Bug 1702169
Summary: | seccomp argument filtering not working properly with libseccomp-golang 0.9.0 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Maciek Borzecki <maciek.borzecki> |
Component: | golang-github-seccomp-libseccomp-golang | Assignee: | Robert-André Mauchin 🐧 <zebob.m> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 29 | CC: | go-sig, jchaloup, ngompa13, zebob.m |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-05-06 00:45:16 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Maciek Borzecki
2019-04-23 06:53:58 UTC
You need an update ASAP? (In reply to Robert-André Mauchin from comment #1) > You need an update ASAP? Yes, that would be great. The problem is that, when constructing a rule for a syscall that matches more than one argument, the generated seccomp rule does not AND the conditions for each argument. Effectively, the resulting BPF will be incorrect, and a call that ought to be blocked will be allowed by seccomp. golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bde7ac3a13 Thank you for pushing out an update for F30. Would it be possible update the package in F29 too? golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-773508199b (In reply to Maciek Borzecki from comment #4) > Thank you for pushing out an update for F30. Would it be possible update the > package in F29 too? Yes it's done. But snapd probably needs a rebuild so that the change are integrated in the final binary. I could do it but I would prefer the maintainer Neal Gompa take care of it. Thanks for the updates. I'll grab the built packages, double check locally and post back karma. golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bde7ac3a13 golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-773508199b (In reply to Maciek Borzecki from comment #7) > Thanks for the updates. I'll grab the built packages, double check locally > and post back karma. I've rebuild snapd for F29-F31. golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report. golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |