Backport seccomp sandbox fixes to 18.04

Bug #1785414 reported by Colin Watson on 2018-08-04
This bug affects 2 people
Affects: man-db (Ubuntu)
Assigned to: Colin Watson

Bug Description

I applied several fixes to the seccomp sandbox in man-db 2.8.4, and I think they would all be worth backporting to 18.04. They're all corner cases, but at least the second and third of them turned up in an AskUbuntu post ( and I had a fair amount of email responses to requests for details about it. Here are the details:

 * sandbox: Allow sched_setaffinity

   It's possible to run into this if reading xz-compressed manual pages with (e.g.) XZ_DEFAULTS=--threads=0 set in the environment.

 * sandbox: Allow some shared memory operations

   Some unusual software that installs itself in /etc/ breaks man without this patch, such as the Astrill VPN.

 * sandbox: Improve ESET compatibility further

   This is a refinement to some previous work I did to cope with ESET File Security (an antivirus program that installs itself in /etc/

[Test Case]
The first patch can be tested by recompressing a manual page using xz and setting XZ_DEFAULTS=--threads=0 before trying to read it. The other two require having Astrill or ESET installed; if this SRU is accepted I'll solicit feedback from people who do, although I think it would be sufficient for SRU purposes to just make sure that ordinary browsing of manual pages still works.

[Regression Potential]
This only adds more system calls to what the sandbox permits, so ensuring that man still works should be enough to catch all regressions.
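The [Test Case] for the first patch, scripted as an added example (this is not part of the bug report or of man-db itself). It writes a small constructed manual page, xz-compresses it, and asks man to render it with XZ_DEFAULTS=--threads=0, the setting that makes xz call sched_setaffinity inside the sandbox. It assumes man, xz and nroff are installed (otherwise it reports a skip), and relies on the man-db environment variables MANPAGER, MANWIDTH and MAN_DISABLE_SECCOMP; the last one is used only on failure, to tell a sandbox-caused failure apart from some other rendering problem.

```shell
#!/bin/sh
# Added example, not code from the bug report or from man-db.
# Return codes: 0 = page rendered under the sandbox, 1 = rendering failed,
# 77 = required tools missing (skip).

render_xz_page() {
    # $1: path to a .xz-compressed manual page. Any extra environment
    # (XZ_DEFAULTS, MAN_DISABLE_SECCOMP) is inherited from the caller.
    MANPAGER=cat MANWIDTH=80 man -l "$1" 2>&1
}

check_xz_threads_manpage() {
    for tool in man xz nroff; do
        command -v "$tool" >/dev/null 2>&1 || return 77
    done

    tmpdir=$(mktemp -d) || return 1
    page="$tmpdir/sandboxtest.1"

    # Constructed sample page; the name and text are arbitrary.
    cat > "$page" <<'EOF'
.TH SANDBOXTEST 1 "2018-08" "man-db seccomp test" "Test"
.SH NAME
sandboxtest \- constructed page for the seccomp sandbox check
.SH DESCRIPTION
If you can read this, man decompressed the page successfully.
EOF
    xz -f "$page" || { rm -rf "$tmpdir"; return 1; }

    # --threads=0 asks xz to use all CPUs, which is what triggers
    # sched_setaffinity and tripped the pre-2.8.4 sandbox.
    out=$(XZ_DEFAULTS=--threads=0 render_xz_page "$page.xz")
    rc=$?

    if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q 'decompressed the page successfully'; then
        rm -rf "$tmpdir"
        return 0
    fi

    printf 'man failed under the sandbox (rc=%s):\n%s\n' "$rc" "$out" >&2

    # Diagnostic only: if the same page renders with the sandbox disabled,
    # the failure is a sandbox policy gap rather than a broken page or xz.
    if XZ_DEFAULTS=--threads=0 MAN_DISABLE_SECCOMP=1 render_xz_page "$page.xz" >/dev/null 2>&1; then
        echo 'page renders with MAN_DISABLE_SECCOMP=1: the seccomp sandbox is blocking a syscall' >&2
    fi
    rm -rf "$tmpdir"
    return 1
}

# Usage: source this file or run it directly; exit status is the check result.
case "$0" in
    *sandboxtest*|*check_xz*) check_xz_threads_manpage ;;
esac
```

Run it on a bionic machine before and after installing the package from bionic-proposed: a return of 1 with the diagnostic line before the update and 0 after it is the expected result for the first patch. The other two patches need the Astrill or ESET software described above; for ordinary SRU verification, a 0 here plus normal browsing of a few manual pages covers the regression potential stated in the report.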

Colin Watson (cjwatson) wrote :

These are all fixed in 2.8.4-1; cosmic has 2.8.4-2.

Changed in man-db (Ubuntu):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
status: New → Fix Released
Changed in man-db (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
summary: - Backport seccomp sandbox fixes to 16.04
+ Backport seccomp sandbox fixes to 18.04
description: updated

Hello Colin, or anyone else affected,

Accepted man-db into bionic-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at . Thank you in advance!

Changed in man-db (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic