyler Hicks libseccomp (Ubuntu Trusty): assignee Tyler Hicks (tyhicks)
2016-12-15 00:21:32 Tyler Hicks description
Old value: identical to the new value of the 2015-05-04 20:33:24 description change above.

New value:
[Impact]
Several syscalls were discovered to be missing when using the launcher on snappy. These should be added so we may properly support seccomp filtering.

[Test Case]
seccomp itself has a comprehensive testsuite, and while it doesn't fail the build, regressions can be seen by looking at the build log. Eg:
Regression Test Summary
 tests run: 6494
 tests skipped: 52
 tests passed: 6494
 tests failed: 0
 tests errored: 0

Furthermore, on a snappy system, perform:
# Note, for the 14.04 SRU, you'll have to enable trusty-proposed and install snapd from
# the following PPA:
# https://launchpad.net/~thomas-voss/+archive/ubuntu/trusty/+packages
$ sudo snappy install hello-world
$ hello-world.env

It should show the environment. On an arm system with 2.1.1-1 from the archive, this will fail due to a seccomp denial:
audit: type=1326 audit(1430766107.122:16): auid=1000 uid=1000 gid=1000 ses=15 pid=1491 comm="env" exe="/bin/bash" sig=31 arch=40000028 syscall=983045 compat=0 ip=0xb6fb0bd6 code=0x0
(note, snappy images have a ppa fix for this, see notes below).

To test the segfault fix, do:
$ scmp_sys_resolver 1024
Segmentation fault

It should return:
$ scmp_sys_resolver 1024
UNKNOWN

For the new 3.19 syscalls:
$ scmp_sys_resolver getrandom
-1

It should return something like (actual number depends on arch, this is on armhf):
$ scmp_sys_resolver getrandom
384

autopkgtests for libseccomp have been added as part of this update to verify that the library recognizes all the syscalls from 3.19 and the private syscalls. These tests can be run like so (assuming you are in the unpacked source and the binaries are in ../binary):
$ export REL=vivid
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-$REL-amd64 || echo "** AUTOPKGTESTS FAILED"

Alternatively, if you don't have autopkgtest setup, you can do:
$ apt-get install dpkg-dev build-essential linux-libc-dev libseccomp-dev seccomp
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-filter
...
PASS
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-scmp_sys_resolver
...
PASS

Lastly, seccomp is used by lxc. lxc can be tested by using the test case as outlined in step 4 of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor#Desktop_only.

[Regression Potential]
If the above tests pass, regression potential is considered low. Unknown syscalls will continue to be handled as before.

Description of changes:
add finit_module:
https://github.com/seccomp/libseccomp/commit/64152018ffdf971efefd84466db4a92002bb8b15

sync the syscall table entries - 3.16
https://github.com/seccomp/libseccomp/commit/9186136be7696ed63a8ddc06c9b397057abc5c75
https://github.com/seccomp/libseccomp/commit/3f319a9a5bc2e32f5a3c296fb0476c040b6f46c4
https://github.com/seccomp/libseccomp/commit/689f19e7488535c775c1db415b8d9895905ef8dd
https://github.com/seccomp/libseccomp/commit/ac6802b300922ef2ad3e95e2c80f89b575073aeb
https://github.com/seccomp/libseccomp/commit/c6205d9600983aa3fa68ca952b7624f2fec86718
https://github.com/seccomp/libseccomp/commit/76739812a3e23182504cde43403ddb9921e0e05a

sync the syscall table entries - 3.17
https://github.com/seccomp/libseccomp/commit/6354f8cab5ac82a8d567005e58a9e7ff9dd843a9

sync the syscall table entries - 3.19
https://github.com/seccomp/libseccomp/commit/7b80fb2fb683cafaf5dc9ff7692437ba86e598a3

This should also be applied (fix a segfault for invalid syscall numbers):
https://github.com/seccomp/libseccomp/commit/2d09a74c7f04d29ae740db1e2187ff1a1886b2c3

