libseccomp should support GA and HWE kernels

Bug #1682102 reported by Dimitri John Ledkov on 2017-04-12
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libseccomp (Ubuntu)
Undecided
Unassigned
Xenial
High
Dimitri John Ledkov

Bug Description

[Impact]

out of date libseccomp w.r.t. custom and hwe kernels provides sub-par userspace protection, which is otherwise available on the running kernel and hardware combination.
This results in subpar security of systems running new architectures (s390x & ppc64el) and newer hwe/custom kernels.

* Version 2.3.1 - April 20, 2016
- Fixed a problem with 32-bit x86 socket syscalls on some systems
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x

* Version 2.3.0 - February 29, 2016
- Added support for the s390 and s390x architectures
- Added support for the ppc, ppc64, and ppc64le architectures
- Update the internal syscall tables to match the Linux 4.5-rcX releases
- Filter generation for both multiplexed and direct socket syscalls on x86
- Support for the musl libc implementation
- Additions to the API to enable runtime version checking of the library
- Enable the use of seccomp() instead of prctl() on supported systems
- Added additional tests to the regression test suite

There is no ABI/API break

There are no packaging changes, apart from dropping patches included in this upstream release and updating new symbols.

Doing wholesome update is safer and carries less risk, than individually cherrypicking effectively all of the above.

This is a backport to an LTS release under the banner of safe introduction of new features and new hardware support.

It is expected that container technologies will take advantage of the newly available libseccomp.

This may need to be uploaded as a security update.

Currently, s390x support in xenial libssecomp is incomplete. And there are v4.5+ syscall tables missing as used by hwe kernels and some custom kernels.

[Testcase]
Validate that all main contianer technologies are operational and do not regress, e.g.:
 - lxc
 - lxd
 - docker
 - snapd

[Regression Potential]
Userspace components may detect at runtime newly available libseccomp, and thus restrict user-space processes more than previously done. This may lead to a change of restrictions applied on the user sapce processes, and result in previously unexpected denials / errors returned.

[Proposed Update available in bileto PPA]
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2981

Changed in libseccomp (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Dimitri John Ledkov (xnox)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libseccomp (Ubuntu):
status: New → Confirmed
Tyler Hicks (tyhicks) wrote :

@xnox bringing zesty's libseccomp back to xenial may be needed for some kernel/snapd/libseccomp changes that I'm working on. Have you spent any time investigating such a change?

description: updated
description: updated
ChristianEhrhardt (paelzer) wrote :

A 2.3.x in Xenial would also allow to drop some Delta that the Cloud Archive is adding to "drop" newer seccomp support we add for latter releases - so seconding Tyhicks question being interested as well.

Adam Conrad (adconrad) wrote :

I built this package in the ubuntu-security-proposed PPA so it can be released to both -updates and -security (which seems like probably a sane thing to do) once it's passed the SRU process.

Changed in libseccomp (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-xenial

Hello Dimitri, or anyone else affected,

Accepted libseccomp into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libseccomp/2.3.1-2.1ubuntu2~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in libseccomp (Ubuntu):
status: Confirmed → Invalid
Tyler Hicks (tyhicks) wrote :

I've successfully performed the testing described in the [libseccomp Test Case] section of the bug 1567597 description using libseccomp 2.3.1-2.1ubuntu2~16.04.1 from xenial-proposed. It includes the libseccomp live tests (which aren't used during the build) and a specific test of the new seccomp logging functionality. (I'm mentioning my testing here because bug 1567597 isn't mentioned in the changelog of the SRU upload.)

Tyler Hicks (tyhicks) wrote :

As for the failing Xenial snapd autopkgtests...

- amd64: The autopkgtest:ubuntu-16.04-amd64:tests/main/completion fails with and without the libseccomp in xenial-proposed
- s390x: No tests are ever ran due to the tests requiring "machine-level isolation" but that not being available on s390x. However, snapd s390x test runs have been hitting an error for about the last month.

Both are false positives and should not be something that keeps libseccomp from migrating.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers