Date | Who | What changed | Old value | New value | Message
2020-08-16 16:41:56 | Steve Dodd | bug | | | added bug
2020-08-16 22:18:27 | Steve Dodd | bug watch added | | https://github.com/seccomp/libseccomp/issues/273 |
2020-08-17 06:45:29 | Alex Murray | libseccomp (Ubuntu): assignee | | Alex Murray (alexmurray) |
2020-08-17 13:46:16 | Jamie Strandboge | nominated for series | | Ubuntu Groovy |
2020-08-17 13:46:16 | Jamie Strandboge | bug task added | | libseccomp (Ubuntu Groovy) |
2020-08-17 13:46:16 | Jamie Strandboge | nominated for series | | Ubuntu Xenial |
2020-08-17 13:46:16 | Jamie Strandboge | bug task added | | libseccomp (Ubuntu Xenial) |
2020-08-17 13:46:16 | Jamie Strandboge | nominated for series | | Ubuntu Bionic |
2020-08-17 13:46:16 | Jamie Strandboge | bug task added | | libseccomp (Ubuntu Bionic) |
2020-08-17 13:46:16 | Jamie Strandboge | nominated for series | | Ubuntu Focal |
2020-08-17 13:46:16 | Jamie Strandboge | bug task added | | libseccomp (Ubuntu Focal) |
2020-08-17 13:46:37 | Jamie Strandboge | libseccomp (Ubuntu Focal): assignee | | Alex Murray (alexmurray) |
2020-08-17 13:46:44 | Jamie Strandboge | libseccomp (Ubuntu Bionic): assignee | | Alex Murray (alexmurray) |
2020-08-17 13:46:53 | Jamie Strandboge | libseccomp (Ubuntu Xenial): assignee | | Alex Murray (alexmurray) |
2021-01-19 17:30:50 | Dan Streetman | bug | | | added subscriber Dan Streetman
2021-01-20 11:56:05 | Steve Dodd | attachment added | | Trivial test case https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+attachment/5454861/+files/openat.c |
2021-03-01 02:34:56 | Alex Murray | nominated for series | | Ubuntu Hirsute |
2021-03-01 02:34:56 | Alex Murray | bug task added | | libseccomp (Ubuntu Hirsute) |
2021-03-01 02:35:03 | Alex Murray | libseccomp (Ubuntu Hirsute): status | New | Fix Released |
2021-03-15 00:32:35 | Alex Murray | description
Old value:
The version of libseccomp2 in bionic does not know about the openat2 syscall.
In my particular use case, I was trying to run podman/buildah in an nspawn container, using fuse-overlayfs. This leads to peculiar failure modes as described in this issue:
https://github.com/containers/fuse-overlayfs/issues/220
This could well cause other problems; previously, issues like that have affected snapd, etc.
Backporting the master branch of libseccomp fixed this for me, but for an SRU a cherry-pick of https://github.com/seccomp/libseccomp/commit/b3206ad5645dceda89538ea8acc984078ab697ab might be sufficient...

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: libseccomp2 2.4.3-1ubuntu3.18.04.3
ProcVersionSignature: Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44
Uname: Linux 5.4.0-42-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.16
Architecture: amd64
Date: Sun Aug 16 17:35:09 2020
Dependencies:
 gcc-8-base 8.4.0-1ubuntu1~18.04
 libc6 2.27-3ubuntu1.2
 libgcc1 1:8.4.0-1ubuntu1~18.04
ProcEnviron:
 TERM=screen.xterm-256color
 PATH=(custom, no user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: libseccomp
UpgradeStatus: No upgrade log present (probably fresh install)

New value:
[Impact]
The version of libseccomp2 in X/B/F/G does not know about the openat2 syscall. As such, applications that use libseccomp cannot specify a system-call filter against this system-call and so it cannot be mediated.

[Test Plan]
This can be tested by simply running scmp_sys_resolver from the seccomp binary package and specifying this system-call:
Existing behaviour:
$ scmp_sys_resolver openat2
-1
Expected behaviour:
$ scmp_sys_resolver openat2
437
(Note this value will be different on other architectures)

[Where problems could occur]
In version 2.5.1 of libseccomp, which adds this new system-call, changes were also made in the way the socket system-call is handled by libseccomp on PPC platforms. This resulted in a change in the expected behaviour and so this has already been noticed, and a fix is required for the systemd unit tests as a result: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696
There was also a similar change for s390x, but so far no regressions have been observed as a result, as systemd already expected that behaviour from libseccomp; it was only PPC that was missing.
In the event that a regression is observed, however, we can easily either patch the affected package to cope with the new behaviour of this updated libseccomp, since in each case the change in behaviour only affects a few system calls on particular architectures, or we can revert this update.

[Other Info]
* As usual, thorough testing of this update has been performed both manually via the QA Regression Testing scripts, and via the autopkgtest infrastructure against packages in the Ubuntu Security Proposed PPA https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ with results seen at https://people.canonical.com/~platform/security-britney/current/

2021-03-15 00:34:04 | Alex Murray | description
Old value:
[Impact]
The version of libseccomp2 in X/B/F/G does not know about the openat2 syscall. As such, applications that use libseccomp cannot specify a system-call filter against this system-call and so it cannot be mediated.

