Backport seccomp sandbox fixes to 18.04
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
man-db (Ubuntu) |
Fix Released
|
High
|
Colin Watson | ||
Bionic |
Fix Released
|
High
|
Colin Watson |
Bug Description
I applied several fixes to the seccomp sandbox in man-db 2.8.4, and I think they would all be worth backporting to 18.04. They're all corner cases, but at least the second and third of them turned up in an AskUbuntu post (https:/
* sandbox: Allow sched_setaffinity
https:/
It's possible to run into this if reading xz-compressed manual pages with (e.g.) XZ_DEFAULTS=
* sandbox: Allow some shared memory operations
https:/
Some unusual software that installs itself in /etc/ld.so.preload breaks man without this patch, such as the Astrill VPN.
* sandbox: Improve ESET compatibility further
https:/
This is a refinement to some previous work I did to cope with ESET File Security (an antivirus program that installs itself in /etc/ld.
[Test Case]
The first patch can be tested by recompressing a manual page using xz and setting XZ_DEFAULTS=
[Regression Potential]
This only adds more system calls to what the sandbox permits, so ensuring that man still works should be enough to catch all regressions.
summary: |
- Backport seccomp sandbox fixes to 16.04 + Backport seccomp sandbox fixes to 18.04 |
description: | updated |
These are all fixed in 2.8.4-1; cosmic has 2.8.4-2.