backport time64 syscalls whitelist

Bug #1868720 reported by xantares
Affects                Status        Importance  Assigned to  Milestone
docker.io (Ubuntu)     New           Undecided   Unassigned
  Bionic               New           Undecided   Unassigned
  Disco                Won't Fix     Undecided   Unassigned
  Eoan                 New           Undecided   Unassigned
  Focal                New           Undecided   Unassigned
libseccomp (Ubuntu)    Fix Released  Undecided   Unassigned
  Bionic               Triaged       Undecided   Unassigned
  Disco                Won't Fix     Undecided   Unassigned
  Eoan                 Triaged       Undecided   Unassigned
  Focal                Fix Released  Undecided   Unassigned

Bug Description

A number of new *time64 syscalls are introduced in newer kernel series (>=5.1.x):

403: clock_gettime64
404: clock_settime64
405: clock_adjtime64
406: clock_getres_time64
407: clock_nanosleep_time64
408: timer_gettime64
409: timer_settime64
410: timerfd_gettime64
411: timerfd_settime64
412: utimensat_time64
413: pselect6_time64
414: ppoll_time64

In particular, utimensat_time64 is now used inside glibc>=2.31.

In turn, Ubuntu has trouble running Docker images of newer distros.
This problem affects libseccomp<2.4.2, i.e. bionic (LTS) and eoan, but not focal.

See a similar report at Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1770154

A solution could be to backport the related changes from 2.4.2 similarly to what happened for the statx whitelisting (https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1755250).
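A way to check whether the libseccomp on a host already knows these names, as an added example that is not part of this bug report or of the libseccomp project: it assumes the scmp_sys_resolver tool shipped with libseccomp is on PATH and uses its -a ARCH option to query the 32-bit tables.

```shell
#!/bin/sh
# Added example (not from the bug report or libseccomp): ask the installed
# libseccomp which *time64 syscall names it can resolve for a 32-bit ABI.
# A name that resolves to -1 is unknown to the library, so a name-based
# allowlist (such as Docker's default profile) cannot admit it and the
# container gets EPERM. Assumes scmp_sys_resolver (libseccomp) is on PATH.

TIME64_SYSCALLS="clock_gettime64 clock_settime64 clock_adjtime64 \
clock_getres_time64 clock_nanosleep_time64 timer_gettime64 timer_settime64 \
timerfd_gettime64 timerfd_settime64 utimensat_time64 pselect6_time64 ppoll_time64"

# resolve_time64 ARCH: one "name number" line per syscall. libseccomp prints
# -1 for an unknown name; a negative pseudo number (< -1) means the name is
# known but has no number on ARCH, which is fine for an allowlist.
resolve_time64() {
    for name in $TIME64_SYSCALLS; do
        num=$(scmp_sys_resolver -a "$1" "$name") || return 2
        printf '%s %s\n' "$name" "$num"
    done
}

# summarize_resolution: reads "name number" lines on stdin, echoes each
# unresolved name and ends with a "missing=N" line.
summarize_resolution() {
    missing=0
    while read -r name num; do
        [ "$num" = "-1" ] || continue
        echo "unresolved: $name"
        missing=$((missing + 1))
    done
    echo "missing=$missing"
}

# check_time64 ARCH (e.g. x86, arm): exit 0 when every name resolves, 1 when
# the library predates the time64 tables, 2 when the resolver tool is absent.
check_time64() {
    if ! command -v scmp_sys_resolver >/dev/null 2>&1; then
        echo "scmp_sys_resolver not found; install the libseccomp tools" >&2
        return 2
    fi
    lines=$(resolve_time64 "$1") || return 2
    summary=$(printf '%s\n' "$lines" | summarize_resolution)
    echo "$summary"
    case "$summary" in
        *missing=0) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: check_time64 x86 || echo "libseccomp lacks the 2.4.2 time64 tables"
```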

xantares (xantares09)
description: updated
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "backport time64 syscalls from 2.4.2 into 2.4.1" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Rafael David Tinoco (rafaeldtinoco) wrote :

I believe the patch you're mentioning, which is worth backporting to Bionic and Eoan, is this:

$ git log -1 -p be65b26b67099be2b2b4890d736dbd1ad15adf36 | diffstat
 include/seccomp-syscalls.h | 208 +++++++++++++++++++++++++++++++++++++++++-
 src/arch-aarch64-syscalls.c | 35 ++++++-
 src/arch-arm-syscalls.c | 35 ++++++-
 src/arch-mips-syscalls.c | 51 ++++++++--
 src/arch-mips64-syscalls.c | 31 ++++++
 src/arch-mips64n32-syscalls.c | 31 ++++++
 src/arch-parisc-syscalls.c | 33 ++++++
 src/arch-ppc-syscalls.c | 51 ++++++++--
 src/arch-ppc64-syscalls.c | 53 ++++++++--
 src/arch-s390-syscalls.c | 57 ++++++++---
 src/arch-s390.c | 160 ++++++++++++++++++++++++++++----
 src/arch-s390x-syscalls.c | 59 ++++++++---
 src/arch-s390x.c | 160 ++++++++++++++++++++++++++++----
 src/arch-x32-syscalls.c | 31 ++++++
 src/arch-x86-syscalls.c | 105 ++++++++++++++++++---
 src/arch-x86.c | 161 ++++++++++++++++++++++++++++----
 src/arch-x86_64-syscalls.c | 31 ++++++
 17 files changed, 1150 insertions(+), 142 deletions(-)

and to be honest that seems appropriate as it only updates the tables and allows supporting newer system calls for all arches.

Changed in libseccomp (Ubuntu):
status: New → Triaged
Changed in libseccomp (Ubuntu Focal):
status: Triaged → Fix Released
Changed in libseccomp (Ubuntu Eoan):
status: New → Confirmed
Changed in libseccomp (Ubuntu Disco):
status: New → Won't Fix
Changed in libseccomp (Ubuntu Bionic):
status: New → Confirmed
tags: added: server-next
Changed in libseccomp (Ubuntu Bionic):
status: Confirmed → Triaged
Changed in libseccomp (Ubuntu Eoan):
status: Confirmed → Triaged
Rafael David Tinoco (rafaeldtinoco) wrote :

Could you provide a failing test case so we can base the SRU (stable release update) on it and use it as a non-regression test?

xantares (xantares09) wrote :

Of course, you do:

cd /tmp && git clone https://github.com/xantares/test-seccomp-time64.git && docker build test-seccomp-time64

xantares (xantares09) wrote :

Turns out we may also need this fix in docker: https://github.com/moby/moby/pull/40739

xantares (xantares09) wrote :

Focal may be affected after all, then.

Changed in docker.io (Ubuntu Disco):
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

There is actually an SRU in progress for libseccomp: https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1876055.

Christian Ehrhardt (paelzer) wrote :

Thanks Jamie, that will fix this bug here as well then; IMHO we should mark it as a dup.
