seccomp missing many new syscalls
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snappy | Fix Released | Undecided | Unassigned |
15.04 | Fix Released | Undecided | Jamie Strandboge |
libseccomp (Ubuntu) | Fix Released | High | Jamie Strandboge |
Trusty | Fix Released | High | Tyler Hicks |
Vivid | Fix Released | High | Jamie Strandboge |
Wily | Fix Released | High | Jamie Strandboge |
Bug Description
[Impact]
Several syscalls were discovered to be missing when using the launcher on snappy. These should be added so we may properly support seccomp filtering.
[Test Case]
seccomp itself has a comprehensive testsuite, and while it doesn't fail the build, regressions can be seen by looking at the build log, e.g.:
Regression Test Summary
tests run: 6494
tests skipped: 52
tests passed: 6494
tests failed: 0
tests errored: 0
Furthermore, on a snappy system, perform:
# Note, for the 14.04 SRU, you'll have to install snapd from trusty-proposed and reboot into the lts kernel that it installs
$ sudo snap install hello-world
$ hello-world.env
It should show the environment. On an arm system with 2.1.1-1 from the archive, this will fail due to a seccomp denial:
audit: type=1326 audit(143076610
(note, snappy images have a ppa fix for this, see notes below).
To test the segfault fix, do:
$ scmp_sys_resolver 1024
Segmentation fault
It should return:
$ scmp_sys_resolver 1024
UNKNOWN
For the new 3.19 syscalls:
$ scmp_sys_resolver getrandom
-1
it should return something like (actual number depends on arch, this is on armhf):
$ scmp_sys_resolver getrandom
384
For the 14.04 SRU, test the following syscalls (expected results on amd64 are shown):
$ scmp_sys_resolver getrandom
318
$ scmp_sys_resolver membarrier
324
$ scmp_sys_resolver userfaultfd
323
$ scmp_sys_resolver mlock2
325
autopkgtests for libseccomp have been added as part of this update to verify that the library recognizes all the syscalls from 3.19 and the private syscalls. These tests can be run like so (assuming you are in the unpacked source and the binaries are in ../binary):
$ export REL=vivid
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-
Alternatively, if you don't have autopkgtest set up, you can do:
$ apt-get install dpkg-dev build-essential linux-libc-dev libseccomp-dev seccomp
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/
...
PASS
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/
...
PASS
Lastly, seccomp is used by lxc. lxc can be tested by using the test case as outlined in step 4 of https:/
[Regression Potential]
If the above tests pass, regression potential is considered low. Unknown syscalls will continue to be handled as before.
Description of changes:
add finit_module:
https:/
sync the syscall table entries - 3.16
https:/
https:/
https:/
https:/
https:/
https:/
sync the syscall table entries - 3.17
https:/
sync the syscall table entries - 3.19
https:/
This should also be applied (fix a segfault for invalid syscall numbers):
https:/
For the 14.04 SRU so that libseccomp can handle all of the syscalls in the 4.4 based linux-lts-xenial kernel:
- membarrier and userfaultfd syscalls:
https:/
- x86 direct socket syscalls
https:/
- mlock2 syscall
https:/
In addition, add-missing-
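As an added example (not part of this bug report, of libseccomp or of the Ubuntu packaging), the following POSIX shell script automates the manual checks from the test case: it lists every syscall named in a kernel unistd header that scmp_sys_resolver cannot resolve (the "getrandom / -1" failure), confirms that an out-of-range number such as 1024 no longer crashes the resolver, and turns the build log's "Regression Test Summary" into a pass/fail gate. It assumes the `seccomp` package provides scmp_sys_resolver on PATH; the RESOLVER variable, the function names and the example header path are assumptions made for this script so it can be exercised with a stub, and the constructed header lines and summary used below are not taken from a real build.

```shell
#!/bin/sh
# Added example, not code from this bug or from libseccomp: automate the
# scmp_sys_resolver and regression-summary checks from the SRU test case.
# RESOLVER is an assumed hook so the functions can be run against a stub;
# by default it is the real scmp_sys_resolver from the seccomp package.
set -u

RESOLVER="${RESOLVER:-scmp_sys_resolver}"

# List syscall names defined in a kernel unistd header. Lines look like
#   #define __NR_getrandom 318
# The pseudo-entries __NR_syscalls and __NR_arch_specific_syscall found in
# asm-generic/unistd.h are not syscalls and are dropped.
syscall_names_from_header() {
    sed -n 's/^#define __NR_\([a-z0-9_]*\)[[:space:]][[:space:]]*[0-9][0-9]*.*/\1/p' "$1" |
        grep -v -e '^syscalls$' -e '^arch_specific_syscall$'
}

# Print each name from the header that the resolver does not know.
# scmp_sys_resolver prints -1 for an unknown name; a resolver that crashes
# or is missing is reported the same way rather than hiding the gap.
find_unknown_syscalls() {
    command -v "$RESOLVER" >/dev/null 2>&1 || {
        echo "resolver '$RESOLVER' not found" >&2
        return 2
    }
    syscall_names_from_header "$1" | while read -r name; do
        num=$("$RESOLVER" "$name" 2>/dev/null) || num=-1
        if [ "$num" = "-1" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Return 0 when resolving a number exits cleanly and prints something
# (a name, or UNKNOWN for an out-of-range number after the segfault fix);
# return 1 when it crashes or prints nothing, as 2.1.1-1 did for 1024.
resolver_handles_bad_number() {
    out=$("$RESOLVER" "$1" 2>/dev/null) && [ -n "$out" ]
}

# Pull one "tests <field>: N" value out of a build log (last summary wins).
summary_field() {
    sed -n "s/^tests $2:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# The regression testsuite does not fail the build on its own; this turns
# the summary into a gate: 0 only if a summary was found and nothing
# failed or errored.
check_regression_summary() {
    failed=$(summary_field "$1" failed)
    errored=$(summary_field "$1" errored)
    [ -n "$failed" ] && [ -n "$errored" ] &&
        [ "$failed" -eq 0 ] && [ "$errored" -eq 0 ]
}

# Usage: sh seccomp-check.sh /usr/include/x86_64-linux-gnu/asm/unistd_64.h [build.log]
# (the header path is an example; use the one for the target architecture)
if [ $# -gt 0 ]; then
    echo "syscalls in $1 unknown to $RESOLVER:"
    find_unknown_syscalls "$1"
    if resolver_handles_bad_number 1024; then
        echo "bad-number handling: OK"
    else
        echo "bad-number handling: FAIL (crash or empty output for 1024)"
    fi
    if [ -n "${2:-}" ]; then
        if check_regression_summary "$2"; then
            echo "regression summary: OK"
        else
            echo "regression summary: FAIL"
        fi
    fi
fi
```

An empty "unknown" list for the header of the kernel you intend to run is the condition the SRU is aiming for; any name printed is a syscall the library's filter builder cannot name, which on a snappy system shows up as an unexpected audit type=1326 denial rather than as a clean policy error.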
Changed in libseccomp (Ubuntu):
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in snappy-ubuntu:
  status: New → In Progress
Changed in libseccomp (Ubuntu):
  status: New → In Progress
  description: updated
Changed in libseccomp (Ubuntu Vivid):
  status: New → In Progress
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in libseccomp (Ubuntu Wily):
  status: In Progress → Fix Committed
  affects: snappy-ubuntu → snappy
Changed in snappy:
  status: Fix Committed → Fix Released
Changed in libseccomp (Ubuntu Trusty):
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Tyler Hicks (tyhicks)
  description: updated
Changed in libseccomp (Ubuntu):
  importance: Undecided → High
Changed in libseccomp (Ubuntu Vivid):
  importance: Undecided → High
Changed in libseccomp (Ubuntu Wily):
  importance: Undecided → High
  description: updated
  description: updated
Uploaded the same version to wily (it is in unapproved).