[regression] sched_setscheduler denied with Qt/QML applications

Bug #1661265 reported by Jamie Strandboge on 2017-02-02
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical System Image
Critical
Pat McGowan
Snappy
Critical
Jamie Strandboge
snapd (Ubuntu)
Critical
Michael Vogt
Trusty
Critical
Michael Vogt
Xenial
Critical
Michael Vogt
Yakkety
Critical
Michael Vogt
Zesty
Critical
Michael Vogt

Bug Description

2.22 added stricter mediation of sched_setscheduler which requires use of 'process-control' with certain invocations of sched_setsceduler. Testing and code searches for sched_setscheduler showed that this was not an issue for most applications and existing snaps, but after 2.22 was released it was found that qtbase-opensource-src uses sched_setscheduler indirectly as part of QThread::Priority, and QThread::Priority is used extensively under the hood by the libraries to support (at least) QML applications.

The fix is simple, adjust interfaces/seccomp/template.go from this:
  sched_setscheduler 0 - -

back to:
  sched_setscheduler

Changed in snapd (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Critical
status: New → In Progress
description: updated
tags: added: snapd-interface
Changed in canonical-devices-system-image:
assignee: nobody → Pat McGowan (pat-mcgowan)
importance: Undecided → Critical
milestone: none → p2
status: New → In Progress
Changed in snapd (Ubuntu):
status: In Progress → Fix Committed
status: Fix Committed → Triaged
Changed in snappy:
status: New → Fix Committed
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in snapd (Ubuntu):
status: Triaged → In Progress
assignee: Jamie Strandboge (jdstrand) → Michael Vogt (mvo)
tags: added: personal
Andy Whitcroft (apw) on 2017-02-03
Changed in snapd (Ubuntu Yakkety):
importance: Undecided → Critical
Changed in snapd (Ubuntu Xenial):
importance: Undecided → Critical
Changed in snapd (Ubuntu Trusty):
importance: Undecided → Critical
Changed in snapd (Ubuntu Yakkety):
assignee: nobody → Michael Vogt (mvo)
Changed in snapd (Ubuntu Xenial):
assignee: nobody → Michael Vogt (mvo)
Changed in snapd (Ubuntu Trusty):
assignee: nobody → Michael Vogt (mvo)

Hello Jamie, or anyone else affected,

Accepted snapd into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.22.2+16.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in snapd (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed
Changed in snapd (Ubuntu Xenial):
status: New → Fix Committed
Andy Whitcroft (apw) wrote :

Hello Jamie, or anyone else affected,

Accepted snapd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.22.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in snapd (Ubuntu Trusty):
status: New → Fix Committed
Andy Whitcroft (apw) wrote :

Hello Jamie, or anyone else affected,

Accepted snapd into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.22.2~14.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in snapd (Ubuntu Zesty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (5.6 KiB)

This bug was fixed in the package snapd - 2.22.2+17.04

---------------
snapd (2.22.2+17.04) zesty; urgency=medium

  * New upstream release, LP: #1659522
    - cherry pick fix for sched_setscheduler regression
      (LP: #1661265)

snapd (2.22.1) xenial; urgency=medium

  * New upstream release, LP: #1659522
    - cherry pick fix for snapctl auth.json handling

snapd (2.22) xenial; urgency=medium

  * New upstream release, LP: #1659522
    - many: make ubuntu-core-launcher mostly go
    - interfaces/builtin: add account-control interface
    - interfaces/builtin: add missing syscalls to core-support needed
      for systemctl
    - interfaces/builtin: rework core-support to only allow full access
      to systemctl
    - debian/tests: drop stale autopkgtest dependencies.
    - tests: make the debugging of c-unit-tests more useful
    - store: retry auth-related requests
    - tests: integration test for system reload
    - snap: be more helpful in the `snap install <already-installed>`
      error message
    - tests: set SNAPPY_USE_STAGING_STORE in su call
    - tests: use test snap
    - spread: set SNAPD_DEBUG=1 in the core snap as well
    - tests: add extra debugging to security-setuid-root test
    - cmd,snap,wrappers: systemd reload command support
    - interfaces: builtin: mir: Allow recv and send
    - overlord/ifacestate: use ParseConnRef
    - overlord/snapstate,overlord/ifacestate: add automatic ubuntu-core
      -> core transition
    - debian: remove aliases as well in snapd.postrm
    - many: change interfaces.ParseID to return value
    - interfaces/opengl: allow access to the nvidia abstract socket
    - overlord, daemon: flag failures feature fancy forms.
    - many: add --classic support to try and revert, and make missing
      these things a little harder
    - interfaces: allow reading non-PCI-attached usb devices via raw-usb
    - many: rename snap-alter-ns to snap-update-ns
    - interfaces/builtin: add core-support
    - store: increase the retry.LimitTime()
    - debian: move the packaging out into package/$id-$version_id
    - overlord/stapstate: don't use unkeyed fields
    - many: add stub implementation of snap-alter-ns
    - asserts: improve error message when key is not valid at the given
      time
    - snapstate, ifacestate: add snapstate.CheckChangeConflict() to
      ifacestate.{Connect,Disconnect}
    - debian: remove trusty specific bits
    - docs: Add a note about building snapd.
    - interfaces: miscellaneous updates for default and network-control
    - daemon: bubble out store.ErrSnapNotFound in the findOne codepath
    - store: add retry logging into download as well
    - snap: show price in `snap info`
    - cmd: add fault injection support code
    - interfaces: network-manager: allow rw access to /etc/netplan
    - debian: move systemd files out of ./debian and into ./data/systemd
    - asserts: implement SuggestFormat to help avoid specifying the
      wrong format iteration for an assertion
    - many: detect potentially insecure use of snap-confine
    - interfaces: allow querying added security backends
    - cmd: ensure that all .c files have a -test.c file
    - asserts: don't use 'con...

Read more...

Changed in snapd (Ubuntu Zesty):
status: Fix Committed → Fix Released

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of snapd from xenial-proposed was performed and bug 1664377 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1664377 (not this bug). Thanks!

tags: added: verification-failed
tags: added: regression-proposed
Jean-Baptiste Lallement (jibel) wrote :

According to errors.u.c bug 1664377 was already happening with 2.21 and is not a regression in 2.22, so I'm untagging this report. However it is a frequent cause of failure that needs a closer look (snapd from trusty proposed failing on xenial, maybe an upgrade situation?)

tags: removed: regression-proposed verification-failed
Dave Morley (davmor2) on 2017-02-16
tags: added: verification-done
removed: verification-needed

The verification of the Stable Release Update for snapd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :
Download full text (5.5 KiB)

This bug was fixed in the package snapd - 2.22.2

---------------
snapd (2.22.2) xenial; urgency=medium

  * New upstream release, LP: #1659522
    - cherry pick fix for sched_setscheduler regression
      (LP: #1661265)

snapd (2.22.1) xenial; urgency=medium

  * New upstream release, LP: #1659522
    - cherry pick fix for snapctl auth.json handling

