backport statx syscall whitelist fix

We're planing to have version 17.12 for bionic.

On 13 March 2018 at 06:58, xantares <email address hidden> wrote:

> Public bug reported:
>
> Hello maintainer,
>
> The docker version 17.03 (bionic) in ubuntu doesn't allow the statx
> syscall which is needed to build qt >=5.10 applications:
> https://github.com/docker/for-linux/issues/208#issuecomment-372400859
>
> Could this fix be backported in the ubuntu package ?
> https://github.com/moby/moby/pull/36417
>
> regards,
> xan.
>
> ** Affects: docker.io (Ubuntu)
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are subscribed to
> docker.io in Ubuntu.
> https://bugs.launchpad.net/bugs/1755250
>
> Title:
> backport statx syscall whitelist fix
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/
> 1755250/+subscriptions
>

Unfortunately that's not recent enough: the bug has just been fixed a few days ago and will need some backporting.

Indeed, looks like this fix isn't in a released version at all yet (likely to be in 18.04).

Hi,

Could this fix be backported now that docker 17.12 is in bionic and (docker is 18.04 out too with the fix).

xan.

This looks like a simple fix, if indeed all it takes is that upstream couple of one-liners. @mwhydson, do you have any comments?

Looking into this deeper -- applying this patch for bionic will have
net-zero effect, given this comment:
https://github.com/moby/moby/pull/36417#issuecomment-369266565

For this patch to do anything, "libseccomp" needs to be at least version
2.3.3, and bionic is only at 2.3.1 (so the added line would essentially be
ignored and you'd still get EPERM).

Tianon is right, runc silently discards syscalls it doesn't know about:
https://github.com/opencontainers/runc/blob/ecd55a4135e0a26de884ce436442914f945b1e76/libcontainer/seccomp/seccomp_linux.go#L168-L173

This affects other syscalls, like preadv2:
https://github.com/opencontainers/runtime-spec/issues/972

Failing to whitelist a syscall than the kernel does support is safe, but failing to *blacklist* a syscall could be more problematic. But failing to whitelist could also impact functionality/performance compared to a non-containerized application.

I couldn't find if anything is backported in "2.3.1-2.1ubuntu4", but the upstream "2.3.1" limits us to syscalls up to Linux 4.5-rc4.

Summoning Christian to help in bumping the priority of this issue.

This is indeed pretty important for some use-cases so we should try to come up with a reasonable solution.

Status changed to 'Confirmed' because the bug affects multiple users.

I can confirm that this bug is solved in Ubuntu Cosmic (18.10) with Docker 18.06.1 and libseccomp 2.3.3.

here is a patch against libseccomp 2.3.1 in bionic (on top of the debian risc port patch)

I manually applied changes from libseccomp 2.3.3 that reference the statx syscalls

for the risc part i used the diff from https://github.com/seccomp/libseccomp/blob/2a70ad4f3e8ab80e88f0662a760f4ef1d9219205/src/arch-parisc-syscalls.c

successfully rebuilt the package and tested it on x86_64

please apply for ubuntu bionic

to test it in a docker container you can do:
WORKDIR /tmp
RUN wget -q https://raw.githubusercontent.com/torvalds/linux/master/samples/statx/test-statx.c
RUN gcc test-statx.c -o test-statx
RUN touch test-file
RUN ./test-statx test-file

The attachment "libsecomp231-statx.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Hi I polished your patch a bit and I'm currently testing it in PPA [1].
If you can give it a try as well.

I have created an SRU Teamplate and more detailed test steps and will add them once they hopefully succeed on the prepare PPA. Otherwise I'll ping here for you to revisit the change.

[1]: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3640

Ok, tests worked fine for me - I added all I had as SRU template in the bug description.

I opened a MP [1] for review by different parties:
- you (@xantares) as the original author if you are fine with my polishing
- security to get their ack on it
- server-team to spot silly errors that I might have missed or done

[1]: https://code.launchpad.net/~paelzer/ubuntu/+source/libseccomp/+git/libseccomp/+merge/362906

All pre-checks and tests complete, and uploaded to the SRU review queue

hello,

how long does it take usually for ubuntu to review the changes ?

