kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #151671
[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3
Running the example above the EFAULT is being generated in userspace.
Looking at libseccomp it seems we have a literal copy of the systemcall
table mapping call strings to local numbers. For 32bit the new system
calls are not filled in so they will fail. Esentially libseccomp and
the kernel headers are out of sync, so systemd thinks it can use real
mitigation on socket() but libseccomp does not think 32bit supports it.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1526358
Title:
adding seccomp rule for socket() fails on i386 since kernel 4.3
Status in libseccomp package in Ubuntu:
Triaged
Status in linux package in Ubuntu:
Confirmed
Status in systemd package in Ubuntu:
Triaged
Bug description:
Four days ago, on Dec 10,
http://autopkgtest.ubuntu.com/packages/s/systemd/xenial/i386/ started
failing:
======================================================================
FAIL: test_boot (__main__.NspawnTest)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/adt-run.IG1dKn/build.Yzd/systemd-228/debian/tests/boot-and-services", line 204, in test_boot
self.assertIn(b'fake container started', out)
AssertionError: b'fake container started' not found in b'Spawning container c1 on /tmp/tmpl04y_tf8/c1.\nPress ^] three times within 1s to kill container.\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to add audit seccomp rule: Bad address\n'
This is reproducible in xenial-release, i. e. it already slipped
through -proposed.
This can be reproduced easily on a xenial i386 VM:
sudo apt-get install busybox-static
mkdir -p /tmp/c/sbin /tmp/c/etc /tmp/c/bin/
cp /bin/busybox /tmp/c/bin/
ln -s ../bin/busybox /tmp/c/sbin/init
ln -s busybox /tmp/c/bin/sh
cp /etc/os-release /tmp/c/etc
sudo systemd-nspawn -b -D /tmp/c
This should normally boot a busybox container; you'll get a few error
messages as there's no SysV init stuff there, but it should start and
pressing enter should get you into a shell. But on i386 it fails with
$ sudo systemd-nspawn -b -D /tmp/c
Spawning container c on /tmp/c.
Press ^] three times within 1s to kill container.
Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system
Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system
Failed to add audit seccomp rule: Bad address
which is what the test case fails on too.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1526358/+subscriptions