This bug was fixed in the package libseccomp - 2.1.1-1ubuntu1~trusty3
---------------
libseccomp (2.1.1-1ubuntu1~trusty3) trusty-proposed; urgency=medium
* Cherrypick various bpf fixes to support argument filtering on 64-bit
(LP: #1653487)
- debian/patches/bpf-use-state-arch.patch: use state->arch instead of
db->arch in _gen_bpf_arch()
- debian/patches/db-require-filters-to-share-endianess.patch: require all
filters in a collection to share the same endianess
- debian/patches/resolve-issues-caused-by-be.patch: resolve issues caused
by big endian systems
- debian/patches/bpf-accumulator-check.patch: test the bpf accumulator
checking logic
- debian/patches/bpf-track-accumulator-state.patch: track accumulator
state and reload it when necessary. This is the fix for LP: #1653487. The
previous patches are required by this patch.
- debian/patches/ensure-simulator-has-valid-arch.patch: ensure the
simulator always has a valid architecture value. This fixes a regression
in the testsuite introduced by resolve-issues-caused-by-be.patch
- debian/patches/bpf-accumulator-check-indep.patch: fix a regression in the
testsuite introduced by bpf-accumulator-check.patch
- debian/patches/fix-audit-arch-i386.patch: fix arch token for 32-bit x86
not being defined correctly for the tools
libseccomp (2.1.1-1ubuntu1~trusty1) trusty-proposed; urgency=medium
* Bring libseccomp 2.1.1-1ubuntu1~vivid2, from Ubuntu 14.10, to Ubuntu
14.04 and add a couple patches to account for new syscalls found in the
4.4 based hardware enablement kernel. This allows for proper snap seccomp
confinement on Ubuntu 14.04 when using the hardware enablement kernel
(LP: #1450642)
- debian/patches/add-membarrier-and-userfaultfd.patch: Add membarrier and
userfaultfd syscalls
- debian/patches/add-mlock2.patch: Add mlock2 syscall
- debian/tests/data/all-except-s390-4.4.filter: Add autopkgtest that
verifies all syscalls found in the 4.4 kernel, except for the s390
specific syscalls, are supported by libseccomp. The s390 specific
syscalls are not needed since this version of libseccomp does not
support the s390 architecture.
- debian/tests/test-filter: Skip the getrandom filter tests since
SYS_getrandom is not defined in 14.04 environment and the getrandom(2)
syscall is not even available in the 14.04 release kernel.
libseccomp (2.1.1-1ubuntu1~vivid2) vivid-proposed; urgency=medium
* add-finit-module.patch: add finit_module syscalls to x86 and x86-64
syscall tables
* update syscalls for modern kernels (skipping MIPS)
- update syscalls for 3.16:
+ update-x86-syscall-table.patch
+ update-x86_64-syscall-table.patch
+ update-arm-syscall-table.patch
+ update-x32-syscall-table.patch
+ sync-syscall-table-entries.patch
+ sync-syscall-table-entries-fixtypo.patch
- update syscalls for 3.17:
+ sync-syscall-table-entries-3.17.patch
- update syscalls for 3.19:
+ sync-syscall-table-entries-3.19.patch
- LP: #1450642
* fix-segfault-with-unknown.patch: fix segfault when find unknown syscall
* debian/patches/add-missing-arm-private-syscalls.path: add missing private
ARM syscalls
* add autopkgtests for scmp_sys_resolver and filter testing and
SYS_getrandom() testing
libseccomp (2.1.1-1) unstable; urgency=low
* New upstream release (Closes: 733293).
* copyright: add a few missed people.
* rules: adjusted for new test target.
* libseccomp2.symbols: drop accidentally exported functions.
* control:
- bump standards, no changes needed.
- add armel target
-- Jamie Strandboge <[email protected]> Wed, 04 Jan 2017 21:11:30 +0000
** Changed in: libseccomp (Ubuntu Trusty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1450642
Title:
seccomp missing many new syscalls
Status in Snappy:
Fix Released
Status in Snappy 15.04 series:
Fix Released
Status in libseccomp package in Ubuntu:
Fix Released
Status in libseccomp source package in Trusty:
Fix Released
Status in libseccomp source package in Vivid:
Fix Released
Status in libseccomp source package in Wily:
Fix Released
Bug description:
[Impact]
Several syscalls were discovered to be missing when using the launcher on
snappy. These should be added so we may properly support seccomp filtering.
