Hello

>Sandbox enabled:
>stat("/sys/fs/cgroup/cpuset/chrome", 0x7f9068a987c0) = -1 ENOSYS (Function not implemented)
>
>Sandbox disabled:
>stat("/sys/fs/cgroup/cpuset/chrome", 0x7f9e3a03a7c0) = -1 ENOENT (No such file or directory)
>
>You have updated the kernel, but did you update your libseccomp security
>profile as well? (IOW: Have you updated your userspace as well?)
>
>I know about some problems in the past where similar effects were observed
>when using syscalls that were not known to the security profile in use. The
>stat call is not new, but ENOSYS is unexpected.

Yes I checked. My seccomp version is 2.5.1-1ubuntu1~18.04.1.
Is there anything else I need to do to update the security profile of 
libseccomp?

Yuta Ando

-----Original Message-----
From: Bezdeka, Florian <florian.bezd...@siemens.com> 
Sent: Thursday, November 11, 2021 6:09 PM
To: xenomai@xenomai.org; Ando Yuta <andouyu...@yamaha-motor.co.jp>; 
jan.kis...@siemens.com
Subject: Re: Trying Xenomai3.2 and has some web browser problem

On Thu, 2021-11-11 at 04:46 +0000, Ando Yuta via Xenomai wrote:
> Hello Jan
> 
> Thanks for the reply.
> 
> > x86?
> 
> Sorry I forgot to write the CPU info.
> My CPU is x86_64(11th Gen Intel i5)
> 
> > Can you generate a trace (strace or maybe even kernel event trace) of both
> > good and bad cases? To see where the behaviour diverges.
> > Or is there something that reproduces this without requiring a full UI for 
> > the browser?
> 
> Yes, I found that the same phenomenon occurs when I specify "--disable-gpu" 
> in headless mode chrome.
> 
> These are the commands to reproduce.
> 1 chrome --headless --disable-gpu https://www.google.com/ (in dovetail
> browser crash, in generic works properly)
> 2 chrome --headless --disable-gpu --disable-seccomp-filter-sandbox
> https://www.google.com/ (disable sandbox, this works in both dovetail and
> generic but unsafe)
> 
> Attached files are the results of strace and kernel event trace in headless 
> mode above.
> They are generic, dovetail with sandbox enabled, and dovetail with sandbox 
> disabled.

Sandbox enabled:
stat("/sys/fs/cgroup/cpuset/chrome", 0x7f9068a987c0) = -1 ENOSYS (Function not implemented)

Sandbox disabled:
stat("/sys/fs/cgroup/cpuset/chrome", 0x7f9e3a03a7c0) = -1 ENOENT (No such file or directory)

You have updated the kernel, but did you update your libseccomp security
profile as well? (IOW: Have you updated your userspace as well?)

I know about some problems in the past where similar effects were observed when
using syscalls that were not known to the security profile in use. The stat
call is not new, but ENOSYS is unexpected.

> 
> Yuta Ando
> 
> -----Original Message-----
> From: Jan Kiszka <jan.kis...@siemens.com>
> Sent: Wednesday, November 10, 2021 8:16 PM
> To: Ando Yuta <andouyu...@yamaha-motor.co.jp>; xenomai@xenomai.org
> Subject: Re: Trying Xenomai3.2 and has some web browser problem
> 
> On 10.11.21 07:33, Ando Yuta via Xenomai wrote:
> > Hello
> > 
> > We are now testing xenomai3.2 with dovetail core(kernel ver5.10.70)
> 
> x86?
> 
> > The kernel build was successful with some modifications to the ipipe 
> > configuration we had been using.
> > Building our application was also successful without any problems, just by 
> > slightly changing the flags in cmake.
> > So our application is working well, except for one thing.
> > 
> > When using xenomai 3.1 with ipipe patch 5.4.77, there was no 
> > problem, but when using 5.10.70 dovetail, the web browser started to crash.
> > 
> > Firefox didn't work at all.
> > When using Google Chrome and chromium, some pages don't crash and 
> > some, in particular, video sites like youtube and sites that require login 
> > such as github did.
> > 
> > Attached below are the results of strace when using chrome.
> > The problem seems to be around seccomp.
> > 
> > > If we follow this
> > > web(https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/linux/sandboxing.md)
> > > and specify --disable-seccomp-filter-sandbox, the crash was
> > > apparently avoided.
> > However, this option disables sandbox, which causes a security problem.
> > Therefore, we do not want to disable sandbox if possible.
> > 
> > > This browser crash does not occur on the same 5.10.70 kernel unless
> > > we enable the dovetail realtime kernel, so it seems to be an issue with a
> > > system call related to dovetail's seccomp.
> > Is there any way to solve this problem?
> > 
> > The strace results are as follows
> > 
> 
> Can you generate a trace (strace or maybe even kernel event trace) of both
> good and bad cases? To see where the behaviour diverges.
> 
> Or is there something that reproduces this without requiring a full UI for 
> the browser?
> 
> Thanks for reporting!
> 
> Jan
> 
> --
> Siemens AG, T RDA IOT
> Corporate Competence Center Embedded Linux
> -------------- next part --------------
> An embedded and charset-unspecified text was scrubbed...
> Name: generic_kernel_event_trace.txt
> URL: <http://xenomai.org/pipermail/xenomai/attachments/20211111/e72ff993/attachment.txt>
> -------------- next part --------------
> An embedded and charset-unspecified text was scrubbed...
> Name: generic_strace.txt
> URL: <http://xenomai.org/pipermail/xenomai/attachments/20211111/e72ff993/attachment-0001.txt>
> -------------- next part --------------
> An embedded and charset-unspecified text was scrubbed...
> Name: dovetail_kernel_event_trace.txt
> URL: <http://xenomai.org/pipermail/xenomai/attachments/20211111/e72ff993/attachment-0002.txt>
> -------------- next part --------------
> An embedded and charset-unspecified text was scrubbed...
> Name: dovetail_kernel_event_trace_disable_sandbox.txt
> URL: <http://xenomai.org/pipermail/xenomai/attachments/20211111/e72ff993/attachment-0003.txt>
> -------------- next part --------------
> An embedded and charset-unspecified text was scrubbed...
> Name: dovetail_strace.txt
> URL: <http://xenomai.org/pipermail/xenomai/attachments/20211111/e72ff993/attachment-0004.txt>
> -------------- next part --------------
> An embedded and charset-unspecified text was scrubbed...
> Name: dovetail_strace_disable_sandbox.txt
> URL: <http://xenomai.org/pipermail/xenomai/attachments/20211111/e72ff993/attachment-0005.txt>
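
One way to find where a working and a failing strace log diverge, as asked for in the thread (an added example, not part of any message above and not Xenomai or Chromium code). The function names and all sample lines other than the two `stat` lines quoted in the thread are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches a completed strace line, with or without the pid prefix added by -f.
LINE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?P<name>\w+)\((?P<args>.*)\)\s+=\s+'
    r'(?:0x[0-9a-f]+|-?\d+|\?)(?:\s+(?P<errno>E[A-Z0-9]+))?'
)
FIRST_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_strace(text):
    """Map (syscall, first string argument) to the set of outcomes seen."""
    outcomes = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # signals, "<unfinished ...>" fragments, exit notices
        arg = FIRST_STRING_RE.search(m.group("args"))
        # Pointers and fds differ between runs, so key on name + path only.
        key = (m.group("name"), arg.group(1) if arg else "")
        outcomes[key].add(m.group("errno") or "ok")
    return outcomes

def diverging_calls(working_trace, failing_trace):
    """Return calls present in both traces whose outcomes differ, ENOSYS first."""
    working, failing = parse_strace(working_trace), parse_strace(failing_trace)
    rows = [
        (name, path, sorted(working[(name, path)]), sorted(failing[(name, path)]))
        for name, path in sorted(set(working) & set(failing))
        if working[(name, path)] != failing[(name, path)]
    ]
    rows.sort(key=lambda row: "ENOSYS" not in row[3])  # stable sort
    return rows

# The two stat lines are the ones quoted in the thread; the rest are constructed.
SANDBOX_DISABLED = '''\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
stat("/sys/fs/cgroup/cpuset/chrome", 0x7f9e3a03a7c0) = -1 ENOENT (No such file or directory)
'''
SANDBOX_ENABLED = '''\
[pid  4242] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid  4242] stat("/sys/fs/cgroup/cpuset/chrome", 0x7f9068a987c0) = -1 ENOSYS (Function not implemented)
'''

if __name__ == "__main__":
    for name, path, ok, bad in diverging_calls(SANDBOX_DISABLED, SANDBOX_ENABLED):
        print(f"{name}({path!r}): working={ok} failing={bad}")
```

Run against the full attached traces, the same comparison lists every call whose result changes once the seccomp filter is active, not only the `stat` call quoted in the reply.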