snapd (2.22) xenial; urgency=medium

  * New upstream release, LP: #1659522
    - many: make ubuntu-core-launcher mostly go
    - interfaces/builtin: add account-control interface
    - interfaces/builtin: add missing syscalls to core-support needed
      for systemctl
    - interfaces/builtin: rework core-support to only allow full access
      to systemctl
    - debian/tests: drop stale autopkgtest dependencies.
    - tests: make the debugging of c-unit-tests more useful
    - store: retry auth-related requests
    - tests: integration test for system reload
    - snap: be more helpful in the `snap install <already-installed>`
      error message
    - tests: set SNAPPY_USE_STAGING_STORE in su call
    - tests: use test snap
    - spread: set SNAPD_DEBUG=1 in the core snap as well
    - tests: add extra debugging to security-setuid-root test
    - cmd,snap,wrappers: systemd reload command support
    - interfaces: builtin: mir: Allow recv and send
    - overlord/ifacestate: use ParseConnRef
    - overlord/snapstate,overlord/ifacestate: add automatic ubuntu-core
      -> core transition
    - debian: remove aliases as well in snapd.postrm
    - many: change interfaces.ParseID to return value
    - interfaces/opengl: allow access to the nvidia abstract socket
    - overlord, daemon: flag failures feature fancy forms.
    - many: add --classic support to try and revert, and make missing
      these things a little harder
    - interfaces: allow reading non-PCI-attached usb devices via raw-usb
    - many: rename snap-alter-ns to snap-update-ns
    - interfaces/builtin: add core-support
    - store: increase the retry.LimitTime()
    - debian: move the packaging out into package/$id-$version_id
    - overlord/stapstate: don't use unkeyed fields
    - many: add stub implementation of snap-alter-ns
    - asserts: improve error message when key is not valid at the given
      time
    - snapstate, ifacestate: add snapstate.CheckChangeConflict() to
      ifacestate.{Connect,Disconnect}
    - debian: remove trusty specific bits
    - docs: Add a note about building snapd.
    - interfaces: miscellaneous updates for default and network-control
    - daemon: bubble out store.ErrSnapNotFound in the findOne codepath
    - store: add retry logging into download as well
    - snap: show price in `snap info`
    - cmd: add fault injection support code
    - interfaces: network-manager: allow rw access to /etc/netplan
    - debian: move systemd files out of ./debian and into ./data/systemd
    - asserts: implement SuggestFormat to help avoid specifying the
      wrong format iteration for an assertion
    - many: detect potentially insecure use of snap-confine
    - interfaces: allow querying added security backends
    - cmd: ensure that all .c files have a -test.c file
    - asserts: don't use 'context' for t...

Read more...

Changed in snapd (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (5.6 KiB)

This bug was fixed in the package snapd - 2.22.2~14.04

---------------
snapd (2.22.2~14.04) trusty; urgency=medium

  * New upstream release, LP: #1659522
    - cherry pick fix for sched_setscheduler regression
      (LP: #1661265)

snapd (2.22.1~14.04) trusty; urgency=medium

  * New upstream release, LP: #1659522
    - cherry pick fix for snapctl auth.json handling

snapd (2.22~14.04) trusty; urgency=medium

  * New upstream release, LP: #1659522
    - many: make ubuntu-core-launcher mostly go
    - interfaces/builtin: add account-control interface
    - interfaces/builtin: add missing syscalls to core-support needed
      for systemctl
    - interfaces/builtin: rework core-support to only allow full access
      to systemctl
    - debian/tests: drop stale autopkgtest dependencies.
    - tests: make the debugging of c-unit-tests more useful
    - store: retry auth-related requests
    - tests: integration test for system reload
    - snap: be more helpful in the `snap install <already-installed>`
      error message
    - tests: set SNAPPY_USE_STAGING_STORE in su call
    - tests: use test snap
    - spread: set SNAPD_DEBUG=1 in the core snap as well
    - tests: add extra debugging to security-setuid-root test
    - cmd,snap,wrappers: systemd reload command support
    - interfaces: builtin: mir: Allow recv and send
    - overlord/ifacestate: use ParseConnRef
    - overlord/snapstate,overlord/ifacestate: add automatic ubuntu-core
      -> core transition
    - debian: remove aliases as well in snapd.postrm
    - many: change interfaces.ParseID to return value
    - interfaces/opengl: allow access to the nvidia abstract socket
    - overlord, daemon: flag failures feature fancy forms.
    - many: add --classic support to try and revert, and make missing
      these things a little harder
    - interfaces: allow reading non-PCI-attached usb devices via raw-usb
    - many: rename snap-alter-ns to snap-update-ns
    - interfaces/builtin: add core-support
    - store: increase the retry.LimitTime()
    - debian: move the packaging out into package/$id-$version_id
    - overlord/stapstate: don't use unkeyed fields
    - many: add stub implementation of snap-alter-ns
    - asserts: improve error message when key is not valid at the given
      time
    - snapstate, ifacestate: add snapstate.CheckChangeConflict() to
      ifacestate.{Connect,Disconnect}
    - debian: remove trusty specific bits
    - docs: Add a note about building snapd.
    - interfaces: miscellaneous updates for default and network-control
    - daemon: bubble out store.ErrSnapNotFound in the findOne codepath
    - store: add retry logging into download as well
    - snap: show price in `snap info`
    - cmd: add fault injection support code
    - interfaces: network-manager: allow rw access to /etc/netplan
    - debian: move systemd files out of ./debian and into ./data/systemd
    - asserts: implement SuggestFormat to help avoid specifying the
      wrong format iteration for an assertion
    - many: detect potentially insecure use of snap-confine
    - interfaces: allow querying added security backends
    - cmd: ensure that all .c files have a -test.c file
    - asserts: d...

