Ubuntu
systemd package

Comment 11 for bug 1821625

Revision history for this message

Dan Streetman (ddstreet) wrote on 2019-07-05:

#11

> @Dan did that already contain the fix you expect or would considering a seccomp be useful?

For libseccomp, it looks like it doesn't need a rebuild; it appears to only reference the symbol in its header (which is what causes this problem for other packages that pull in that header); in its code, the only reference is where its syscall number is defined is inside its ppc64_syscall_table (and ppc_syscall_table), where it is defined correctly.

ddstreet@thorin:~/bugs/lp1821625/sym-check/libseccomp/libseccomp-2.4.1$ grep -r pkey_mprotect
include/seccomp.h.in:#define __PNR_pkey_mprotect -10201
include/seccomp.h.in:#ifndef __NR_pkey_mprotect
include/seccomp.h.in:#define __NR_pkey_mprotect __PNR_pkey_mprotect
include/seccomp.h.in:#endif /* __NR_pkey_mprotect */
include/seccomp.h:#define __PNR_pkey_mprotect -10201
include/seccomp.h:#ifndef __NR_pkey_mprotect
include/seccomp.h:#define __NR_pkey_mprotect __PNR_pkey_mprotect
include/seccomp.h:#endif /* __NR_pkey_mprotect */
src/arch-ppc-syscalls.c: { "pkey_mprotect", 386 },
src/arch-x32-syscalls.c: { "pkey_mprotect", (X32_SYSCALL_BIT + 329) },
src/arch-mips-syscalls.c: { "pkey_mprotect", (__SCMP_NR_BASE + 363) },
src/arch-x86-syscalls.c: { "pkey_mprotect", 380 },
src/arch-s390-syscalls.c: { "pkey_mprotect", __PNR_pkey_mprotect },
src/arch-parisc-syscalls.c: { "pkey_mprotect", __PNR_pkey_mprotect },
src/arch-s390x-syscalls.c: { "pkey_mprotect", __PNR_pkey_mprotect },
src/arch-ppc64-syscalls.c: { "pkey_mprotect", 386 },
src/arch-aarch64-syscalls.c: { "pkey_mprotect", 288 },
src/arch-arm-syscalls.c: { "pkey_mprotect", (__SCMP_NR_BASE + 394) },
src/arch-mips64-syscalls.c: { "pkey_mprotect", (__SCMP_NR_BASE + 323) },
src/arch-x86_64-syscalls.c: { "pkey_mprotect", 329 },
src/arch-mips64n32-syscalls.c: { "pkey_mprotect", (__SCMP_NR_BASE + 327) },

I still don't understand why libseccomp ever decided to define __NR_pkey_mprotect to a negative number (if the kernel header doesn't define it) in its public header file. IMHO that should be done in its code, or at least in a private header file.

> @Dan did that already contain the fix you expect or would considering a seccomp be useful?

ddstreet@thorin:~/bugs/lp1821625/sym-check/libseccomp/libseccomp-2.4.1$ grep -r pkey_mprotect
include/seccomp.h.in:#define __PNR_pkey_mprotect	-10201
include/seccomp.h.in:#ifndef __NR_pkey_mprotect
include/seccomp.h.in:#define __NR_pkey_mprotect	__PNR_pkey_mprotect
include/seccomp.h.in:#endif /* __NR_pkey_mprotect */
include/seccomp.h:#define __PNR_pkey_mprotect	-10201
include/seccomp.h:#ifndef __NR_pkey_mprotect
include/seccomp.h:#define __NR_pkey_mprotect	__PNR_pkey_mprotect
include/seccomp.h:#endif /* __NR_pkey_mprotect */
src/arch-ppc-syscalls.c:	{ "pkey_mprotect", 386 },
src/arch-x32-syscalls.c:	{ "pkey_mprotect", (X32_SYSCALL_BIT + 329) },
src/arch-mips-syscalls.c:	{ "pkey_mprotect", (__SCMP_NR_BASE + 363) },
src/arch-x86-syscalls.c:	{ "pkey_mprotect", 380 },
src/arch-s390-syscalls.c:	{ "pkey_mprotect", __PNR_pkey_mprotect },
src/arch-parisc-syscalls.c:	{ "pkey_mprotect",	__PNR_pkey_mprotect },
src/arch-s390x-syscalls.c:	{ "pkey_mprotect", __PNR_pkey_mprotect },
src/arch-ppc64-syscalls.c:	{ "pkey_mprotect", 386 },
src/arch-aarch64-syscalls.c:	{ "pkey_mprotect", 288 },
src/arch-arm-syscalls.c:	{ "pkey_mprotect", (__SCMP_NR_BASE + 394) },
src/arch-mips64-syscalls.c:	{ "pkey_mprotect", (__SCMP_NR_BASE + 323) },
src/arch-x86_64-syscalls.c:	{ "pkey_mprotect", 329 },
src/arch-mips64n32-syscalls.c:	{ "pkey_mprotect", (__SCMP_NR_BASE + 327) },

I still don't understand why libseccomp ever decided to define __NR_pkey_mprotect to a negative number (if the kernel header doesn't define it) in its public header file.  IMHO that should be done in its code, or at least in a private header file.

Ubuntusystemd package

Comment 11 for bug 1821625

Ubuntu
systemd package