test-seccomp fails test_restrict_suid_sgid on arm64 on Bionic

Bug #1870589 reported by Dan Streetman on 2020-04-03
Affects Status Importance Assigned to Milestone
systemd (Ubuntu)
Dan Streetman

Bug Description


RestrictSUIDSGID (backported to Bionic in security CVE) fails 100% of the time on arm64, and testcase failure indicates this as well.

[test case]

check autopkgtest logs, e.g.

/* test_restrict_suid_sgid */
Failed to add suid/sgid rule for architecture arm64, skipping: Numerical argument out of domain
Assertion 'chmod(path, 0775 | S_ISUID) < 0 && errno == EPERM' failed at ../src/test/test-seccomp.c:823, function test_restrict_suid_sgid(). Aborting.
suidsgidseccomp terminated by signal ABRT.
Assertion 'wait_for_terminate_and_check("suidsgidseccomp", pid, WAIT_LOG) == EXIT_SUCCESS' failed at ../src/test/test-seccomp.c:889, function test_restrict_suid_sgid(). Aborting.
FAIL: test-seccomp (code: 134)
Aborted (core dumped)

[regression potential]

this improves the function that (tries to) install seccomp suid/sgid filters, so any regression would involve failure to restrict suid/sgid with seccomp filters; however on arm64, this functionality already fails 100% of the time (which is what the failed test case was pointing out).


this fails only in Bionic, and this specific feature and testcase was backported in patches for CVE-2019-384x. It does not appear that the backported feature, or its testcase, ever passed in Bionic on arm64.

[other info]

systemd bionic arm64 autopkgtests have failed forever, but we should fix that.

Dan Streetman (ddstreet) on 2020-04-03
Changed in systemd (Ubuntu):
status: New → Fix Released
Changed in systemd (Ubuntu Bionic):
assignee: nobody → Dan Streetman (ddstreet)
importance: Undecided → Low
status: New → In Progress
Dan Streetman (ddstreet) on 2020-04-20
description: updated
description: updated
Changed in systemd (Ubuntu Bionic):
importance: Low → Medium

Hello Dan, or anyone else affected,

Accepted systemd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.40 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in systemd (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic

All autopkgtests for the newly accepted systemd (237-3ubuntu10.40) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.36.1-0ubuntu1.3.3 (amd64)
prometheus-postgres-exporter/unknown (armhf)
systemd/237-3ubuntu10.40 (i386, ppc64el)
umockdev/0.11.1-1 (armhf)
linux-hwe-5.0/5.0.0-47.51~18.04.1 (armhf)
kde4libs/4:4.14.38-0ubuntu3.1 (armhf)
util-linux/unknown (armhf)
nftables/unknown (armhf)
linux-raspi2-5.3/5.3.0-1023.25~18.04.1 (armhf)
netplan.io/0.98-0ubuntu1~18.04.1 (i386)
openssh/1:7.6p1-4ubuntu0.3 (arm64, i386, armhf, ppc64el, s390x, amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].


[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Dan Streetman (ddstreet) wrote :
tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 237-3ubuntu10.40

systemd (237-3ubuntu10.40) bionic; urgency=medium

  * d/t/logind: skip if nonexistent /sys/power/state (LP: #1862657)
  * d/p/lp1839290-Change-job-mode-of-manager-triggered-restarts-to-JOB.patch:
    - when restarting service after failure, replace existing queued jobs
      (LP: #1839290)
  * d/p/lp1867421-70-mouse.hwdb-Set-DPI-for-MS-Classic-IntelliMouse.patch:
    - fix resolution of IntelliMouse (LP: #1867421)
  * d/p/lp1858412-journalctl-allow-running-vacuum-on-remote-journals-t.patch:
    - allow vacuuming journal 'root' dir (LP: #1858412)
  * d/p/lp1862232/0001-network-add-more-log-messages-in-configuring-DHCP4-c.patch,
    - do not fail network setup if hostname is not valid (LP: #1862232)
  * d/t/systemd-fsckd: Skip test on arm64 (LP: #1870194)
  * d/p/lp1870589-seccomp-rework-how-the-S-UG-ID-filter-is-installed.patch:
    - fix test-seccomp failure (LP: #1870589)
  * d/rules: use meson --print-errorlogs instead of cat testlog
    - (LP: #1870811)
  * d/p/lp1776654-test-Synchronize-journal-before-reading-from-it.patch:
    - sync journal before reading from it (LP: #1776654)
  * d/p/lp1837914-journal-do-not-trigger-assertion-when-journal_file_c.patch:
    - do not crash if NULL passed to journal destructor (LP: #1837914)
  * d/e/initramfs-tools/hooks/udev:
    - Follow symlinks when finding link files to copy into initramfs
      (LP: #1868892)

 -- Dan Streetman <email address hidden> Mon, 20 Apr 2020 10:12:49 -0400

Changed in systemd (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for systemd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