For the 14.04 SRU so that libseccomp can handle all of the syscalls in the 4.4 based linux-lts-xenial kernel:
- membarrier and userfaultfd syscalls:
  https://github.com/seccomp/libseccomp/commit/d2ca11b7cdddbba3782b1e306ceacf19e898faee
- x86 direct socket syscalls
  https://github.com/seccomp/libseccomp/commit/24114ca6703036f76be1920a7ba387d6835dd764
- mlock2 syscall
  https://github.com/seccomp/libseccomp/commit/173b96ba8d36a4b1954e99570e82f2f932fe056a

In addition, add-missing-arm-private-syscalls.patch is added to add 5 private ARM syscalls. These are absolutely required on snappy. This portion of the patch has been well tested and is included by default in stable snappy images via the snappy image PPA.
2016-12-20 18:47:21 Steve Langasek libseccomp (Ubuntu Trusty): status In Progress Fix Committed
2016-12-20 18:47:26 Steve Langasek bug added subscriber Ubuntu Stable Release Updates Team
2016-12-20 18:47:36 Steve Langasek tags verification-done
2016-12-20 18:47:38 Steve Langasek tags verification-needed
2016-12-20 23:47:18 Mathew Hodson libseccomp (Ubuntu): importance Undecided High
2016-12-20 23:47:20 Mathew Hodson libseccomp (Ubuntu Vivid): importance Undecided High
2016-12-20 23:47:24 Mathew Hodson libseccomp (Ubuntu Wily): importance Undecided High
2016-12-22 22:12:41 Tyler Hicks description
Old value: identical to the new value of the 2016-12-15 00:21:32 description change above.

New value:
[Impact]
Several syscalls were discovered to be missing when using the launcher on snappy. These should be added so we may properly support seccomp filtering.

[Test Case]
seccomp itself has a comprehensive testsuite, and while it doesn't fail the build, regressions can be seen by looking at the build log. Eg:
Regression Test Summary
 tests run: 6494
 tests skipped: 52
 tests passed: 6494
 tests failed: 0
 tests errored: 0

Furthermore, on a snappy system, perform:
# Note, for the 14.04 SRU, you'll have to install snapd from trusty-proposed
$ sudo snappy install hello-world
$ hello-world.env

It should show the environment. On an arm system with 2.1.1-1 from the archive, this will fail due to a seccomp denial:
audit: type=1326 audit(1430766107.122:16): auid=1000 uid=1000 gid=1000 ses=15 pid=1491 comm="env" exe="/bin/bash" sig=31 arch=40000028 syscall=983045 compat=0 ip=0xb6fb0bd6 code=0x0
(note, snappy images have a ppa fix for this, see notes below).

To test the segfault fix, do:
$ scmp_sys_resolver 1024
Segmentation fault

It should return:
$ scmp_sys_resolver 1024
UNKNOWN

For the new 3.19 syscalls:
$ scmp_sys_resolver getrandom
-1

It should return something like (actual number depends on arch, this is on armhf):
$ scmp_sys_resolver getrandom
384

For the 14.04 SRU, test the following syscalls (expected results on amd64 are shown):
$ scmp_sys_resolver getrandom
318
$ scmp_sys_resolver membarrier
324
$ scmp_sys_resolver userfaultfd
323
$ scmp_sys_resolver mlock2
325

autopkgtests for libseccomp have been added as part of this update to verify that the library recognizes all the syscalls from 3.19 and the private syscalls. These tests can be run like so (assuming you are in the unpacked source and the binaries are in ../binary):
$ export REL=vivid
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-$REL-amd64 || echo "** AUTOPKGTESTS FAILED"

Alternatively, if you don't have autopkgtest setup, you can do:
$ apt-get install dpkg-dev build-essential linux-libc-dev libseccomp-dev seccomp
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-filter
...
PASS
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-scmp_sys_resolver
...
PASS

Lastly, seccomp is used by lxc. lxc can be tested by using the test case as outlined in step 4 of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor#Desktop_only.