[Test Plan]
This can be tested by simply running scmp_sys_resolver from the seccomp binary package and specifying this system-call:
Existing behaviour:
$ scmp_sys_resolver openat2
-1
Expected behaviour:
$ scmp_sys_resolver openat2
437
(Note this value will be different on other architectures)

[Where problems could occur]
In version 2.5.1 of libseccomp, which adds this new system-call, changes were also made in the way the socket system-call is handled by libseccomp on PPC platforms. This resulted in a change in the expected behaviour and so this has already been noticed, and a fix is required for the systemd unit tests as a result: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696
There was also a similar change for s390x, but so far no regressions have been observed as a result, as systemd already expected that behaviour from libseccomp; it was only PPC that was missing.
In the event that a regression is observed, however, we can easily either patch the affected package to cope with the new behaviour of this updated libseccomp, since in each case the change in behaviour only affects a few system calls on particular architectures, or we can revert this update.

[Other Info]
* As usual, thorough testing of this update has been performed both manually via the QA Regression Testing scripts, and via the autopkgtest infrastructure against packages in the Ubuntu Security Proposed PPA https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ with results seen at https://people.canonical.com/~platform/security-britney/current/

New value:
[Impact]
The version of libseccomp2 in X/B/F/G does not know about the openat2 syscall. As such, applications that use libseccomp cannot specify a system-call filter against this system-call and so it cannot be mediated.

[Test Plan]
This can be tested by simply running scmp_sys_resolver from the seccomp binary package and specifying this system-call:
Existing behaviour:
$ scmp_sys_resolver openat2
-1
Expected behaviour:
$ scmp_sys_resolver openat2
437
(Note this value will be different on other architectures)

[Where problems could occur]
In version 2.5.1 of libseccomp, which adds this new system-call, changes were also made in the way the socket system-call is handled by libseccomp on PPC platforms. This resulted in a change in the expected behaviour and so this has already been noticed, and a fix is required for the systemd unit tests as a result: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696
There was also a similar change for s390x, but so far no regressions have been observed as a result, as systemd already expected that behaviour from libseccomp; it was only PPC that was missing.
In the event that a regression is observed, however, we can easily either patch the affected package to cope with the new behaviour of this updated libseccomp, since in each case the change in behaviour only affects a few system calls on particular architectures, or we can revert this update.

[Other Info]
* As usual, thorough testing of this update has been performed both manually via the QA Regression Testing scripts, and via the autopkgtest infrastructure against packages in the Ubuntu Security Proposed PPA https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ with results seen at https://people.canonical.com/~platform/security-britney/current/
I have attached debdiffs of the prepared updates, which are also sitting in the Ubuntu Security Proposed PPA.

