Bug 1702169 - seccomp argument filtering not working properly with libseccomp-golang 0.9.0
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: golang-github-seccomp-libseccomp-golang
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Robert-André Mauchin 🐧
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-04-23 06:53 UTC by Maciek Borzecki
Modified: 2019-05-06 04:15 UTC (History)

Fixed In Version: golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29
Last Closed: 2019-05-06 00:45:16 UTC
Type: Bug


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1825052 0 None None None 2019-04-23 06:54:33 UTC

Description Maciek Borzecki 2019-04-23 06:53:58 UTC
Description of problem:

While investigating some issues with seccomp argument filtering in snapd, a bug was identified in the 0.9.0 golang libseccomp bindings. The bug is already fixed in master, but since 0.9 is the latest release, the fix is not available anywhere unless a distro uses a snapshot or cherry-picks a specific patch.

The details are provided in https://bugs.launchpad.net/snapd/+bug/1825052 and the snapd forum topic
https://forum.snapcraft.io/t/disabling-seccomp-sandbox-where-a-buggy-golang-seccomp-is-used/11054

The commit with the fix is https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e

Version-Release number of selected component (if applicable):
0.9.0

How reproducible:
always

Comment 1 Robert-André Mauchin 🐧 2019-04-23 08:06:22 UTC
You need an update ASAP?

Comment 2 Maciek Borzecki 2019-04-23 08:37:55 UTC
(In reply to Robert-André Mauchin from comment #1)
> You need an update ASAP?

Yes, that would be great. The problem is that, when constructing a rule for a syscall that matches more than one argument, the generated seccomp rule does not AND the conditions for each argument. Effectively, the resulting BPF will be incorrect, and a call that ought to be blocked will be allowed by seccomp.
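
The effect described in comment 2, as an added example that is not part of the bug report or of libseccomp-golang: a pure-Go model of an allow rule with two argument conditions, evaluated once with the conditions ANDed and once with each condition standing alone. The `Rule` and `Cond` types, `splitPerCondition`, and the `socket` rule are constructed for illustration; treating the fault as one rule per condition is an assumption about its shape.

```go
package main

import "fmt"

// Cond is one argument comparison: syscall argument Arg must equal Value.
type Cond struct {
	Arg   int
	Value uint64
}

// Rule allows Syscall only when every condition in Conds holds (AND).
type Rule struct {
	Syscall string
	Conds   []Cond
}

// splitPerCondition models the faulty outcome (assumed shape, for illustration):
// each condition ends up as its own rule, so one matching argument is enough.
func splitPerCondition(r Rule) []Rule {
	var out []Rule
	for _, c := range r.Conds {
		out = append(out, Rule{r.Syscall, []Cond{c}})
	}
	return out
}

// Allowed evaluates an allow-list filter: default deny, allow on any full rule match.
func Allowed(rules []Rule, name string, args [6]uint64) bool {
	for _, r := range rules {
		match := r.Syscall == name
		for _, c := range r.Conds {
			match = match && args[c.Arg] == c.Value
		}
		if match {
			return true
		}
	}
	return false
}

func main() {
	const afUnix, afInet, sockStream = 1, 2, 1 // Linux values of AF_UNIX, AF_INET, SOCK_STREAM
	rule := Rule{"socket", []Cond{{0, afUnix}, {1, sockStream}}} // constructed sample rule
	call := [6]uint64{afInet, sockStream, 0}                     // wrong family: must be denied
	fmt.Println("conditions ANDed:  allowed =", Allowed([]Rule{rule}, "socket", call))
	fmt.Println("one rule per cond: allowed =", Allowed(splitPerCondition(rule), "socket", call))
}
```

The same two-call comparison (one call that satisfies every condition, one that satisfies only one) is a useful regression check against a real filter after rebuilding with the fixed bindings.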

Comment 3 Fedora Update System 2019-04-23 08:45:14 UTC
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bde7ac3a13

Comment 4 Maciek Borzecki 2019-04-23 10:12:22 UTC
Thank you for pushing out an update for F30. Would it be possible to update the package in F29 too?

Comment 5 Fedora Update System 2019-04-23 10:16:38 UTC
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-773508199b

Comment 6 Robert-André Mauchin 🐧 2019-04-23 10:22:12 UTC
(In reply to Maciek Borzecki from comment #4)
> Thank you for pushing out an update for F30. Would it be possible to update the
> package in F29 too?

Yes, it's done. But snapd probably needs a rebuild so that the changes are integrated in the final binary. I could do it, but I would prefer the maintainer, Neal Gompa, take care of it.

Comment 7 Maciek Borzecki 2019-04-23 13:47:20 UTC
Thanks for the updates. I'll grab the built packages, double check locally and post back karma.

Comment 8 Fedora Update System 2019-04-23 14:56:07 UTC
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bde7ac3a13

Comment 9 Fedora Update System 2019-04-23 21:16:12 UTC
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-773508199b

Comment 10 Robert-André Mauchin 🐧 2019-04-23 21:35:26 UTC
(In reply to Maciek Borzecki from comment #7)
> Thanks for the updates. I'll grab the built packages, double check locally
> and post back karma.

I've rebuilt snapd for F29-F31.

Comment 11 Fedora Update System 2019-05-06 00:45:16 UTC
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2019-05-06 04:15:00 UTC
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

