Bug 1195065 - openssh - seccomp_filter currently failed to build on aarch64/ppc64*/s390*
Summary: openssh - seccomp_filter currently failed to build on aarch64/ppc64*/s390*
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 22
Hardware: All
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: ZedoraTracker PPCTracker ARM64, F-ExcludeArch-aarch64 F-ExcludeArch-ppc64le, PPC64LETracker
TreeView+ depends on / blocked
 
Reported: 2015-02-22 17:26 UTC by Peter Robinson
Modified: 2016-06-18 18:40 UTC (History)
10 users (show)

Fixed In Version: openssh-7.2p2-7.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-18 18:40:18 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
Add support for aarch64 (3.33 KB, patch)
2015-02-23 16:41 UTC, Marcin Juszkiewicz
no flags Details | Diff
Support for seccomp filter in MIPS (thanks mtoman) (1.01 KB, patch)
2016-06-07 07:44 UTC, Jakub Jelen
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
OpenSSH Project 2590 0 None None None 2016-06-17 11:47:41 UTC

Description Peter Robinson 2015-02-22 17:26:09 UTC
While seccomp is supported at the kernel level on all the mentioned arches it seems seccomp_filter currently fails to build on aarch64/ppc64*/s390

The errors are:
configure: error: seccomp_filter sandbox not supported on aarch64-redhat-linux-gnu

configure: error: seccomp_filter sandbox not supported on powerpc64le-redhat-linux-gnu

I'm not sure if it's the check is wrong or whether there's work that needs to be done elsewhere.

Comment 1 Jakub Jelen 2015-02-23 07:32:11 UTC
According to
https://bugzilla.redhat.com/show_bug.cgi?id=1194401#c4

It doesn't work even on armv7hl, so I propose to remove seccomp even from this architecture.

Comment 2 Marcin Juszkiewicz 2015-02-23 16:41:10 UTC
Created attachment 994437 [details]
Add support for aarch64

open() is legacy syscall replaced by openat()

Other disabled syscalls are legacy ones not present at AArch64

Comment 3 Marcin Juszkiewicz 2015-02-23 16:42:38 UTC
ppc64 support in libseccomp is not present yet. Someone recently decided to start work on adding it.

s390 is not supported as well.

Comment 4 Jakub Jelen 2015-02-24 08:17:01 UTC
Thank you for contribution.
After fixing typo with select it works like a charm both on aarch64 and primary architectures.
But I would like to hear some reasoning behind removing SC_DENY(open, EACCES) and why is it not also in #ifdef __NR_open as the other platform dependent calls?

I'll apply this to rawhide package and propose this extension to upstream when it will be final.

Comment 5 Marcin Juszkiewicz 2015-02-24 08:46:54 UTC
open() is legacy syscall which got replaced by openat() one.

AArch64 does not support legacy ones and on other architectures glibc hides that fact by using *at() ones.

Some of those disabled syscalls should be rather replaced by non-legacy ones.

Comment 6 Jakub Jelen 2015-02-24 09:33:46 UTC
Ok. Thanks for explanation. Fixed in openssh-6.7p1-8.fc23 (aarch64). Leaving bug for other missing platforms.

Comment 7 Jakub Jelen 2015-02-24 10:18:08 UTC
Once more question, Marcin. When open is legacy replaced by openat, I can take it, but about stat? There is replacement fstatat? Why is not this one blacklisted?

In meantime, do you have some reference about legacy/non-legacy syscalls and support on different architectures? strace is blaming us with these legacy names ...

Comment 8 Marcin Juszkiewicz 2015-02-25 09:50:40 UTC
http://people.linaro.org/~riku.voipio/aarch64-talk/#/18/1 is my favorite help when it comes to legacy/deprecated syscalls on AArch64.

stat() is normal syscall afaik

Comment 9 Marcin Juszkiewicz 2015-02-25 09:56:27 UTC
~curse me please...

stat() is legacy as well.

Comment 10 Jakub Jelen 2015-02-27 17:22:15 UTC
I did some research what syscalls are used on which architecture for open and stat (should be banned but shouldn't kill program):

          open      stat
x86_64   open(2)   fstat(5)
 ix86    open(5)   stat64(195)  fstat64(197)
 arm     open(5)   stat64(195)  fstat64(197)
aarch64  openat ?  __NR_newfstatat ?


It would be cool to have it clear also for aarch64 and other secondary architectures supporting seccomp, but I still don't have such a machine.


There are syscalls used for select. It would be great to fill and extend this list and test it little but more before we can propose some changes to upstream with new architectures.

x86_64   select(23)
 ix86    _newselect(142)
 arm     _newselect ?
aarch64  pselect6(72)

Comment 11 Jakub Jelen 2015-07-08 09:01:08 UTC
Just tested s390* architecture and it works fine for me if I whitelist this architecture with current system calls set. I will issue some rawhide builds later.

As I see ppc64* kernels currently do not have support for user filters (there is no CONFIG_SECCOMP_FILTER in /boot/config-*) so I will leave these out for now.

To continue investigation about the most problematic system calls and proving it works correct:
          open      stat     select
s390x     open(106) stat(5)  select(142)
  (finally reasonable architecture)

Comment 12 Fedora Update System 2015-07-16 06:16:50 UTC
openssh-6.9p1-2.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/openssh-6.9p1-2.fc22

Comment 13 Fedora Update System 2015-07-21 08:10:02 UTC
openssh-6.9p1-2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Jakub Jelen 2016-06-06 07:53:25 UTC
Last architecture where we don't build seccomp filter for openssh is ppc/ppc64/ppc64le.

Just tested patches to allow building openssh with seccomp sandbox on ppc64 and ppc64le with kernel 4.5-pre and it seems to work just fine. I will update upstream bug and add it to Fedora 24 and rawhide.

Dan, do we have some ppc (32b) machines or are you aware of some differences in ISA that could prevent it working there?

This would be the last architecture and therefore we can finally skip this check and build seccomp everywhere by default.

Comment 15 Dan Horák 2016-06-06 08:15:38 UTC
I would consider 32-bit ppc as dead for this purpose. It was dropped in Fedora 20 (or 21).

Comment 16 Fedora Update System 2016-06-06 16:02:22 UTC
openssh-7.2p2-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-57cec0322d

Comment 17 Fedora Update System 2016-06-06 17:56:40 UTC
openssh-7.2p2-7.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-57cec0322d

Comment 18 Jakub Jelen 2016-06-07 07:44:06 UTC
Created attachment 1165520 [details]
Support for seccomp filter in MIPS (thanks mtoman)

Thanks to mtoman, we have tested also seccomp filter on MIPS to general satisfaction. It works just with white-listing architecture in configure in configure.

It will be in the next update.

Comment 19 Fedora Update System 2016-06-18 18:40:10 UTC
openssh-7.2p2-7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.