2021-03-15 00:34:31 | Alex Murray | attachment added | | libseccomp_2.5.1-1ubuntu1~16.04.1.debdiff https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+attachment/5476576/+files/libseccomp_2.5.1-1ubuntu1~16.04.1.debdiff |
2021-03-15 00:35:05 | Alex Murray | attachment added | | libseccomp_2.5.1-1ubuntu1~18.04.1.debdiff https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+attachment/5476577/+files/libseccomp_2.5.1-1ubuntu1~18.04.1.debdiff |
2021-03-15 00:35:30 | Alex Murray | attachment added | | libseccomp_2.5.1-1ubuntu1~20.04.1.debdiff https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+attachment/5476578/+files/libseccomp_2.5.1-1ubuntu1~20.04.1.debdiff |
2021-03-15 00:35:56 | Alex Murray | attachment added | | libseccomp_2.5.1-1ubuntu1~20.10.1.debdiff https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+attachment/5476579/+files/libseccomp_2.5.1-1ubuntu1~20.10.1.debdiff |
2021-03-15 00:36:42 | Alex Murray | bug | | | added subscriber Ubuntu Sponsors Team
2021-03-15 08:10:27 | Mathew Hodson | libseccomp (Ubuntu Xenial): importance | Undecided | Medium |
2021-03-15 08:10:38 | Mathew Hodson | libseccomp (Ubuntu Focal): importance | Undecided | Medium |
2021-03-15 08:10:42 | Mathew Hodson | libseccomp (Ubuntu Groovy): importance | Undecided | Medium |
2021-03-15 08:10:45 | Mathew Hodson | libseccomp (Ubuntu Hirsute): importance | Undecided | Medium |
2021-03-15 08:10:51 | Mathew Hodson | libseccomp (Ubuntu Bionic): importance | Undecided | Medium |
2021-03-15 08:17:23 | Launchpad Janitor | libseccomp (Ubuntu Xenial): status | New | Confirmed |
2021-03-15 08:17:23 | Launchpad Janitor | libseccomp (Ubuntu Bionic): status | New | Confirmed |
2021-03-15 08:17:23 | Launchpad Janitor | libseccomp (Ubuntu Focal): status | New | Confirmed |
2021-03-15 08:17:23 | Launchpad Janitor | libseccomp (Ubuntu Groovy): status | New | Confirmed |
2021-03-15 08:17:36 | Oded Arbel | bug | | | added subscriber Oded Arbel
2021-03-29 03:11:44 | Alex Murray | libseccomp (Ubuntu Xenial): status | Confirmed | In Progress |
2021-03-29 03:11:46 | Alex Murray | libseccomp (Ubuntu Bionic): status | Confirmed | In Progress |
2021-03-29 03:11:47 | Alex Murray | libseccomp (Ubuntu Focal): status | Confirmed | In Progress |
2021-03-29 03:11:49 | Alex Murray | libseccomp (Ubuntu Groovy): status | Confirmed | In Progress |
2021-03-29 08:36:32 | Łukasz Zemczak | summary | Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers | Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers |
2021-03-29 08:40:22 | Łukasz Zemczak | libseccomp (Ubuntu Groovy): status | In Progress | Fix Committed |
2021-03-29 08:40:24 | Łukasz Zemczak | bug | | | added subscriber Ubuntu Stable Release Updates Team
2021-03-29 08:40:27 | Łukasz Zemczak | bug | | | added subscriber SRU Verification
2021-03-29 08:40:31 | Łukasz Zemczak | tags | amd64 apport-bug bionic | amd64 apport-bug bionic verification-needed verification-needed-groovy |
2021-03-29 08:40:49 | Łukasz Zemczak | removed subscriber Ubuntu Sponsors Team | | |
2021-03-29 08:58:21 | Łukasz Zemczak | libseccomp (Ubuntu Focal): status | In Progress | Fix Committed |
2021-03-29 08:58:27 | Łukasz Zemczak | tags | amd64 apport-bug bionic verification-needed verification-needed-groovy | amd64 apport-bug bionic verification-needed verification-needed-focal verification-needed-groovy |
2021-03-29 09:14:12 | Łukasz Zemczak | bug task added | | systemd (Ubuntu) |
2021-03-29 09:17:34 | Łukasz Zemczak | systemd (Ubuntu Focal): status | New | Fix Committed |
2021-03-29 10:01:57 | Łukasz Zemczak | libseccomp (Ubuntu Bionic): status | In Progress | Fix Committed |
2021-03-29 10:02:05 | Łukasz Zemczak | tags | amd64 apport-bug bionic verification-needed verification-needed-focal verification-needed-groovy | amd64 apport-bug bionic verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy |
2021-03-29 10:06:02 | Łukasz Zemczak | systemd (Ubuntu Bionic): status | New | Fix Committed |
2021-03-29 10:12:29 | Łukasz Zemczak | libseccomp (Ubuntu Xenial): status | In Progress | Fix Committed |
2021-03-29 10:12:38 | Łukasz Zemczak | tags | amd64 apport-bug bionic verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy | amd64 apport-bug bionic verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy verification-needed-xenial |
2021-03-30 01:07:47 | Alex Murray | tags | amd64 apport-bug bionic verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy verification-needed-xenial | amd64 apport-bug bionic verification-done-bionic verification-done-focal verification-done-groovy verification-done-xenial verification-needed |
2021-03-30 01:08:13 | Alex Murray | tags | amd64 apport-bug bionic verification-done-bionic verification-done-focal verification-done-groovy verification-done-xenial verification-needed | amd64 apport-bug bionic verification-done verification-done-bionic verification-done-focal verification-done-groovy verification-done-xenial |
2021-04-06 19:13:16 | Brian Murray | bug | | | added subscriber Brian Murray
2021-04-06 19:19:17 | Launchpad Janitor | libseccomp (Ubuntu Groovy): status | Fix Committed | Fix Released |
2021-04-06 19:19:22 | Brian Murray | removed subscriber Ubuntu Stable Release Updates Team | | |
2021-04-06 19:51:38 | Launchpad Janitor | systemd (Ubuntu Focal): status | Fix Committed | Fix Released |
2021-04-09 14:24:34 | Dan Streetman | systemd (Ubuntu Groovy): status | New | Fix Released |
2021-04-09 14:25:24 | Dan Streetman | systemd (Ubuntu Hirsute): status | New | Fix Released |
2021-04-09 14:26:37 | Dan Streetman | systemd (Ubuntu Xenial): status | New | Invalid |
2021-04-12 09:26:36 | Launchpad Janitor | libseccomp (Ubuntu Focal): status | Fix Committed | Fix Released |
2021-04-14 02:52:46 | Launchpad Janitor | libseccomp (Ubuntu Bionic): status | Fix Committed | Fix Released |
2021-04-14 03:48:30 | Launchpad Janitor | libseccomp (Ubuntu Xenial): status | Fix Committed | Fix Released |
2021-04-15 10:01:19 | Launchpad Janitor | systemd (Ubuntu Bionic): status | Fix Committed | Fix Released |
2021-09-30 19:43:50 | Mathew Hodson | systemd (Ubuntu Xenial): status | Invalid | Won't Fix |