** Description changed: - Several syscalls were discovered to be missing when using the launcher - on snappy. These should be added so we may properly support seccomp - filtering. + [Impact] + Several syscalls were discovered to be missing when using the launcher on snappy. These should be added so we may properly support seccomp filtering. + [Test Case] + seccomp itself has a comprehensive testsuite, and while it doesn't fail the build, regressions can be seen by looking at the build log. Eg: + + Regression Test Summary + tests run: 6494 + tests skipped: 52 + tests passed: 6494 + tests failed: 0 + tests errored: 0 + + + Furthermore, on a snappy system, perform: + $ sudo snappy install hello-world + $ hello-world.env + + It should show the environment. On an arm system with 2.1.1-1 from the archive, this will fail due to a seccomp denial: + audit: type=1326 audit(1430766107.122:16): auid=1000 uid=1000 gid=1000 ses=15 pid=1491 comm="env" exe="/bin/bash" sig=31 arch=40000028 syscall=983045 compat=0 ip=0xb6fb0bd6 code=0x0 + + (note, snappy images have a ppa fix for this, see notes below). + + + To test the segfault fix, do: + $ scmp_sys_resolver 1024 + Segmentation fault + + It should return: + $ scmp_sys_resolver 1024 + UNKNOWN + + + For the new 3.19 syscalls: + $ scmp_sys_resolver getrandom + -1 + + it should return something like (actual number depends on arch, this is on armhf): + $ scmp_sys_resolver getrandom + 384 + + + autopkgtests for libseccomp have been added as part of this update to verify that the library recognizes all the syscalls from 3.19 and the private syscalls. These tests can be run like so (assuming you are in the unpacked source and the binaries are in ../binary): + $ export REL=vivid + $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-$REL-amd64 || echo "** AUTOPKGTESTS FAILED" + + Alternatively, if you don't have autopkgtest setup, you can do: + $ apt-get install dpkg-dev build-essential linux-libc-dev libseccomp-dev seccomp + $ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-filter + ... + PASS + $ export ADTTMP=/tmp/foo ; mkdir -p "$ADTTMP" ; sh ./debian/tests/test-scmp_sys_resolver + ... + PASS + + + Lastly, seccomp is used by lxc. lxc can be tested by using the test case as outlined in step 4 of https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor#Desktop_only. + + + [Regression Potential] + If the above tests, regression potential is considered low. Unknown syscalls will continue to be handled as before. + + + Description of changes: add finit_module: https://github.com/seccomp/libseccomp/commit/64152018ffdf971efefd84466db4a92002bb8b15 sync the syscall table entries - 3.16 https://github.com/seccomp/libseccomp/commit/9186136be7696ed63a8ddc06c9b397057abc5c75 https://github.com/seccomp/libseccomp/commit/3f319a9a5bc2e32f5a3c296fb0476c040b6f46c4 https://github.com/seccomp/libseccomp/commit/689f19e7488535c775c1db415b8d9895905ef8dd https://github.com/seccomp/libseccomp/commit/ac6802b300922ef2ad3e95e2c80f89b575073aeb https://github.com/seccomp/libseccomp/commit/c6205d9600983aa3fa68ca952b7624f2fec86718 https://github.com/seccomp/libseccomp/commit/76739812a3e23182504cde43403ddb9921e0e05a sync the syscall table entries - 3.17 https://github.com/seccomp/libseccomp/commit/6354f8cab5ac82a8d567005e58a9e7ff9dd843a9 sync the syscall table entries - 3.19 https://github.com/seccomp/libseccomp/commit/7b80fb2fb683cafaf5dc9ff7692437ba86e598a3 - This should also be applied (fix a segfault for invalid syscall numbers): + This should also be applied (fix a segfault for invalid syscall numbers): https://github.com/seccomp/libseccomp/commit/2d09a74c7f04d29ae740db1e2187ff1a1886b2c3 + + In addition, add-missing-arm-private-syscalls.patch is add to add 5 + private ARM syscalls. These are absolutely required on snappy. This + portion of the patch has been well tested and is included by default in + stable snappy images via the snappy image PPA.
-- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1450642 Title: seccomp missing many new syscalls To manage notifications about this bug go to: https://bugs.launchpad.net/snappy-ubuntu/+bug/1450642/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
