Bug 1978397

Summary: seccomp whitelist missing statfs64 syscall for s390x and ppc64
Product: Red Hat Enterprise Linux 9 Reporter: Ondrej Moriš <omoris>
Component: libreswanAssignee: Daiki Ueno <dueno>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 9.0Keywords: Triaged
Target Milestone: betaFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libreswan-4.9-1.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 07:48:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ondrej Moriš 2021-07-01 17:43:02 UTC 
Description of problem:

If seccomp is set to either tolerant or enabled then connection cannot be established (with seccomp=disabled) it work fine. Switching selinux to permissive mode does not make any difference.

Version-Release number of selected component (if applicable):

libreswan-4.2-1.el9 as well as libreswan-4.4-1.el9

How reproducible:

100%

Steps to Reproduce:

1. Configure client and server as follows:

version 2.0

config setup
 plutodebug="all"
 logappend=no
 plutostderrlog="/tmp/pluto.log"
 protostack=netkey
 seccomp=tolerant # or enabled
 
conn test
 authby=secret
 left=<CLIENT>
 right=<SERVER>
 keyingtries=1
 ikev2=insist 
 auto=add

2. Start ipsec service on both sides and initiate connection from client:

# ipsec auto --up test
181 "test" #1: initiating IKEv2 connection
181 "test" #1: sent IKE_SA_INIT request
182 "test" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
010 "test" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
010 "test" #2: STATE_PARENT_I2: retransmission; will wait 1 seconds for response
010 "test" #2: STATE_PARENT_I2: retransmission; will wait 2 seconds for response
010 "test" #2: STATE_PARENT_I2: retransmission; will wait 4 seconds for response
010 "test" #2: STATE_PARENT_I2: retransmission; will wait 8 seconds for response
010 "test" #2: STATE_PARENT_I2: retransmission; will wait 16 seconds for response
010 "test" #2: STATE_PARENT_I2: retransmission; will wait 32 seconds for response
031 "test" #2: STATE_PARENT_I2: 60 second timeout exceeded after 7 retransmits.  Possible authentication failure: no acceptable response to our first encrypted message
002 "test" #1: deleting state (STATE_PARENT_I2) aged 64.043009s and NOT sending notification
003 "test" #2: reschedule pending CHILD SA - the IKE SA #1 is going away
002 "test" #1: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS

Actual results:

See above. The only AVC on the system is already described in BZ#1940843.

Expected results:

Connection can be established and used regardless of seccomp setting.

Additional info:

In the past we were experiencing these issues when some syscalls were missing in allow-lists but it only broke connection when seccomp was set to enabled. Now we see it fails even for seccomp=tolerant and even in permissive selinux mode.
Comment 1 Ondrej Moriš 2022-02-12 15:45:09 UTC 
Update for libreswan-4.6. Connections can be established correctly for both tolerand and enabled seccomp settings but on s390x and ppc64le two syscals getsid and statfs64:

type=SECCOMP msg=audit(02/12/2022 07:28:49.905:1479) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_mgmt_t:s0 pid=75711 comm=sed exe=/usr/bin/sed sig=SIGSYS arch=s390x syscall=statfs64 compat=0 ip=0x3ff8f88d2de code=kill 
type=SECCOMP msg=audit(02/12/2022 07:23:00.495:1411) : auid=unset uid=root gid=root ses=unset subj=system_u:system_r:ipsec_t:s0 pid=74982 comm=pluto exe=/usr/libexec/ipsec/pluto sig=SIGSYS arch=s390x syscall=getsid compat=0 ip=0x3ff97c36ef2 code=kill
Comment 2 Daiki Ueno 2022-06-24 06:09:30 UTC 
Ondrej, could we consider this bug as verified and close it as CURRENTRELEASE?
Comment 3 Ondrej Moriš 2022-06-27 15:52:26 UTC 
Even though the connection works with 4.6 I think we should not see those SECCOMP audit events on s390x and ppc64le. I did a bit of investigation and getsid syscall SECCOMP can actually be ignored because it is caused by "ipsec whack --seccomp-crashtest" done in the test (they use this particular syscall to test that seccomp works and this whack --seccomp-crashtest option is the test). However, that is not the case of statfs64 syscall. This one needs to be added (I see statfs already included [1]).

Since we ruled out getsid() I am updating the bug summary.

[1] https://github.com/libreswan/libreswan/blob/004ef1508be1a9a6c427f04df3e6647d3380dac7/programs/pluto/pluto_seccomp.c#L160
Comment 4 Ondrej Moriš 2022-06-28 07:58:21 UTC 
I filed https://github.com/libreswan/libreswan/pull/782 to address this upstream.
Comment 6 Daiki Ueno 2022-12-06 12:19:32 UTC 
(In reply to Ondrej Moriš from comment #4)
> I filed https://github.com/libreswan/libreswan/pull/782 to address this
> upstream.

Thank you; as the PR has been merged in 4.8, this bug should be closed once we update the package to that version.
Comment 12 errata-xmlrpc 2023-05-09 07:48:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libreswan bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2355