touch-packages team mailing list archive

Thread
Date

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Andy Whitcroft <apw@xxxxxxxxxxxxx>
Date: Wed, 16 Dec 2015 14:29:55 -0000
Reply-to: Bug 1526358 <1526358@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Running the example above the EFAULT is being generated in userspace.
Looking at libseccomp it seems we have a literal copy of the systemcall
table mapping call strings to local numbers.  For 32bit the new system
calls are not filled in so they will fail.  Esentially libseccomp and
the kernel headers are out of sync, so systemd thinks it can use real
mitigation on socket() but libseccomp does not think 32bit supports it.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1526358

Title:
  adding seccomp rule for socket() fails on i386 since kernel 4.3

Status in libseccomp package in Ubuntu:
  Triaged
Status in linux package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Triaged

Bug description:
  Four days ago, on Dec 10,
  http://autopkgtest.ubuntu.com/packages/s/systemd/xenial/i386/ started
  failing:

  ======================================================================
  FAIL: test_boot (__main__.NspawnTest)
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "/tmp/adt-run.IG1dKn/build.Yzd/systemd-228/debian/tests/boot-and-services", line 204, in test_boot
      self.assertIn(b'fake container started', out)
  AssertionError: b'fake container started' not found in b'Spawning container c1 on /tmp/tmpl04y_tf8/c1.\nPress ^] three times within 1s to kill container.\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to create directory /tmp/tmpl04y_tf8/c1/sys/fs/selinux: Read-only file system\nFailed to add audit seccomp rule: Bad address\n'

  This is reproducible in xenial-release, i. e. it already slipped
  through -proposed.

  This can be reproduced easily on a xenial i386 VM:

    sudo apt-get install busybox-static
    mkdir -p /tmp/c/sbin /tmp/c/etc /tmp/c/bin/
    cp /bin/busybox /tmp/c/bin/
    ln -s ../bin/busybox /tmp/c/sbin/init
    ln -s busybox /tmp/c/bin/sh
    cp /etc/os-release /tmp/c/etc
    sudo systemd-nspawn -b -D /tmp/c

  This should normally boot a busybox container; you'll get a few error
  messages as there's no SysV init stuff there, but it should start and
  pressing enter should get you into a shell. But on i386 it fails with

  $   sudo systemd-nspawn -b -D /tmp/c
  Spawning container c on /tmp/c.
  Press ^] three times within 1s to kill container.
  Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system
  Failed to create directory /tmp/c/sys/fs/selinux: Read-only file system
  Failed to add audit seccomp rule: Bad address

  which is what the test case fails on too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1526358/+subscriptions

References

[Bug 1526358] [NEW] xenial/i386 regression: nspawn fails with "Failed to add audit seccomp rule: Bad address"
From: Martin Pitt, 2015-12-15