** Summary changed:

- Backport seccomp sandbox fixes to 16.04
+ Backport seccomp sandbox fixes to 18.04
** Description changed:

  I applied several fixes to the seccomp sandbox in man-db 2.8.4, and I
- think they would all be worth backporting to 16.04. They're all corner
+ think they would all be worth backporting to 18.04. They're all corner
  cases, but at least the second and third of them turned up in an AskUbuntu
  post (https://askubuntu.com/questions/1039629/setting-up-man-db-crashes-system-with-bad-system-calls)
  and I had a fair amount of email responses to requests for details about
  it. Here are the details:

- * sandbox: Allow sched_setaffinity
- https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e
+ * sandbox: Allow sched_setaffinity
+ https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e

- It's possible to run into this if reading xz-compressed manual pages
+ It's possible to run into this if reading xz-compressed manual pages
  with (e.g.) XZ_DEFAULTS=--threads=0 set in the environment.

- * sandbox: Allow some shared memory operations
- https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=5e08ee9a4e563abedbdd2768c8bbfd96b57c1859
+ * sandbox: Allow some shared memory operations
+ https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=5e08ee9a4e563abedbdd2768c8bbfd96b57c1859

- Some unusual software that installs itself in /etc/ld.so.preload
+ Some unusual software that installs itself in /etc/ld.so.preload
  breaks man without this patch, such as the Astrill VPN.

- * sandbox: Improve ESET compatibility further
- https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=7582fb9d69a126a53ee11223b12346d38c0f333a
+ * sandbox: Improve ESET compatibility further
+ https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=7582fb9d69a126a53ee11223b12346d38c0f333a

- This is a refinement to some previous work I did to cope with ESET
+ This is a refinement to some previous work I did to cope with ESET
  File Security (an antivirus program that installs itself in
  /etc/ld.so.preload).
  [Test Case]
  The first patch can be tested by recompressing a manual page using xz
  and setting XZ_DEFAULTS=--threads=0 before trying to read it. The other
  two require having Astrill or ESET installed; if this SRU is accepted
  I'll solicit feedback from people who do, although I think it would be
  sufficient for SRU purposes to just make sure that ordinary browsing of
  manual pages still works.

  [Regression Potential]
  This only adds more system calls to what the sandbox permits, so
  ensuring that man still works should be enough to catch all regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1785414

Title:
  Backport seccomp sandbox fixes to 18.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/man-db/+bug/1785414/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
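The first [Test Case] from the description, scripted as an added example (not part of the bug report or of man-db): a constructed one-line manual page is xz-compressed and read through man with XZ_DEFAULTS=--threads=0, so xz's CPU-count probing runs inside man-db's seccomp sandbox as in the first patch. It assumes man-db (with its groff dependency) and xz are installed; the function name xz_sandbox_check and the page name sandbox-demo.1 are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or man-db): reproduces the first
# [Test Case]. Prints "pass", "skipped" (man-db or xz not installed), or
# "fail:<exit status>" with man's stderr (e.g. "Bad system call") on stderr.

xz_sandbox_check() {
    # Skip cleanly where the tools are missing, or where "man" is the stub
    # that minimised container images ship instead of man-db.
    command -v xz >/dev/null 2>&1 || { echo skipped; return 0; }
    man --version 2>/dev/null | grep -q '^man ' || { echo skipped; return 0; }

    tmp=$(mktemp -d) || return 1
    # Constructed manual page, so the check does not depend on any installed page.
    cat > "$tmp/sandbox-demo.1" <<'EOF'
.TH SANDBOX-DEMO 1
.SH NAME
sandbox-demo \- constructed page for exercising the man-db seccomp sandbox
EOF
    xz "$tmp/sandbox-demo.1" || { rm -rf "$tmp"; return 1; }

    # Read the compressed page non-interactively; man runs xz inside its
    # sandbox to decompress it. The "if" keeps a failure from tripping set -e.
    if XZ_DEFAULTS=--threads=0 MANPAGER=cat \
           man -l "$tmp/sandbox-demo.1.xz" >/dev/null 2>"$tmp/err"; then
        status=0
    else
        status=$?
    fi
    [ "$status" -eq 0 ] || cat "$tmp/err" >&2
    rm -rf "$tmp"

    if [ "$status" -eq 0 ]; then echo pass; else echo "fail:$status"; fi
}

# Stand-alone run: report the outcome on stdout.
xz_sandbox_check
```

A sandbox that still blocks the call shows up as a non-zero status with man's "Bad system call" complaint on stderr; a fixed man-db prints pass.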