Bug 1771946

Summary: glibc-2.30.9000-18.fc32: Login fails with a seccomp denial on clock_nanosleep() syscall: ANOM_ABEND exe="/usr/sbin/sshd" sig=31 res=1
Product: [Fedora] Fedora
Reporter: Petr Pisar <ppisar>
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: rawhide
CC: bgoncalv, dwalsh, fweimer, gentoo_eshoes, jfch, jjelen, lkundrak, mattias.ellert, plautrba, tmraz, vbenes
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssh-8.1p1-2.fc32
Last Closed: 2019-11-14 08:37:53 UTC
Type: Bug

Description Petr Pisar 2019-11-13 10:04:29 UTC
After updating glibc from 2.30.9000-17.fc32 to 2.30.9000-18.fc32 I cannot log in via SSH to the machine. An Audit log contains:

Nov 13 10:53:23 fedora-32 audit[4230]: SECCOMP auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=230 compat=0 ip=0x7f5e6aafa55e code=0x0
Nov 13 10:53:23 fedora-32 kernel: audit: type=1326 audit(1573638803.809:210): auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=230 compat=0 ip=0x7f5e6aafa55e code=0x0
Nov 13 10:53:23 fedora-32 audit[4230]: ANOM_ABEND auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 res=1
Nov 13 10:53:23 fedora-32 kernel: audit: type=1701 audit(1573638803.809:211): auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 res=1
Nov 13 10:53:23 fedora-32 kernel: audit: type=1109 audit(1573638803.811:212): pid=4229 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=2620:52:0:2b02:1aa9:5ff:feb6:209b addr=2620:52:0:2b02:1aa9:5ff:feb6:209b terminal=ssh res=failed'

syscall 230 is clock_nanosleep(). ANOM_ABEND means a process received a fatal signal. Signal 31 is SIGSYS.

These glibc RPM changelog entries look suspicious:

- nptl: Move nanosleep implementation to libc
- Refactor nanosleep in terms of clock_nanosleep

I believe sshd needs to update its seccomp policy to allow clock_nanosleep(2) syscall to work with recent glibc correctly.
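
Added example, not part of the original report and not OpenSSH or glibc code: a small triage script that decodes SECCOMP audit records like the ones above into the architecture, syscall name and signal, and links them to the matching ANOM_ABEND. The function names are hypothetical, and the syscall table is a partial x86_64 table holding only the two syscalls relevant here.

```python
import re

# Audit records abridged from the report above (auid/ses/subj fields dropped for width).
SAMPLE = """\
Nov 13 10:53:23 fedora-32 audit[4230]: SECCOMP uid=74 gid=74 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=230 compat=0 ip=0x7f5e6aafa55e code=0x0
Nov 13 10:53:23 fedora-32 kernel: audit: type=1326 audit(1573638803.809:210): uid=74 gid=74 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=230 compat=0 ip=0x7f5e6aafa55e code=0x0
Nov 13 10:53:23 fedora-32 audit[4230]: ANOM_ABEND uid=74 gid=74 pid=4230 comm="sshd" exe="/usr/sbin/sshd" sig=31 res=1
"""

TYPES = {"1326": "SECCOMP", "1701": "ANOM_ABEND"}  # numeric types in kernel-format lines
ARCHES = {0xC000003E: "x86_64"}                     # AUDIT_ARCH_X86_64
SYSCALLS = {"x86_64": {35: "nanosleep", 230: "clock_nanosleep"}}  # partial table
SIGNALS = {31: "SIGSYS"}

RECORD = re.compile(r"audit(?:\[\d+\])?: (?:type=(?P<num>\d+) audit\([^)]*\): "
                    r"|(?P<name>[A-Z_]+) )(?P<body>.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Parse one journald- or kernel-format audit line into a dict, or None."""
    m = RECORD.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(m["body"])}
    rec["type"] = m["name"] or TYPES.get(m["num"], m["num"])
    return rec

def seccomp_denials(log_text):
    """One finding per distinct SECCOMP event; 'killed' is set when an
    ANOM_ABEND record exists for the same pid and signal."""
    records = [r for r in map(parse, log_text.splitlines()) if r]
    aborted = {(r["pid"], r["sig"]) for r in records if r["type"] == "ANOM_ABEND"}
    findings = {}
    for r in (r for r in records if r["type"] == "SECCOMP"):
        arch = ARCHES.get(int(r["arch"], 16), "unknown")
        nr = int(r["syscall"])
        key = (r["pid"], r["arch"], nr, r["ip"])  # same event logged twice -> one finding
        findings[key] = {
            "exe": r["exe"], "pid": int(r["pid"]), "arch": arch,
            "syscall": SYSCALLS.get(arch, {}).get(nr, f"syscall#{nr}"),
            "signal": SIGNALS.get(int(r["sig"]), f"signal#{r['sig']}"),
            "killed": (r["pid"], r["sig"]) in aborted,
        }
    return list(findings.values())

if __name__ == "__main__":
    for finding in seccomp_denials(SAMPLE):
        print(finding)
```

A finding whose syscall is one the C library newly routes an existing call through, as with nanosleep and clock_nanosleep here, points at a sandbox allowlist that has fallen behind the library rather than at hostile input.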

Comment 1 Petr Pisar 2019-11-13 10:06:04 UTC
I have openssh-server-8.1p1-1.fc32.x86_64.

Comment 2 Jakub Jelen 2019-11-13 12:07:15 UTC
Thank you for the report. Can you try the following scratch build to see whether it addresses the issue:

https://koji.fedoraproject.org/koji/taskinfo?taskID=38964144

(added the clock_nanosleep() to the seccomp whitelist)

Comment 3 Petr Pisar 2019-11-14 07:11:36 UTC
I confirm the scratch build fixes the issue for me.

Comment 4 Jakub Jelen 2019-11-14 08:25:28 UTC
Thank you for verifying the fix. I will push the rawhide update now.

Comment 5 Florian Weimer 2019-11-19 11:16:20 UTC
*** Bug 1773912 has been marked as a duplicate of this bug. ***

Comment 6 Jakub Jelen 2019-11-22 09:09:29 UTC
*** Bug 1775533 has been marked as a duplicate of this bug. ***