kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #151595
[Bug 1526358] Re: xenial/i386 regression: nspawn fails with "Failed to add audit seccomp rule: Bad address"
I now isolated this seccomp failure into a tiny .c file which reproduces
this. On amd64 it works:
$ gcc -o /tmp/o ~/seccomp-socket-filter.c -lseccomp && /tmp/o
SCMP_SYS(socket) == 41 == 29
Success
and on i386 it reproduces the error:
$ gcc -o /tmp/o ~/seccomp-socket-filter.c -lseccomp && /tmp/o
SCMP_SYS(socket) == 359 == 167
seccomp_rule_add failed: Bad address
So what systemd is trying to do is to first initialize seccomp with
possible alternative architectures (running 32 bit container on 64 bit
host, and vice versa if you have a 64 bit kernel) and then disallow
opening socket()s to the netlink audit subsystem, as audit is broken for
containers. The gist of it is
seccomp = seccomp_init(SCMP_ACT_ALLOW);
seccomp_arch_add(seccomp, SCMP_ARCH_X86_64);
seccomp_rule_add(
seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT),
SCMP_SYS(socket),
2,
SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
This has worked on both arches until __NR_socket got defined on i386, before it used that autogenerated value.
** Attachment added: "standalone reproducer C file"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1526358/+attachment/4535516/+files/seccomp-socket-filter.c
** Also affects: libseccomp (Ubuntu)
Importance: Undecided
Status: New
** Summary changed:
- xenial/i386 regression: nspawn fails with "Failed to add audit seccomp rule: Bad address"
+ adding seccomp rule for socket() fails on i386 since kernel 4.3
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1526358
Title:
adding seccomp rule for socket() fails on i386 since kernel 4.3
Status in libseccomp package in Ubuntu:
New
Status in linux package in Ubuntu:
Confirmed
Status in systemd package in Ubuntu:
Triaged
Bug description:
Four days ago, on Dec 10,
http://autopkgtest.ubuntu.com/packages/s/systemd/xenial/i386/ started
failing:
======================================================================
FAIL: test_boot (__main__.NspawnTest)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/adt-run.IG1dKn/build.Yzd/systemd-228/debian/tests/boot-and-services", line 204, in test_boot
self.assertIn(b'fake container started', out)
AssertionError: b'fake container started' not found in b'Spawning container c1 on /tmp/tmpl04y_tf8/c1.\nPress ^] three times within 1s to kill container.\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to add audit seccomp rule: Bad address\n'
This is reproducible in xenial-release, i. e. it already slipped
through -proposed.
This can be reproduced easily on a xenial i386 VM:
sudo apt-get install busybox-static
mkdir -p /tmp/c/sbin /tmp/c/etc /tmp/c/bin/
cp /bin/busybox /tmp/c/bin/
ln -s ../bin/busybox /tmp/c/sbin/init
ln -s busybox /tmp/c/bin/sh
cp /etc/os-release /tmp/c/etc
sudo systemd-nspawn -b -D /tmp/c
This should normally boot a busybox container; you'll get a few error
messages as there's no SysV init stuff there, but it should start and
pressing enter should get you into a shell. But on i386 it fails with
$ sudo systemd-nspawn -b -D /tmp/c
Spawning container c on /tmp/c.
Press ^] three times within 1s to kill container.
Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system
Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system
Failed to add audit seccomp rule: Bad address
which is what the test case fails on too.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1526358/+subscriptions