Read more...

Changed in snapd (Ubuntu Trusty):
status: Fix Committed → Fix Released
Dave Morley (davmor2) wrote :

This was tested as part of 2.22.2 testing. I installed the snaps that jamie recommended and ensured there were no issues seen. Tested with Codebreakers, telegram and some kde app incase they triggered it.

Launchpad Janitor (janitor) wrote :
Download full text (5.6 KiB)

This bug was fixed in the package snapd - 2.22.2+16.10

---------------
snapd (2.22.2+16.10) yakkety; urgency=medium

  * New upstream release, LP: #1659522
    - cherry pick fix for sched_setscheduler regression
      (LP: #1661265)

snapd (2.22.1) xenial; urgency=medium

  * New upstream release, LP: #1659522
    - cherry pick fix for snapctl auth.json handling

snapd (2.22) xenial; urgency=medium

  * New upstream release, LP: #1659522
    - many: make ubuntu-core-launcher mostly go
    - interfaces/builtin: add account-control interface
    - interfaces/builtin: add missing syscalls to core-support needed
      for systemctl
    - interfaces/builtin: rework core-support to only allow full access
      to systemctl
    - debian/tests: drop stale autopkgtest dependencies.
    - tests: make the debugging of c-unit-tests more useful
    - store: retry auth-related requests
    - tests: integration test for system reload
    - snap: be more helpful in the `snap install <already-installed>`
      error message
    - tests: set SNAPPY_USE_STAGING_STORE in su call
    - tests: use test snap
    - spread: set SNAPD_DEBUG=1 in the core snap as well
    - tests: add extra debugging to security-setuid-root test
    - cmd,snap,wrappers: systemd reload command support
    - interfaces: builtin: mir: Allow recv and send
    - overlord/ifacestate: use ParseConnRef
    - overlord/snapstate,overlord/ifacestate: add automatic ubuntu-core
      -> core transition
    - debian: remove aliases as well in snapd.postrm
    - many: change interfaces.ParseID to return value
    - interfaces/opengl: allow access to the nvidia abstract socket
    - overlord, daemon: flag failures feature fancy forms.
    - many: add --classic support to try and revert, and make missing
      these things a little harder
    - interfaces: allow reading non-PCI-attached usb devices via raw-usb
    - many: rename snap-alter-ns to snap-update-ns
    - interfaces/builtin: add core-support
    - store: increase the retry.LimitTime()
    - debian: move the packaging out into package/$id-$version_id
    - overlord/stapstate: don't use unkeyed fields
    - many: add stub implementation of snap-alter-ns
    - asserts: improve error message when key is not valid at the given
      time
    - snapstate, ifacestate: add snapstate.CheckChangeConflict() to
      ifacestate.{Connect,Disconnect}
    - debian: remove trusty specific bits
    - docs: Add a note about building snapd.
    - interfaces: miscellaneous updates for default and network-control
    - daemon: bubble out store.ErrSnapNotFound in the findOne codepath
    - store: add retry logging into download as well
    - snap: show price in `snap info`
    - cmd: add fault injection support code
    - interfaces: network-manager: allow rw access to /etc/netplan
    - debian: move systemd files out of ./debian and into ./data/systemd
    - asserts: implement SuggestFormat to help avoid specifying the
      wrong format iteration for an assertion
    - many: detect potentially insecure use of snap-confine
    - interfaces: allow querying added security backends
    - cmd: ensure that all .c files have a -test.c file
    - asserts: don't use 'c...

Read more...

Changed in snapd (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Changed in snappy:
status: Fix Committed → Fix Released
Changed in canonical-devices-system-image:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers