Ubuntu
libcap2 package

libcap2 seems to not work correctly when linked with -Bsymbolic-functions

Bug #2003892 reported by Danilo Egea Gondolfo
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libcap2 (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

Ubuntu will include -Wl,-Bsymbolic-functions in the build flags by default. This option seems to break libcap2.

One of the autopkgtests that is supposed to prevent an exploitation instance using capabilities fails: https://autopkgtest.ubuntu.com/results/autopkgtest-lunar/lunar/amd64/libc/libcap2/20230123_094238_95088@/log.gz

The solution is to exclude this flag from the set of flags:

debian/rules:
export DEB_LDFLAGS_MAINT_STRIP = -Wl,-Bsymbolic-functions

Debian seems to not be affected by that as they don't include this flag in their build: https://buildd.debian.org/status/fetch.php?pkg=libcap2&arch=amd64&ver=1%3A2.66-3&stamp=1671660323&raw=0

Related branches

~danilogondolfo/ubuntu/+source/libcap2:merge-lp2020460-mantic
William Wilson (community): Approve
git-ubuntu import: Pending requested
Diff: 84 lines (+34/-2)
4 files modified
debian/changelog (+26/-0)
debian/control (+2/-1)
debian/rules (+3/-0)
debian/tests/upstream-root (+3/-1)
~danilogondolfo/ubuntu/+source/libcap2:fix_autopkgtest_armhf
Ubuntu Sponsors: Pending requested
git-ubuntu import: Pending requested
Diff: 32 lines (+12/-1)
2 files modified
debian/changelog (+9/-0)
debian/tests/upstream-root (+3/-1)
~danilogondolfo/ubuntu/+source/libcap2:lp2003892
Lukas Märdian (community): Approve
git-ubuntu import: Pending requested
Diff: 42 lines (+11/-1)
3 files modified
debian/changelog (+6/-0)
debian/control (+2/-1)
debian/rules (+3/-0)
Revision history for this message
Danilo Egea Gondolfo (danilogondolfo) wrote :

Note: when testing this package with autopkgtest (or sbuild) locally, you need to remove the .git directory (if there is one) or the build will fail. One of the make files will detect the directory exists and set the environment variable DYNAMIC to no. Because of that, static binaries will be generated and the command chrpath in debian/rules will fail.

Revision history for this message
Danilo Egea Gondolfo (danilogondolfo) wrote :

More cases where the same linker flags caused issues

https://bugs.launchpad.net/ubuntu/+source/openblas/+bug/1860601

https://bugs.launchpad.net/ubuntu/+source/bacula/+bug/1898006

Lukas Märdian (slyon)
Changed in libcap2 (Ubuntu):
status: New → In Progress
Revision history for this message
Lukas Märdian (slyon) wrote :

There's now an additional failure on armhf only, which is most probably related to the armhf test runners being executed as LXD containers on a base system using an older kernel:

autopkgtest [09:46:55]: test upstream-root: [-----------------------
@@@ Running upstream tests (root required) @@@
## Preparation ##
## libcap2 tests ##
user namespace launched exploit worked - upgrade kernel
autopkgtest [09:46:58]: test upstream-root: -----------------------]
autopkgtest [09:47:02]: test upstream-root: - - - - - - - - - - results - - - - - - - - - -
upstream-root FAIL non-zero exit status 1

That "upstream-root" test is a new case, which is not yet available in the -release version of libcap2 (1:2.44-1build3), therefore this should not be considered a regression, but rather an issue with the test infrastructure. IMO this test case should be skipped or hinted on armhf.

Revision history for this message
Danilo Egea Gondolfo (danilogondolfo) wrote :

More specifically, this test [1] is failing. It uses clone() to create a process in a new user namespace and apparently it should fail.

I can't reproduce it with a LXD arhmf container on my own environment. All the tests pass.

[1] - https://git.launchpad.net/ubuntu/+source/libcap2/tree/tests/uns_test.c

Revision history for this message
Danilo Egea Gondolfo (danilogondolfo) wrote :

The problem is reproducible on Focal (kernel 5.4) in an armhf LXD container. The armhf architecture seems to be the only one using hosts with kernel 5.4. I believe the best approach is to skip only the test that is failing rather than the entire test script. So we will need to patch d/t/upstream-root. Once we upgrade the hosts used for armhf tests we can drop the patch.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libcap2 - 1:2.66-3ubuntu2

---------------
libcap2 (1:2.66-3ubuntu2) lunar; urgency=medium

  * Skip the test uns_test to fix autopkgtest on armhf.
    It's failing on armhf because we are using an older kernel in the armhf
    builders. This test succeeds on newer versions. Once we upgrade our
    hosts this patch can be dropped. See LP#2003892

 -- Danilo Egea Gondolfo <email address hidden> Fri, 03 Feb 2023 11:18:40 +0000

Changed in libcap2 (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.