group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Łukasz Zemczak <1891810@xxxxxxxxxxxxxxxxxx>
Date: Mon, 29 Mar 2021 09:16:10 -0000
Reply-to: Bug 1891810 <1891810@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I see systemd has a 'fix' for this bug in the focal upload so adding the
systemd task to the bug as well. Should we assume the systemd parts are
already there for hirsute and groovy? I'd like someone to check.

** Also affects: systemd (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: systemd (Ubuntu Focal)
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  In Progress
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  In Progress
Status in systemd source package in Bionic:
  New
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Committed
Status in libseccomp source package in Groovy:
  Fix Committed
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New

Bug description:
  [Impact]

  The version of libseccomp2 in X/B/F/G does not know about the openat2
  syscall. As such applications that use libseccomp cannot specify a
  system-call filter against this system-call and so it cannot be
  mediated.

  [Test Plan]

  This can be tested by simply running scmp_sys_resolver from the
  seccomp binary package and specifying this system-call:

  Existing behaviour:

  $ scmp_sys_resolver openat2
  -1

  Expected behaviour:

  $ scmp_sys_resolver openat2
  437

  (Note this value will be different on other architectures)

  [Where problems could occur]

  In version 2.5.1 of libseccomp which adds this new system-call,
  changes were also made in the way the socket system-call is handled by
  libseccomp on PPC platforms - this resulted in a change in the
  expected behaviour and so this has already been noticed and a fix is
  required for the systemd unit tests as a result
  https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696

  There was also a similar change for s390x but so far no regressions
  have been observed as a result as systemd already expected that
  behaviour from libseccomp, it was only PPC that was missing.

  In the event that a regression is observed however, we can easily
  either patch the affected package to cope with the new behaviour of
  this updated libseccomp since in each case the change in behaviour
  only affects a few system calls on particular architectures, or we can
  revert this update.

  [Other Info]

   * As usual thorough testing of this update has been performed both
  manually via the QA Regression Testing scripts, and via the
  autopkgtest infrastructure against packages in the Ubuntu Security
  Proposed PPA https://launchpad.net/~ubuntu-security-
  proposed/+archive/ubuntu/ppa/ with results seen
  https://people.canonical.com/~platform/security-britney/current/

  I have attached debdiffs of the prepared updates which are also
  sitting in the Ubuntu Security Proposed PPA.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+subscriptions