[Regression Potential]
If the above tests pass, regression potential is considered low. Unknown syscalls will continue to be handled as before.

Description of changes:
add finit_module:
https://github.com/seccomp/libseccomp/commit/64152018ffdf971efefd84466db4a92002bb8b15

sync the syscall table entries - 3.16
https://github.com/seccomp/libseccomp/commit/9186136be7696ed63a8ddc06c9b397057abc5c75
https://github.com/seccomp/libseccomp/commit/3f319a9a5bc2e32f5a3c296fb0476c040b6f46c4
https://github.com/seccomp/libseccomp/commit/689f19e7488535c775c1db415b8d9895905ef8dd
https://github.com/seccomp/libseccomp/commit/ac6802b300922ef2ad3e95e2c80f89b575073aeb
https://github.com/seccomp/libseccomp/commit/c6205d9600983aa3fa68ca952b7624f2fec86718
https://github.com/seccomp/libseccomp/commit/76739812a3e23182504cde43403ddb9921e0e05a

sync the syscall table entries - 3.17
https://github.com/seccomp/libseccomp/commit/6354f8cab5ac82a8d567005e58a9e7ff9dd843a9

sync the syscall table entries - 3.19
https://github.com/seccomp/libseccomp/commit/7b80fb2fb683cafaf5dc9ff7692437ba86e598a3

This should also be applied (fix a segfault for invalid syscall numbers):
https://github.com/seccomp/libseccomp/commit/2d09a74c7f04d29ae740db1e2187ff1a1886b2c3

For the 14.04 SRU so that libseccomp can handle all of the syscalls in the 4.4 based linux-lts-xenial kernel:
- membarrier and userfaultfd syscalls:
  https://github.com/seccomp/libseccomp/commit/d2ca11b7cdddbba3782b1e306ceacf19e898faee
- x86 direct socket syscalls
  https://github.com/seccomp/libseccomp/commit/24114ca6703036f76be1920a7ba387d6835dd764
- mlock2 syscall
  https://github.com/seccomp/libseccomp/commit/173b96ba8d36a4b1954e99570e82f2f932fe056a

In addition, add-missing-arm-private-syscalls.patch is added to add 5 private ARM syscalls. These are absolutely required on snappy. This portion of the patch has been well tested and is included by default in stable snappy images via the snappy image PPA.
2016-12-22 22:30:04 Tyler Hicks tags verification-needed verification-complete
2016-12-22 22:30:42 Tyler Hicks tags verification-complete verification-done
2017-01-04 17:14:54 Brian Murray tags verification-done verification-needed
2017-01-05 20:47:22 Jamie Strandboge description
Old value: identical to the new value of the 2016-12-22 22:12:41 description change above.

New value:
[Impact]
Several syscalls were discovered to be missing when using the launcher on snappy. These should be added so we may properly support seccomp filtering.

[Test Case]
seccomp itself has a comprehensive testsuite, and while it doesn't fail the build, regressions can be seen by looking at the build log. Eg:
Regression Test Summary
 tests run: 6494
 tests skipped: 52
 tests passed: 6494
 tests failed: 0
 tests errored: 0

Furthermore, on a snappy system, perform:
# Note, for the 14.04 SRU, you'll have to install snapd from trusty-proposed and reboot into the lts kernel that it installs
$ sudo snap install hello-world
$ hello-world.env

It should show the environment. On an arm system with 2.1.1-1 from the archive, this will fail due to a seccomp denial:
audit: type=1326 audit(1430766107.122:16): auid=1000 uid=1000 gid=1000 ses=15 pid=1491 comm="env" exe="/bin/bash" sig=31 arch=40000028 syscall=983045 compat=0 ip=0xb6fb0bd6 code=0x0
(note, snappy images have a ppa fix for this, see notes below).

