please update libseccomp for newer kernel syscalls
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libseccomp (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Christian Ehrhardt |
Cosmic | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* The libseccomp library provides an easy to use, platform independent,
interface to the Linux Kernel's syscall filtering mechanism. But it can
only "control" those syscalls it knows about. Therefore staying up to
date with newer kernels is a requirement to be fully functional.
* At the time 18.04 was released with the 4.15 kernel the new definitions
were not yet released for libseccomp - let's fix this mismatch by
backporting the new syscall definitions [2][3][4].
[Test Case]
* Note: a lot of this is kernel dependent; it should work with the intended SRU target of Bionic with kernel 4.15 or 4.18, but be careful to run it there (e.g. not in a LXD container on Xenial's 4.4 kernel)
* we modify the already existing autopkgtest for this SRU verification
# Prep
$ apt install ubuntu-dev-tools build-essential linux-libc-dev libseccomp-dev libseccomp2 seccomp
$ pull-lp-source libseccomp bionic
$ cd libseccomp-2.3.1
$ export ADTTMP=$(mktemp -d); echo $ADTTMP
# run original tests as-is (should pass/fail as expected)
$ ./debian/
# add new syscalls of this SRU
$ cp debian/
$ printf "preadv2\
# remove unknown calls (x86 4.18 kernel)
sed -i -e '/^_exit$/d' -e '/^fstatvfs$/d' -e '/^llseek$/d' -e '/^pread$/d' -e '/^pselect$/d' -e '/^pwrite$/d' -e '/^sigtimedwait$/d' -e '/^sigwaitinfo$/d' -e '/^statvfs$/d' debian/
# make unknown call a fail
$ sed -i -e '111s/continue;
# build new test binary
$ export ADTTMP=$(mktemp -d); echo $ADTTMP
$ ./debian/
# run this special test and check return value
${ADTTMP}/exe ./debian/
Without the fix it will fail like:
DEBUG: seccomp_
failed to find preadv2
seccomp_
1
But with the fix applied those new calls will work:
DEBUG: seccomp_
Tue Feb 12 07:41:05 UTC 2019
0
[Regression Potential]
* This isn't adding new active code like functions, but only extending
the definitions of per-arch syscall numbers to be aware of the newer
syscalls that were added in the kernel. Therefore no old use-cases
should regress (they are not touched). The only change in behavior from
an SRU POV would be that things that were denied so far (e.g. if you
tried to set such a new syscall through libseccomp) would now work.
I think that is exactly the intention of the SRU and not a regression.
[Other Info]
* Requested while security reviewing a libseccomp SRU, to have one update
for both [1].
* We also missed the former updates for kernel 4.9 [3] AND 4.10 [4], as the
official releases of the lib are rather infrequent.
* In general there already are build time tests and autopkgtests in the
package. So coverage of "old calls" for regressions is already good.
---
This came up while working on bug 1755250 which asked for statx.
But on the review of that it was pointed out [1] that it would be great to support further new kernel syscall defines - this isn't even looking at HWE kernels for Bionic, but "just" adding those which are there for the 4.15 kernel Bionic was released with.
With the HWE kernels in mind there would be even more one might want to add, but there is no newer such update in the upstream repo yet.
[1]: https:/
[2]: https:/
[3]: https:/
[4]: https:/
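The [Impact] point that libseccomp can only filter syscalls whose names are in its table, and the [Test Case] step that turns an unknown name into a failure, can be checked on any installed libseccomp with the scmp_sys_resolver tool from the seccomp package (pulled in by the Prep step above). The script below is an added example, not part of this bug report or of the libseccomp package: it resolves every name in a policy list and fails closed if the library does not know one (scmp_sys_resolver prints -1 for a name it cannot resolve). The policy list is constructed for illustration, and x86_64 as the target architecture is an assumption.

```sh
#!/bin/sh
# Added example (not from the bug report or libseccomp): check that every
# syscall name in a seccomp policy is known to the installed libseccomp,
# failing closed on unknown names instead of silently skipping them.
# Assumes the scmp_sys_resolver tool from the "seccomp" package is installed.

# resolve_syscall NAME [ARCH]
# Prints the syscall number for NAME, or -1 when libseccomp does not know
# the name (its __NR_SCMP_ERROR). Kept as a wrapper so it can be swapped out.
resolve_syscall() {
    if [ -n "${2:-}" ]; then
        scmp_sys_resolver -a "$2" "$1"
    else
        scmp_sys_resolver "$1"
    fi
}

# check_syscalls [ARCH]
# Reads one syscall name per line on stdin (blank lines and '#' comments are
# ignored), reports every name the library cannot resolve, and returns 0 only
# if all names resolved. A resolver error is treated as unknown (fail closed).
check_syscalls() {
    arch="${1:-}"
    unknown=0
    while IFS= read -r name; do
        case "$name" in ''|'#'*) continue ;; esac
        num=$(resolve_syscall "$name" "$arch" 2>/dev/null) || num=-1
        if [ -z "$num" ] || [ "$num" = "-1" ]; then
            echo "failed to find $name" >&2
            unknown=$((unknown + 1))
        fi
    done
    [ "$unknown" -eq 0 ]
}

# Constructed sample policy: two long-standing calls plus two of the newer
# kernel syscalls this SRU adds to the table (preadv2, statx).
POLICY='
# constructed sample list
read
write
preadv2
statx
'

if command -v scmp_sys_resolver >/dev/null 2>&1; then
    if printf '%s\n' "$POLICY" | check_syscalls x86_64; then
        echo "all policy syscalls are known to this libseccomp"
    else
        echo "policy references syscalls this libseccomp cannot filter" >&2
    fi
else
    echo "scmp_sys_resolver not found; install the seccomp package" >&2
fi
```

Run against the unpatched Bionic libseccomp 2.3.1 the resolver returns -1 for preadv2 (matching the "failed to find preadv2" output in the test case) and for statx, which the lp-1755250 patch in the linked branch adds, so the check exits 1; with the SRU applied all four names resolve. Turning the resolve failure into a non-zero exit mirrors the "make unknown call a fail" edit to the autopkgtest.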
Related branches
- Andreas Hasenack: Approve
- xantares (community): Approve
- Seth Arnold (community): Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 1499 lines (+1460/-0), 6 files modified
- debian/changelog (+7/-0)
- debian/patches/lp-1755250-add-the-statx-syscall.patch (+308/-0)
- debian/patches/lp-1815415-arch-update-syscalls-for-Linux-4.9.patch (+536/-0)
- debian/patches/lp-1815415-arch-update-syscalls-for-Linux-v4.15.patch (+499/-0)
- debian/patches/lp-1815415-update-the-syscall-tables-to-4.10.patch (+106/-0)
- debian/patches/series (+4/-0)
Disco and Cosmic already contain those changes