Bug 1777054

Summary: login to ssh fails with seccomp denial
Product: [Fedora] Fedora Reporter: Paul Whalen <pwhalen>
Component: opensshAssignee: Jakub Jelen <jjelen>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dwalsh, fweimer, jfch, jjelen, lkundrak, mattias.ellert, plautrba, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: arm   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-8.1p1-3.fc32 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-27 12:03:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Whalen 2019-11-26 20:25:58 UTC 
Hitting this in Rawhide on armhfp when attempting to login to a newly installed system via ssh

ssh pwhalen@bpi
Connection closed by 192.168.0.55 port 22

On the remote host:

Nov 26 15:09:04 bpi audit[814]: CRYPTO_KEY_USER pid=814 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:87:a2:84:e2:65:bd:bd:60:be:81:83:af:6c:81:a2:00:1f:bc:d6:7d:8'
Nov 26 15:09:04 bpi audit[813]: CRYPTO_SESSION pid=813 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-gcm ksize=256 mac=<implicit> pfs=curve'
Nov 26 15:09:04 bpi audit[813]: CRYPTO_SESSION pid=813 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes256-gcm ksize=256 mac=<implicit> pfs=curve'

Nov 26 15:09:04 bpi audit[814]: SECCOMP auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=814 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=407 compat=0 ip=0xb68a9550 code=00
Nov 26 15:09:04 bpi audit[814]: ANOM_ABEND auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=814 comm="sshd" exe="/usr/sbin/sshd" sig=31 res=1

Nov 26 15:09:04 bpi audit[813]: USER_ERR pid=813 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=192.168.0.11 addr=192.168.0.11 ter'
Nov 26 15:09:04 bpi audit[813]: CRYPTO_KEY_USER pid=813 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:87:a2:84:e2:65:bd:bd:60:be:81:83:af:6c:81:a2:00:1f:bc:d6:7d:8'
Nov 26 15:09:04 bpi audit[813]: USER_LOGIN pid=813 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="pwhalen" exe="/usr/sbin/sshd" hostname=? addr=192.168.0.11 terminal=ssh res=failed'

[root@bpi ~]# rpm -q openssh libseccomp glibc
openssh-8.1p1-2.fc32.armv7hl
libseccomp-2.4.2-1.fc32.armv7hl
glibc-2.30.9000-19.fc32.armv7hl

This looks very similar to BZ#1771946 however the syscall(407) in this case is for clock_nanosleep_time64, but the result is the same.
Comment 1 Jakub Jelen 2019-11-27 10:17:49 UTC 
Thank you for the report. It looks like your architecture has different syscalls in the latest glibc. I will add also this one to the whitelist (and reported upstream).

If somebody (Florian?) can point out a good reference to add also other syscalls that are equivalent to the clock_nanosleep() on other architectures, it would be very helpful so we would not have to wait until it breaks there too.
Comment 2 Jakub Jelen 2019-11-27 12:03:26 UTC 
The issue should be addressed with the latest build:

https://koji.fedoraproject.org/koji/taskinfo?taskID=39374262
Comment 3 Paul Whalen 2019-11-27 19:27:18 UTC 
Thanks, confirmed working with openssh-8.1p1-3.fc32.armv7hl.