Bug 2019893

Summary: Update to 2.5.2 or newer
Product: Red Hat Enterprise Linux 8
Reporter: Debarshi Ray <debarshir>
Component: libseccomp
Assignee: Zoltan Fridrich <zfridric>
Status: CLOSED ERRATA
QA Contact: Martin Zelený <mzeleny>
Severity: medium
Docs Contact: Jan Fiala <jafiala>
Priority: medium
Version: 8.6
CC: dapospis, jafiala, mzeleny, rsroka, tpopela, zfridric
Target Milestone: rc
Keywords: Rebase, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libseccomp-2.5.2-1.el8
Doc Type: Enhancement
Doc Text:
  .`libseccomp` rebased to 2.5.2
  The `libseccomp` packages have been rebased to upstream version 2.5.2. This version provides bug fixes and enhancements, most notably:
  * Updated the syscall table for Linux to version `v5.14-rc7`.
  * Added the `get_notify_fd()` function to the Python bindings to get the notification file descriptor.
  * Consolidated multiplexed syscall handling for all architectures into one location.
  * Added multiplexed syscall support to the PowerPC (PPC) and MIPS architectures.
  * Changed the meaning of the `SECCOMP_IOCTL_NOTIF_ID_VALID` operation within the kernel.
  * Changed the `libseccomp` file descriptor notification logic to support the kernel's previous and new usage of `SECCOMP_IOCTL_NOTIF_ID_VALID`.
Story Points: ---
Last Closed: 2022-05-10 15:21:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Debarshi Ray 2021-11-03 14:53:52 UTC
Currently, RHEL 8 has libseccomp-2.5.1 which doesn't know about system calls added to recent versions of the Linux kernel.

For example, I see these commits after 2.5.1:

  syscalls: update the syscall table to v5.12-rc7 
  https://github.com/seccomp/libseccomp/commit/c56a00fe173a7dd5

  syscalls: add close_range() syscall 
  https://github.com/seccomp/libseccomp/commit/ac849e7960547d41

  syscalls: update to Linux v5.14-rc7
  https://github.com/seccomp/libseccomp/commit/c3559610ffdcda23

I see that the RHEL 8.6 dist-git has Linux 4.18.0, which seems old enough, but I don't know what sort of backports we are currently carrying or might carry in the future.

I noticed this while working on fixing CVE-2021-41133 (bug 2012245) for Flatpak, both upstream and for Fedora and RHEL.

In certain situations, Flatpak receives -EFAULT from seccomp_rule_add() if libseccomp doesn't know about the system call.  To avoid user-visible breakage, Flatpak ignores that and keeps going.  However, if the user is running a kernel that's new enough to have that system call, then this means that Flatpak doesn't block the call, leaving a gap in its sandbox.

Having a newer libseccomp will make our lives easier when evaluating the security impact and fixes for the next CVE that rolls in, by reducing the number of different kernel/libseccomp combinations.

Updating from 2.5.1 to 2.5.2 should be pretty safe, and we now have similar updates for Fedora >= 33.
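As an added example (not code from this bug report, from Flatpak or from libseccomp), the check a packager or sandbox author would want before trusting a deny list on a given host: it calls the installed libseccomp through ctypes and flags every syscall name whose resolution fails the way the report describes, so those entries would be skipped rather than blocked. `seccomp_syscall_resolve_name()` and `seccomp_version()` are libseccomp's real public API; the deny list and the bogus syscall name are constructed sample input.

```python
import ctypes
import ctypes.util

# __NR_SCMP_ERROR: returned by seccomp_syscall_resolve_name() when libseccomp's
# syscall table has no entry for the name at all (the case behind the -EFAULT
# from seccomp_rule_add() described above). A syscall that libseccomp knows but
# that does not exist on the native arch gets a different negative pseudo-number.
SCMP_ERROR = -1


class ScmpVersion(ctypes.Structure):
    """Mirror of struct scmp_version from <seccomp.h>."""
    _fields_ = [("major", ctypes.c_uint),
                ("minor", ctypes.c_uint),
                ("micro", ctypes.c_uint)]


def load_libseccomp():
    """Load the installed libseccomp and declare the two calls used here."""
    try:
        lib = ctypes.CDLL("libseccomp.so.2")
    except OSError:
        path = ctypes.util.find_library("seccomp")
        if path is None:
            raise
        lib = ctypes.CDLL(path)
    lib.seccomp_syscall_resolve_name.argtypes = [ctypes.c_char_p]
    lib.seccomp_syscall_resolve_name.restype = ctypes.c_int
    lib.seccomp_version.argtypes = []
    lib.seccomp_version.restype = ctypes.POINTER(ScmpVersion)
    return lib


def libseccomp_version(lib):
    v = lib.seccomp_version().contents
    return (v.major, v.minor, v.micro)


def resolve_deny_list(lib, names):
    """Map each name to the number libseccomp resolves it to for the native arch."""
    return {name: lib.seccomp_syscall_resolve_name(name.encode()) for name in names}


def sandbox_gaps(lib, names):
    """Names this libseccomp cannot resolve: a policy that ignores the resulting
    error leaves them unblocked on any kernel that implements them."""
    return sorted(n for n, nr in resolve_deny_list(lib, names).items() if nr == SCMP_ERROR)


if __name__ == "__main__":
    # Constructed sample: a long-standing syscall, close_range (added to the table
    # in the commit cited above), and a made-up name that no libseccomp knows.
    deny = ["read", "close_range", "not_a_real_syscall_xyz"]
    lib = load_libseccomp()
    print("libseccomp %d.%d.%d" % libseccomp_version(lib))
    for name, nr in resolve_deny_list(lib, deny).items():
        print("%-24s -> %d" % (name, nr))
    print("unresolvable (would stay unblocked):", sandbox_gaps(lib, deny))
```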

Comment 2 Debarshi Ray 2021-11-05 10:43:36 UTC
Thanks for working on this!

Comment 13 errata-xmlrpc 2022-05-10 15:21:10 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (libseccomp bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:2029