lacks seccomp-tsync support

Bug #1379020 reported by Kees Cook on 2014-10-08
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Tim Gardner
Trusty
Medium
Unassigned
Utopic
Medium
Tim Gardner

Bug Description

For Chrome (and other seccomp users like LXC), the thread-sync features for seccomp would provide better process isolation. The feature landed in kernel 3.17, and is relatively easy to back-port. The upstream seccomp regression tests can be used to verify both the new features and the old API, to prove there were no regressions.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1379020

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Trusty):
status: New → Incomplete
Kees Cook (kees) wrote :

2014-08-11 seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock
2014-07-18 seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
2014-07-18 seccomp: allow mode setting across threads
2014-07-18 seccomp: introduce writer locking
2014-07-18 seccomp: split filter prep from check and apply
2014-07-18 sched: move no_new_privs into new atomic flags
2014-07-18 MIPS: add seccomp syscall
2014-07-18 ARM: add seccomp syscall
2014-07-18 seccomp: add "seccomp" syscall
2014-07-18 seccomp: split mode setting routines
2014-07-18 seccomp: extract check/assign mode helpers
2014-07-18 seccomp: create internal mode-setting function

Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in linux (Ubuntu Trusty):
importance: Undecided → Medium
tags: added: bot-stop-nagging kernel-da-key trusty
Changed in linux (Ubuntu):
status: Incomplete → Triaged
Changed in linux (Ubuntu Trusty):
status: Incomplete → Triaged
Tim Gardner (timg-tpi) on 2014-10-09
Changed in linux (Ubuntu Utopic):
assignee: nobody → Tim Gardner (timg-tpi)
status: Triaged → Fix Committed
Kees Cook (kees) wrote :

Thanks for the backport to Utopic!

Pull request for Trusty is here: https://lists.ubuntu.com/archives/kernel-team/2014-October/049110.html

Logs for test runs of https://github.com/redpig/seccomp.git tests/seccomp_bpf_tests all pass now.

Kees Cook (kees) wrote :
Kees Cook (kees) wrote :
Launchpad Janitor (janitor) wrote :
Download full text (4.1 KiB)

This bug was fixed in the package linux - 3.16.0-22.29

---------------
linux (3.16.0-22.29) utopic; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1379321

  [ Andrew Morton ]

  * SAUCE: (no-up) mm-introduce-a-general-rcu-get_user_pages_fast-fix
    - LP: #1309221
  * SAUCE: (no-up) arm64-mm-enable-rcu-fast_gup-checkpatch-fixes
    - LP: #1309221

  [ Andy Whitcroft ]

  * [Config] CONFIG_PATA_MACIO=y
    - LP: #1378894
  * [Config] enable cloud tools on i386
    - LP: #1367399
  * SAUCE: scsi: hyper-v storsvc switch up to SPC-3
    - LP: #1354397
  * SAUCE: powerpc -- fix mm/slice.c switch include to linux/hugetlb.h

  [ dann frazier ]

  * [Config] CONFIG_HAVE_GENERIC_RCU_GUP=y
    - LP: #1309221

  [ Feng Kan ]

  * SAUCE: (no-up) power: reset: Add generic SYSCON register mapped reset
    - LP: #1284433
  * SAUCE: (no-up) arm64: dts: Add X-Gene reboot driver dts node
    - LP: #1284433

  [ Ian Munsie ]

  * SAUCE: (no-up) powerpc/cell: Move spu_handle_mm_fault() out of cell platform
  * SAUCE: (no-up) powerpc/cell: Move data segment faulting code out of cell platform
  * SAUCE: (no-up) powerpc/cell: Make spu_flush_all_slbs() generic
  * SAUCE: (no-up) powerpc/msi: Improve IRQ bitmap allocator
  * SAUCE: (no-up) powerpc/mm: Export mmu_kernel_ssize and mmu_linear_psize
  * SAUCE: (no-up) powerpc/powernv: Split out set MSI IRQ chip code
  * SAUCE: (no-up) cxl: Add new header for call backs and structs
  * SAUCE: (no-up) powerpc/powerpc: Add new PCIe functions for allocating cxl interrupts
  * SAUCE: (no-up) powerpc/mm: Add new hash_page_mm()
  * SAUCE: (no-up) powerpc/opal: Add PHB to cxl mode call
  * SAUCE: (no-up) powerpc/mm: Add hooks for cxl
  * SAUCE: (no-up) cxl: Add base builtin support
  * SAUCE: (no-up) cxl: Driver code for powernv PCIe based cards for userspace access
  * SAUCE: (no-up) cxl: Add userspace header file
  * SAUCE: (no-up) cxl: Add driver to Kbuild and Makefiles
  * SAUCE: (no-up) cxl: Add documentation for userspace APIs
  * SAUCE: (no-up) cxl: Fix afu_read() not doing finish_wait() on signal or non-blocking

  [ John Johansen ]

  * SAUCE: Revert: fix: only allow a single threaded process to ...
    - LP: #1371310

  [ Steve Capper ]

