I applied several fixes to the seccomp sandbox in man-db 2.8.4, and I think they would all be worth backporting to 16.04. They're all corner cases, but at least the second and third of them turned up in an AskUbuntu post (https://askubuntu.com/questions/1039629/setting-up-man-db-crashes-system-with-bad-system-calls) and I had a fair amount of email responses to requests for details about it. Here are the details:
* sandbox: Allow sched_setaffinity
  https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e
  It's possible to run into this if reading xz-compressed manual pages with (e.g.) XZ_DEFAULTS=--threads=0 set in the environment.
* sandbox: Allow some shared memory operations
  https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=5e08ee9a4e563abedbdd2768c8bbfd96b57c1859
  Some unusual software that installs itself in /etc/ld.so.preload breaks man without this patch, such as the Astrill VPN.
* sandbox: Improve ESET compatibility further
  https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=7582fb9d69a126a53ee11223b12346d38c0f333a
  This is a refinement to some previous work I did to cope with ESET File Security (an antivirus program that installs itself in /etc/ld.so.preload).
[Test Case]
The first patch can be tested by recompressing a manual page using xz and setting XZ_DEFAULTS=--threads=0 before trying to read it. The other two require having Astrill or ESET installed; if this SRU is accepted I'll solicit feedback from people who do, although I think it would be sufficient for SRU purposes to just make sure that ordinary browsing of manual pages still works.
[Regression Potential]
This only adds more system calls to what the sandbox permits, so ensuring that man still works should be enough to catch all regressions.
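
The test case for the first patch as a script, added here as an example and not taken from the report or from man-db. It uses a constructed page instead of a system one; the function names, the XZPAGEOK marker and the use of `man -l` to read a local file are choices made for this example.

```shell
#!/bin/sh
# Regression check for the sched_setaffinity fix: man reading an
# xz-compressed page while XZ_DEFAULTS=--threads=0 is in the environment.

# Write a small constructed manual page (not a real system page) into
# directory $1 and compress it with xz. Prints the path of the .xz file.
make_xz_page() {
    dir=$1
    cat > "$dir/sandboxtest.1" <<'EOF'
.TH SANDBOXTEST 1 "constructed" "test" "Constructed test page"
.SH NAME
sandboxtest \- constructed page for the man-db seccomp test case
.SH DESCRIPTION
XZPAGEOK decompression inside the sandbox worked.
EOF
    xz -f "$dir/sandboxtest.1" || return 1
    printf '%s\n' "$dir/sandboxtest.1.xz"
}

# Render page $1 through man with the environment from the test case.
# Returns 0 only if man exits successfully and the page body was rendered;
# a decompressor killed by the sandbox makes man fail or print no body.
check_man_reads() {
    page=$1
    if ! out=$(XZ_DEFAULTS=--threads=0 MANPAGER=cat MANWIDTH=80 \
               man -l "$page" 2>&1); then
        printf 'man failed:\n%s\n' "$out" >&2
        return 1
    fi
    printf '%s\n' "$out" | grep -q 'XZPAGEOK'
}

# Run both steps in a temporary directory and report the result.
run_test_case() {
    tmp=$(mktemp -d) || return 1
    if page=$(make_xz_page "$tmp") && check_man_reads "$page"; then
        rc=0; echo "PASS: man read the xz-compressed page"
    else
        rc=1; echo "FAIL: man could not read the xz-compressed page"
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Calling `run_test_case` before and after installing the updated package shows whether the fix changed the result; the same function with XZ_DEFAULTS unset covers the ordinary-browsing check.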