To test the segfault fix, do:
$ scmp_sys_resolver 1024
Segmentation fault

It should return:
$ scmp_sys_resolver 1024
UNKNOWN

For the new 3.19 syscalls:
$ scmp_sys_resolver getrandom
-1

It should return something like (actual number depends on arch, this is on armhf):
$ scmp_sys_resolver getrandom
384

For the 14.04 SRU, test the following syscalls (expected results on amd64 are shown):
$ scmp_sys_resolver getrandom
318
$ scmp_sys_resolver membarrier
324
$ scmp_sys_resolver userfaultfd
323
$ scmp_sys_resolver mlock2
325

autopkgtests for libseccomp have been added as part of this update to verify that the library recognizes all the syscalls from 3.19 and the private syscalls. These tests can be run like so (assuming you are in the unpacked source and the binaries are in ../binary):
$ export REL=vivid
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-$REL-amd64 || echo "** AUTOPKGTESTS FAILED"

Alternatively, if you don't have autopkgtest setup, you can do:
$ apt-get install dpkg-dev build-essential linux-libc-dev libseccomp-dev seccomp
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-filter
...
PASS
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-scmp_sys_resolver
...
PASS

Lastly, seccomp is used by lxc. lxc can be tested by using the test case as outlined in step 4 of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor#Desktop_only.

[Regression Potential]
If the above tests pass, regression potential is considered low. Unknown syscalls will continue to be handled as before.

Description of changes:
add finit_module:
https://github.com/seccomp/libseccomp/commit/64152018ffdf971efefd84466db4a92002bb8b15

sync the syscall table entries - 3.16
https://github.com/seccomp/libseccomp/commit/9186136be7696ed63a8ddc06c9b397057abc5c75
https://github.com/seccomp/libseccomp/commit/3f319a9a5bc2e32f5a3c296fb0476c040b6f46c4
https://github.com/seccomp/libseccomp/commit/689f19e7488535c775c1db415b8d9895905ef8dd
https://github.com/seccomp/libseccomp/commit/ac6802b300922ef2ad3e95e2c80f89b575073aeb
https://github.com/seccomp/libseccomp/commit/c6205d9600983aa3fa68ca952b7624f2fec86718
https://github.com/seccomp/libseccomp/commit/76739812a3e23182504cde43403ddb9921e0e05a

sync the syscall table entries - 3.17
https://github.com/seccomp/libseccomp/commit/6354f8cab5ac82a8d567005e58a9e7ff9dd843a9

sync the syscall table entries - 3.19
https://github.com/seccomp/libseccomp/commit/7b80fb2fb683cafaf5dc9ff7692437ba86e598a3

This should also be applied (fix a segfault for invalid syscall numbers):
https://github.com/seccomp/libseccomp/commit/2d09a74c7f04d29ae740db1e2187ff1a1886b2c3

For the 14.04 SRU so that libseccomp can handle all of the syscalls in the 4.4 based linux-lts-xenial kernel:
- membarrier and userfaultfd syscalls:
  https://github.com/seccomp/libseccomp/commit/d2ca11b7cdddbba3782b1e306ceacf19e898faee
- x86 direct socket syscalls
  https://github.com/seccomp/libseccomp/commit/24114ca6703036f76be1920a7ba387d6835dd764
- mlock2 syscall
  https://github.com/seccomp/libseccomp/commit/173b96ba8d36a4b1954e99570e82f2f932fe056a

In addition, add-missing-arm-private-syscalls.patch is added to add 5 private ARM syscalls. These are absolutely required on snappy. This portion of the patch has been well tested and is included by default in stable snappy images via the snappy image PPA.
2017-01-06 16:32:34 Jamie Strandboge tags verification-needed verification-done
2017-01-18 11:42:26 Robie Basak tags verification-done
2017-01-18 14:32:36 Jamie Strandboge tags verification-done
2017-01-18 17:28:42 Launchpad Janitor libseccomp (Ubuntu Trusty): status Fix Committed Fix Released