  * SAUCE: (no-up) mm: introduce a general RCU get_user_pages_fast()
    - LP: #1309221
  * SAUCE: (no-up) arm: mm: introduce special ptes for LPAE
    - LP: #1309221
  * SAUCE: (no-up) arm: mm: enable HAVE_RCU_TABLE_FREE logic
    - LP: #1309221
  * SAUCE: (no-up) arm: mm: enable RCU fast_gup
    - LP: #1309221
  * SAUCE: (no-up) arm64: mm: enable HAVE_RCU_TABLE_FREE logic
    - LP: #1309221
  * SAUCE: (no-up) arm64: mm: enable RCU fast_gup
    - LP: #1309221

  [ Tim Gardner ]

  * SAUCE: Added bnx2x/bnx2x-e1-7.8.19.0.fw
    - LP: #1378491
  * [Config] CONFIG_CXL=m
  * [Config] CONFIG_POWER_RESET_SYSCON=y for arm64
  * SAUCE: (no-up) Restrict CONFIG_POWER_RESET_SYSCON to arm64 only

  [ Upstream Kernel Changes ]

  * powerpc: implement vmemmap_list_free()
    - LP: #1378413
  * powerpc: implement vmemmap_remove_mapping() for BOOK3S
    - LP: #1378413
  * powerpc: implement vmemmap_free()
    - LP: #1378413
  * powerpc: start loop at section start of start in vm...

Read more...

Changed in linux (Ubuntu Utopic):
status: Fix Committed → Fix Released
Andy Whitcroft (apw) on 2014-10-28
Changed in linux (Ubuntu Trusty):
status: Triaged → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Kees Cook (kees) wrote :

Thanks! Tested Ubuntu 3.13.0-40.68-generic 3.13.11.10 with upstream regression suite, all tests pass.

tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :
Download full text (22.1 KiB)

This bug was fixed in the package linux - 3.13.0-40.69

---------------
linux (3.13.0-40.69) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - re-used previous tracking bug

  [ Upstream Kernel Changes ]

  * regmap: fix kernel hang on regmap_bulk_write with zero val_count.

linux (3.13.0-40.68) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1388943
  * SAUCE: DEP8 test to run our regression tests
    - LP: #1385330
  * SAUCE: The very first thing we should do when testing is make sure we
    are testing the correct kernel
    - LP: #1385330

  [ dann frazier ]

  * [Config] Disable CONFIG_IPMI_SI_PROBE_DEFAULTS on armhf and arm64
    - LP: #1388952

  [ Duc Dang ]

  * SAUCE: (no-up) [PCIE] APM X-Gene: Remove debug messages in MSI
    interrupt handler path.
    - LP: #1382244
  * SAUCE: (no-up) PCI: X-Gene: Fix max payload size and phantom function
    configuration
    - LP: #1386261

  [ McAulay, Alistair ]

  * SAUCE: drm/i915: Rework GPU reset sequence to match driver load & thaw
    - LP: #1384469

  [ Timo Aaltonen ]

  * SAUCE: i915_bdw: Fix cherry-pick typo
    - LP: #1384469

  [ Upstream Kernel Changes ]

  * Revert "mac80211: disable uAPSD if all ACs are under ACM"
    - LP: #1381234
  * Revert "iwlwifi: dvm: don't enable CTS to self"
    - LP: #1381234
  * Revert "lzo: properly check for overruns"
    - LP: #1387886
  * drm/i915: provide interface for audio driver to query cdclk
    - LP: #1381168
  * regulatory: add NUL to alpha2
    - LP: #1381234
  * percpu: fix pcpu_alloc_pages() failure path
    - LP: #1381234
  * percpu: perform tlb flush after pcpu_map_pages() failure
    - LP: #1381234
  * cgroup: reject cgroup names with '\n'
    - LP: #1381234
  * vfs: add d_is_dir()
    - LP: #1381234
  * CIFS: Fix directory rename error
    - LP: #1381234
  * usb: phy: twl4030-usb: Fix lost interrupts after ID pin goes down
    - LP: #1381234
  * rtlwifi: rtl8192cu: Add new ID
    - LP: #1381234
  * CIFS: Fix wrong restart readdir for SMB1
    - LP: #1381234
  * CIFS: Fix wrong filename length for SMB2
    - LP: #1381234
  * ahci: Add Device IDs for Intel 9 Series PCH
    - LP: #1381234
  * ata_piix: Add Device IDs for Intel 9 Series PCH
    - LP: #1381234
  * USB: zte_ev: fix removed PIDs
    - LP: #1381234
  * USB: ftdi_sio: add support for NOVITUS Bono E thermal printer
    - LP: #1381234
  * USB: sierra: avoid CDC class functions on "68A3" devices
    - LP: #1381234
  * USB: sierra: add 1199:68AA device ID
    - LP: #1381234
  * iommu/arm-smmu: fix programming of SMMU_CBn_TCR for stage 1
    - LP: #1381234
  * iommu/arm-smmu: remove pgtable_page_{c,d}tor()
    - LP: #1381234
  * usb: gadget: fusb300_udc.h: Fix typo in include guard
    - LP: #1381234
  * usb: phy: tegra: Avoid use of sizeof(void)
    - LP: #1381234
  * arm64: use irq_set_affinity with force=false when migrating irqs
    - LP: #1381234
  * block: Fix dev_t minor allocation lifetime
    - LP: #1381234
  * usb: dwc3: core: fix order of PM runtime calls
    - LP: #1381234
  * usb: dwc3: core: fix ordering for PHY suspend
    - LP: #1381234
  * usb: dwc3: omap: fix ordering for runtime pm calls
    - LP: #1381234
  * ...

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers