While seccomp is supported at the kernel level on all the mentioned arches it seems seccomp_filter currently fails to build on aarch64/ppc64*/s390
The errors are:
configure: error: seccomp_filter sandbox not supported on aarch64-redhat-linux-gnu
configure: error: seccomp_filter sandbox not supported on powerpc64le-redhat-linux-gnu
I'm not sure if it's the check is wrong or whether there's work that needs to be done elsewhere.
It doesn't work even on armv7hl, so I propose to remove seccomp even from this architecture.
Created attachment 994437 [details]
Add support for aarch64
open() is legacy syscall replaced by openat()
Other disabled syscalls are legacy ones not present at AArch64
ppc64 support in libseccomp is not present yet. Someone recently decided to start work on adding it.
s390 is not supported as well.
Thank you for contribution.
After fixing typo with select it works like a charm both on aarch64 and primary architectures.
But I would like to hear some reasoning behind removing SC_DENY(open, EACCES) and why is it not also in #ifdef __NR_open as the other platform dependent calls?
I'll apply this to rawhide package and propose this extension to upstream when it will be final.
open() is legacy syscall which got replaced by openat() one.
AArch64 does not support legacy ones and on other architectures glibc hides that fact by using *at() ones.
Some of those disabled syscalls should be rather replaced by non-legacy ones.
Ok. Thanks for explanation. Fixed in openssh-6.7p1-8.fc23 (aarch64). Leaving bug for other missing platforms.
Once more question, Marcin. When open is legacy replaced by openat, I can take it, but about stat? There is replacement fstatat? Why is not this one blacklisted?
In meantime, do you have some reference about legacy/non-legacy syscalls and support on different architectures? strace is blaming us with these legacy names ...
http://people.linaro.org/~riku.voipio/aarch64-talk/#/18/1 is my favorite help when it comes to legacy/deprecated syscalls on AArch64.
stat() is normal syscall afaik
~curse me please...
stat() is legacy as well.
I did some research what syscalls are used on which architecture for open and stat (should be banned but shouldn't kill program):
x86_64 open(2) fstat(5)
ix86 open(5) stat64(195) fstat64(197)
arm open(5) stat64(195) fstat64(197)
aarch64 openat ? __NR_newfstatat ?
It would be cool to have it clear also for aarch64 and other secondary architectures supporting seccomp, but I still don't have such a machine.
There are syscalls used for select. It would be great to fill and extend this list and test it little but more before we can propose some changes to upstream with new architectures.
arm _newselect ?
Just tested s390* architecture and it works fine for me if I whitelist this architecture with current system calls set. I will issue some rawhide builds later.
As I see ppc64* kernels currently do not have support for user filters (there is no CONFIG_SECCOMP_FILTER in /boot/config-*) so I will leave these out for now.
To continue investigation about the most problematic system calls and proving it works correct:
open stat select
s390x open(106) stat(5) select(142)
(finally reasonable architecture)
openssh-6.9p1-2.fc22 has been submitted as an update for Fedora 22.
openssh-6.9p1-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Last architecture where we don't build seccomp filter for openssh is ppc/ppc64/ppc64le.
Just tested patches to allow building openssh with seccomp sandbox on ppc64 and ppc64le with kernel 4.5-pre and it seems to work just fine. I will update upstream bug and add it to Fedora 24 and rawhide.
Dan, do we have some ppc (32b) machines or are you aware of some differences in ISA that could prevent it working there?
This would be the last architecture and therefore we can finally skip this check and build seccomp everywhere by default.
I would consider 32-bit ppc as dead for this purpose. It was dropped in Fedora 20 (or 21).
openssh-7.2p2-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-57cec0322d
openssh-7.2p2-7.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-57cec0322d
Created attachment 1165520 [details]
Support for seccomp filter in MIPS (thanks mtoman)
Thanks to mtoman, we have tested also seccomp filter on MIPS to general satisfaction. It works just with white-listing architecture in configure in configure.
It will be in the next update.
openssh-7.2p2-7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.