Date | Who | What changed | Old value | New value | Message
2017-04-12 11:48:00 | Dimitri John Ledkov | bug | | | added bug
2017-04-12 11:48:12 | Dimitri John Ledkov | nominated for series | | Ubuntu Xenial |
2017-04-12 11:48:12 | Dimitri John Ledkov | bug task added | | libseccomp (Ubuntu Xenial) |
2017-04-12 11:48:17 | Dimitri John Ledkov | libseccomp (Ubuntu Xenial): status | New | Confirmed |
2017-04-12 11:48:21 | Dimitri John Ledkov | libseccomp (Ubuntu Xenial): importance | Undecided | High |
2017-04-12 11:48:25 | Dimitri John Ledkov | libseccomp (Ubuntu Xenial): assignee | | Dimitri John Ledkov (xnox) |
2017-04-24 07:01:50 | Launchpad Janitor | libseccomp (Ubuntu): status | New | Confirmed |
2017-10-06 13:59:21 | Dimitri John Ledkov | description | (old value below) | (new value below) |
Old value:

Currently the libseccomp versions in Ubuntu are:
libseccomp | 2.2.3-3ubuntu3 | xenial | source
libseccomp | 2.3.1-2ubuntu2 | yakkety | source
libseccomp | 2.3.1-2.1ubuntu1 | zesty | source
The difference between 2.2.3 and 2.3.1 is 63 upstream commits.
Of those commits, 7 are already cherrypicked into xenial for s390x support.
However that s390x support is incomplete as multiplexed syscalls are not supported.
A request has been filed to support multiplexed syscalls in libseccomp in xenial at https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1679691
That is a request for a further 18 commits to backport, bringing the total to 25.
Looking at the remaining 38 commits there are:
- documentation updates
- tools updates
- tests updates
- bugfixes
- updates to syscall tables for linux 4.3, 4.5-rc4+
IMHO, in the future when libseccomp is updated to support 4.10 kernel syscalls, it should be backported back to xenial too, to properly support the HWE kernels.
New value:

[Impact]
Out of date libseccomp w.r.t. custom and hwe kernels provides sub-par userspace protection, which is otherwise available on the running kernel and hardware combination.
This results in subpar security of systems running new architectures (s390x & ppc64el) and newer hwe/custom kernels.
* Version 2.3.1 - April 20, 2016
- Fixed a problem with 32-bit x86 socket syscalls on some systems
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x
* Version 2.3.0 - February 29, 2016
- Added support for the s390 and s390x architectures
- Added support for the ppc, ppc64, and ppc64le architectures
- Update the internal syscall tables to match the Linux 4.5-rcX releases
- Filter generation for both multiplexed and direct socket syscalls on x86
- Support for the musl libc implementation
- Additions to the API to enable runtime version checking of the library
- Enable the use of seccomp() instead of prctl() on supported systems
- Added additional tests to the regression test suite
There is no ABI/API break.
There are no packaging changes, apart from dropping patches included in this upstream release and updating new symbols.
Doing a wholesome update is safer and carries less risk than individually cherrypicking effectively all of the above.
This is a backport to an LTS release under the banner of safe introduction of new features and new hardware support.
It is expected that container technologies will take advantage of the newly available libseccomp.
This may need to be uploaded as a security update.
Currently, s390x support in xenial libseccomp is incomplete. And there are v4.5+ syscall tables missing as used by hwe kernels and some custom kernels.
[Testcase]
Validate that all main container technologies are operational and do not regress, e.g.:
- lxc
- lxd
- docker
- snapd
[Regression Potential]
Userspace components may detect at runtime newly available libseccomp, and thus restrict user-space processes more than previously done. This may lead to a change of restrictions applied on the user space processes, and result in previously unexpected denials / errors returned.

2017-10-06 16:05:03 | Dimitri John Ledkov | description | (see note below) | (see note below) |

Old value: identical to the new value of the previous description entry.
New value: the same text, with the following section appended at the end:

[Proposed Update available in bileto PPA]
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2981

2017-10-06 18:22:57 | Tyler Hicks | bug | | | added subscriber Tyler Hicks
2017-10-11 13:17:22 | Christian Ehrhardt | bug | | | added subscriber ChristianEhrhardt
2017-11-08 02:38:14 | Adam Conrad | libseccomp (Ubuntu Xenial): status | Confirmed | Fix Committed |
2017-11-08 02:38:16 | Adam Conrad | bug | | | added subscriber Ubuntu Stable Release Updates Team
2017-11-08 02:38:19 | Adam Conrad | bug | | | added subscriber SRU Verification
2017-11-08 02:38:24 | Adam Conrad | tags | | verification-needed verification-needed-xenial |
2017-11-08 02:38:31 | Adam Conrad | libseccomp (Ubuntu): status | Confirmed | Invalid |
2018-01-02 21:52:37 | Launchpad Janitor | libseccomp (Ubuntu Xenial): status | Fix Committed | Fix Released |
2018-01-02 21:53:25 | Steve Langasek | tags | verification-needed verification-needed-xenial | verification-done verification-done-xenial |
2018-02-15 19:51:47 | Francis Ginther | tags | verification-done verification-done-xenial | id-5a3bd5fa5445fb1d95040a5b verification-done verification-done-xenial |