[Test Case]
seccomp itself has a comprehensive testsuite, and while it doesn't fail the
build, regressions can be seen by looking at the build log. Eg:
Regression Test Summary
tests run: 6494
tests skipped: 52
tests passed: 6494
tests failed: 0
tests errored: 0
Furthermore, on a snappy system, perform:
# Note, for the 14.04 SRU, you'll have to install snapd from trusty-proposed
and reboot into the lts kernel that it installs
$ sudo snap install hello-world
$ hello-world.env
It should show the environment. On an arm system with 2.1.1-1 from the
archive, this will fail due to a seccomp denial:
audit: type=1326 audit(1430766107.122:16): auid=1000 uid=1000 gid=1000 ses=15
pid=1491 comm="env" exe="/bin/bash" sig=31 arch=40000028 syscall=983045
compat=0 ip=0xb6fb0bd6 code=0x0
(note, snappy images have a ppa fix for this, see notes below).
To test the segfault fix, do:
$ scmp_sys_resolver 1024
Segmentation fault
It should return:
$ scmp_sys_resolver 1024
UNKNOWN
For the new 3.19 syscalls:
$ scmp_sys_resolver getrandom
-1
it should return something like (actual number depends on arch, this is on
armhf):
$ scmp_sys_resolver getrandom
384
For the 14.04 SRU, test the following syscalls (expected results on
amd64 are shown):
$ scmp_sys_resolver getrandom
318
$ scmp_sys_resolver membarrier
324
$ scmp_sys_resolver userfaultfd
323
$ scmp_sys_resolver mlock2
325
autopkgtests for libseccomp have been added as part of this update to verify
that the library recognizes all the syscalls from 3.19 and the private
syscalls. These tests can be run like so (assuming you are in the unpacked
source and the binaries are in ../binary):
$ export REL=vivid
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source
../source/*.dsc --log-file /tmp/adt.out --- adt-virt-schroot
autopkgtest-$REL-amd64 || echo "** AUTOPKGTESTS FAILED"
Alternatively, if you don't have autopkgtest setup, you can do:
$ apt-get install dpkg-dev build-essential linux-libc-dev libseccomp-dev
seccomp
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-filter
...
PASS
$ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh
./debian/tests/test-scmp_sys_resolver
...
PASS
Lastly, seccomp is used by lxc. lxc can be tested by using the test
case as outlined in step 4 of
https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor#Desktop_only.
[Regression Potential]
If the above tests, regression potential is considered low. Unknown syscalls
will continue to be handled as before.
Description of changes:
add finit_module:
https://github.com/seccomp/libseccomp/commit/64152018ffdf971efefd84466db4a92002bb8b15
sync the syscall table entries - 3.16
https://github.com/seccomp/libseccomp/commit/9186136be7696ed63a8ddc06c9b397057abc5c75
https://github.com/seccomp/libseccomp/commit/3f319a9a5bc2e32f5a3c296fb0476c040b6f46c4
https://github.com/seccomp/libseccomp/commit/689f19e7488535c775c1db415b8d9895905ef8dd
https://github.com/seccomp/libseccomp/commit/ac6802b300922ef2ad3e95e2c80f89b575073aeb
https://github.com/seccomp/libseccomp/commit/c6205d9600983aa3fa68ca952b7624f2fec86718
https://github.com/seccomp/libseccomp/commit/76739812a3e23182504cde43403ddb9921e0e05a
sync the syscall table entries - 3.17
https://github.com/seccomp/libseccomp/commit/6354f8cab5ac82a8d567005e58a9e7ff9dd843a9
sync the syscall table entries - 3.19
https://github.com/seccomp/libseccomp/commit/7b80fb2fb683cafaf5dc9ff7692437ba86e598a3
This should also be applied (fix a segfault for invalid syscall numbers):
https://github.com/seccomp/libseccomp/commit/2d09a74c7f04d29ae740db1e2187ff1a1886b2c3
For the 14.04 SRU so that libseccomp can handle all of the syscalls in the
4.4 based linux-lts-xenial kernel:
- membarrier and userfaultfd syscalls:
https://github.com/seccomp/libseccomp/commit/d2ca11b7cdddbba3782b1e306ceacf19e898faee
- x86 direct socket syscalls
https://github.com/seccomp/libseccomp/commit/24114ca6703036f76be1920a7ba387d6835dd764
- mlock2 syscall
https://github.com/seccomp/libseccomp/commit/173b96ba8d36a4b1954e99570e82f2f932fe056a
In addition, add-missing-arm-private-syscalls.patch is add to add 5
private ARM syscalls. These are absolutely required on snappy. This
portion of the patch has been well tested and is included by default
in stable snappy images via the snappy image PPA.
To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1450642/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
