kernel-packages team mailing list archive

Thread
Date

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Andy Whitcroft <apw@xxxxxxxxxxxxx>
Date: Wed, 16 Dec 2015 09:29:51 -0000
Reply-to: Bug 1526358 <1526358@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

So in the commit below we switched how the socket family of calls are
exposed at the syscall level (which was a 4.3-rc1 change):

  commit 9dea5dc921b5f4045a18c63eb92e84dc274d17eb
  Author: Andy Lutomirski <luto@xxxxxxxxxx>
  Date:   Tue Jul 14 15:24:24 2015 -0700

    x86/entry/syscalls: Wire up 32-bit direct socket calls

One of the stated goals of this was to expose these calls for seccomp
mediation and to bring 32bit in line with 64bit.  So it is cirtain we
never did do seccomp mediation on these before.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1526358

Title:
  adding seccomp rule for socket() fails on i386 since kernel 4.3

Status in libseccomp package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Triaged

Bug description:
  Four days ago, on Dec 10,
  http://autopkgtest.ubuntu.com/packages/s/systemd/xenial/i386/ started
  failing:

  ======================================================================
  FAIL: test_boot (__main__.NspawnTest)
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "/tmp/adt-run.IG1dKn/build.Yzd/systemd-228/debian/tests/boot-and-services", line 204, in test_boot
      self.assertIn(b'fake container started', out)
  AssertionError: b'fake container started' not found in b'Spawning container c1 on /tmp/tmpl04y_tf8/c1.\nPress ^] three times within 1s to kill container.\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to add audit seccomp rule: Bad address\n'

  This is reproducible in xenial-release, i. e. it already slipped
  through -proposed.

  This can be reproduced easily on a xenial i386 VM:

    sudo apt-get install busybox-static
    mkdir -p /tmp/c/sbin /tmp/c/etc /tmp/c/bin/
    cp /bin/busybox /tmp/c/bin/
    ln -s ../bin/busybox /tmp/c/sbin/init
    ln -s busybox /tmp/c/bin/sh
    cp /etc/os-release /tmp/c/etc
    sudo systemd-nspawn -b -D /tmp/c

  This should normally boot a busybox container; you'll get a few error
  messages as there's no SysV init stuff there, but it should start and
  pressing enter should get you into a shell. But on i386 it fails with

  $   sudo systemd-nspawn -b -D /tmp/c
  Spawning container c on /tmp/c.
  Press ^] three times within 1s to kill container.
  Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system
  Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system
  Failed to add audit seccomp rule: Bad address

  which is what the test case fails on too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1526358/+subscriptions