Bug 1690104

Summary: seccomp rules for personality(2) deny lots of normal stuff
Product: [Fedora] Fedora
Reporter: Peter Jones <pjones>
Component: skopeo
Assignee: Antonio Murdaca <amurdaca>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 29
CC: amurdaca, bbaude, dwalsh, lsm5, nalin
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: skopeo-0.1.37-0.gite079f9d.fc30 skopeo-0.1.37-0.gite079f9d.fc29
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-24 00:56:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Peter Jones 2019-03-18 19:29:29 UTC
Description of problem: seccomp denies every personality(2) flag except PER_LINUX, PER_LINUX32, and -1.  This makes containers with OS userlands exhibiting https://bugzilla.redhat.com/show_bug.cgi?id=1690102 (such as RHEL 7) fail in this awesome way:

[root@daf23c28d8db build]# setarch linux32 -B uname -m
x86_64
[root@daf23c28d8db build]# setarch linux32 uname -m
i686

Version-Release number of selected component (if applicable): 0.1.35-1.git404c5bd.fc29.x86_64

How reproducible: 100%


Steps to Reproduce:
1. build an image with a rhel 7 (or centos 7) root
2. run "setarch linux32 -B uname -m" in it
3. observe the wrong answer, which would be right if ADDR_LIMIT_3G worked

Actual results: personality(2) gives -EPERM instead of working


Expected results: personality(2) works normally without error


Additional info: I'm not really sure what the point of limiting personality(2) flags is - it could really just go on the allowed system calls list.

Comment 1 Daniel Walsh 2019-03-18 19:41:16 UTC
Peter, what exactly does the personality call do?

If you add the syscall to /usr/share/containers/seccomp.json does the rest of the code work correctly?

Comment 2 Peter Jones 2019-03-22 13:44:07 UTC
It's the syscall that switches out (among other things) what uname returns, limits how much address space you have to 32-bits (or 3 gig in this case), and things of that nature.  If I add more values to its arguments in seccomp.json it does work, or if I add it to the list of calls that are just allowed, it also works.
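
As an added illustration (not code from this bug report or from skopeo), here is a small evaluator for OCI/Docker-style seccomp.json argument rules. It shows why the `setarch linux32 -B` call in the description gets -EPERM under a whitelist of only PER_LINUX, PER_LINUX32 and -1, and passes once the exact persona value is added, which is the kind of edit Comment 2 describes. The profile fragment is constructed for the example; the personality constants are the values from <linux/personality.h>.

```python
import json

# Values from <linux/personality.h> (assumed here, not quoted on the bug page).
PER_LINUX = 0x0000
PER_LINUX32 = 0x0008
ADDR_LIMIT_32BIT = 0x0800000   # requested by `setarch -B`
ADDR_LIMIT_3GB = 0x8000000     # requested by `setarch -3`
QUERY = 0xFFFFFFFF             # personality(-1): only read the current persona

# Constructed fragment in the OCI/Docker seccomp.json style, mirroring the rules the
# report describes: personality is allowed only for PER_LINUX, PER_LINUX32 and -1.
RESTRICTIVE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 8, "op": "SCMP_CMP_EQ"}]},
    {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 4294967295, "op": "SCMP_CMP_EQ"}]}
  ]}""")

def _arg_matches(cmp, argv):
    v, op, one = argv[cmp["index"]], cmp["op"], cmp["value"]
    if op == "SCMP_CMP_EQ":
        return v == one
    raise ValueError(f"unsupported op {op}")

def evaluate(profile, syscall, argv):
    """Action a profile yields for one call: a rule applies when the name matches and
    every arg comparator holds; the first applicable rule wins, else defaultAction."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and all(_arg_matches(c, argv) for c in rule.get("args", [])):
            return rule["action"]
    return profile["defaultAction"]

def with_extra_personas(profile, personas):
    """Copy of profile that additionally allows the given exact personality values
    (the kind of edit the reporter made to /usr/share/containers/seccomp.json)."""
    new = json.loads(json.dumps(profile))
    for p in personas:
        new["syscalls"].append({"names": ["personality"], "action": "SCMP_ACT_ALLOW",
                                "args": [{"index": 0, "value": p, "op": "SCMP_CMP_EQ"}]})
    return new

if __name__ == "__main__":
    relaxed = with_extra_personas(RESTRICTIVE, [PER_LINUX32 | ADDR_LIMIT_32BIT])
    for label, persona in [("linux32", PER_LINUX32), ("linux32 -B", PER_LINUX32 | ADDR_LIMIT_32BIT)]:
        print(f"{label:12} restrictive={evaluate(RESTRICTIVE, 'personality', [persona])}"
              f" relaxed={evaluate(relaxed, 'personality', [persona])}")
```

Adding exact persona values keeps the argument filter in place, which is narrower than moving personality onto the unconditional allow list; each extra value is a deliberate, reviewable exception rather than a blanket grant.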

Comment 3 Daniel Walsh 2019-03-25 10:52:28 UTC
Could you send me or attach your modified seccomp.json file? Then I can make the modifications. If you don't see this as a possible security escalation, then I am willing to take in the changes.

Comment 4 Fedora Update System 2019-06-15 14:12:11 UTC
FEDORA-2019-96f06abcec has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-96f06abcec

Comment 5 Fedora Update System 2019-06-16 00:54:25 UTC
skopeo-0.1.37-0.gite079f9d.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e2637b6f18

Comment 6 Fedora Update System 2019-06-16 01:14:44 UTC
skopeo-0.1.37-0.gite079f9d.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-96f06abcec

Comment 7 Fedora Update System 2019-06-24 00:56:42 UTC
skopeo-0.1.37-0.gite079f9d.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2019-06-24 10:39:46 UTC
skopeo-0.1.37-0.gite079f9d.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.