Hello xantares, or anyone else affected,

Accepted libseccomp into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libseccomp/2.3.1-2.1ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Testing as-is
(remember to clean old images if you have tested the ppa on the same system before)
$ docker system prune -a

... Test steps ...
Step 8/8 : RUN ./test-statx test-file
 ---> Running in 60210feb0c2e
test-file: Operation not permitted
statx(test-file) = -1
The command '/bin/sh -c ./test-statx test-file' returned a non-zero code: 1

Fails as expected

Upgrading to libseccomp2 from proposed
$ sudo apt install libseccomp2/bionic-proposed
Reading package lists... Done
Building dependency tree
Reading state information... Done
Selected version '2.3.1-2.1ubuntu4.1' (Ubuntu:18.04/bionic-proposed [amd64]) for 'libseccomp2'
The following package was automatically installed and is no longer required:
  grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  libseccomp-dev
The following packages will be upgraded:
  libseccomp-dev libseccomp2
2 upgraded, 0 newly installed, 0 to remove and 26 not upgraded.
Need to get 96.9 kB of archives.
After this operation, 15.4 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libseccomp-dev amd64 2.3.1-2.1ubuntu4.1 [57.8 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libseccomp2 amd64 2.3.1-2.1ubuntu4.1 [39.1 kB]
Fetched 96.9 kB in 0s (755 kB/s)
(Reading database ... 102759 files and directories currently installed.)
Preparing to unpack .../libseccomp-dev_2.3.1-2.1ubuntu4.1_amd64.deb ...
Unpacking libseccomp-dev:amd64 (2.3.1-2.1ubuntu4.1) over (2.3.1-2.1ubuntu4) ...
Preparing to unpack .../libseccomp2_2.3.1-2.1ubuntu4.1_amd64.deb ...
Unpacking libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) over (2.3.1-2.1ubuntu4) ...
Setting up libseccomp2:amd64 (2.3.1-2.1ubuntu4.1) ...
Setting up libseccomp-dev:amd64 (2.3.1-2.1ubuntu4.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...

Retest the case:
Step 8/8 : RUN ./test-statx test-file
 ---> Running in 3b7450662773
statx(test-file) = 0
results=fff
  Size: 0 Blocks: 0 IO Block: 4096 regular file
Device: 00:31 Inode: 261790 Links: 1
Access: (0644/-rw-r--r--) Uid: 0 Gid: 0
Access: 2019-02-28 09:38:56.000000000+0000
Modify: 2019-02-28 09:38:56.000000000+0000
Change: 2019-02-28 09:38:56.266396084+0000
 Birth: 2019-02-28 09:38:56.266396084+0000
Attributes: 0000000000000000 (........ ........ ........ ........ ........ ........ ....-... .---.-..)
Removing intermediate container 3b7450662773
 ---> c381bca61860
Successfully built c381bca61860

Thereby setting verified

Ok for me too, I just installed libseccomp2_2.3.1-2.1ubuntu4.1_amd64.deb and it works:

Step 16/18 : RUN gcc test-statx.c -o test-statx
 ---> Running in 501935bb923d
Removing intermediate container 501935bb923d
 ---> a47f15cd6fc8
Step 17/18 : RUN touch test-file
 ---> Running in 1038f76ad915
Removing intermediate container 1038f76ad915
 ---> b0722af4d6f1
Step 18/18 : RUN ./test-statx test-file
 ---> Running in 52e32a35825e
statx(test-file) = 0
results=fff
  Size: 0 Blocks: 0 IO Block: 4096 regular file
Device: 00:3a Inode: 4588842 Links: 1
Access: (0644/-rw-r--r--) Uid: 1000 Gid: 1000
Access: 2019-02-28 10:13:33.000000000+0000
Modify: 2019-02-28 10:13:33.000000000+0000
Change: 2019-02-28 10:13:33.836307736+0000
 Birth: 2019-02-28 10:13:33.836307736+0000
Attributes: 0000000000000000 (........ ........ ........ ........ ........ ........ ....-... .---.-..)
Removing intermediate container 52e32a35825e
 ---> 72fbbcb57e15
Successfully built 72fbbcb57e15

Thank you for testing! I see some lxc ADT regressions reported for this upload in bionic. Can you take a look and check if it's all unrelated, just-in-case?

Tests were just flaky as assumed, retried and good now

Has this been released ?

Hi,
it has been released for Cosmic already.
Some tests were blocking it for Bionic but I resolved those already.
It should be released the next time an SRU member will look at this.

This bug was fixed in the package libseccomp - 2.3.1-2.1ubuntu4.1

---------------
libseccomp (2.3.1-2.1ubuntu4.1) bionic; urgency=medium

  * d/p/lp-1755250-add-the-statx-syscall.patch: add statx support (LP: #1755250)
  * d/p/lp-1815415-*: Add syscalls up to kernel 4.15 (LP: #1815415)

 -- Christian Ehrhardt <email address hidden> Fri, 08 Feb 2019 09:17:23 +0100

The verification of the Stable Release Update for libseccomp has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.