Description of problem:
While investigating some issues with seccomp argument filtering in snapd, a bug was identified in the 0.9.0 golang libseccomp bindings. The bug is already fixed in master, but since 0.9 is the latest release, the fix is not available anywhere unless a distro uses a snapshot or cherry-picks a specific patch. The details are provided in https://bugs.launchpad.net/snapd/+bug/1825052 and snapd forum topic https://forum.snapcraft.io/t/disabling-seccomp-sandbox-where-a-buggy-golang-seccomp-is-used/11054. The commit with the fix is https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e

Version-Release number of selected component (if applicable):
0.9.0

How reproducible:
always
You need an update ASAP?
(In reply to Robert-André Mauchin from comment #1)
> You need an update ASAP?

Yes, that would be great. The problem is that, when constructing a rule for a syscall that matches more than one argument, the generated seccomp rule does not AND the conditions for each argument. Effectively, the resulting BPF will be incorrect, and a call that ought to be blocked will be allowed by seccomp.
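The effect described in the comment above, as an added example that is not part of the original bug report or of libseccomp-golang: a small Go model that compares the intended AND evaluation of a two-argument allow rule with an evaluation in which each condition acts as a rule of its own (an assumption about the failure mode). The socket rule, the sample calls and all names are constructed for illustration.

```go
package main

import "fmt"

// Cond requires syscall argument number Arg to equal Value.
type Cond struct {
	Arg   int
	Value uint64
}

// Allowed evaluates the argument conditions of one allow rule against args.
// and=true is the intended semantics (every condition must hold); and=false
// models the fault (assumption: each condition acts as a rule of its own,
// so a single match is enough).
func Allowed(conds []Cond, args []uint64, and bool) bool {
	hits := 0
	for _, c := range conds {
		if c.Arg < len(args) && args[c.Arg] == c.Value {
			hits++
		}
	}
	if and {
		return hits == len(conds)
	}
	return hits > 0 || len(conds) == 0
}

// Leaks lists argument sets the faulty evaluation allows but the intended one blocks.
func Leaks(conds []Cond, calls [][]uint64) (out [][]uint64) {
	for _, args := range calls {
		if Allowed(conds, args, false) && !Allowed(conds, args, true) {
			out = append(out, args)
		}
	}
	return out
}

// Constructed sample: the rule is meant to allow only socket(AF_UNIX=1, SOCK_STREAM=1, ...).
var SampleRule = []Cond{{0, 1}, {1, 1}}
var SampleCalls = [][]uint64{
	{1, 1, 0}, // AF_UNIX, SOCK_STREAM: the intended match
	{2, 1, 0}, // AF_INET, SOCK_STREAM
	{1, 2, 0}, // AF_UNIX, SOCK_DGRAM
	{2, 2, 0}, // AF_INET, SOCK_DGRAM
}

func main() {
	fmt.Println("allowed only by the faulty evaluation:", Leaks(SampleRule, SampleCalls))
}
```

A policy test suite that includes calls matching only one of a rule's conditions, as the second and third sample calls do, catches this class of regression after a rebuild.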
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bde7ac3a13
Thank you for pushing out an update for F30. Would it be possible to update the package in F29 too?
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-773508199b
(In reply to Maciek Borzecki from comment #4)
> Thank you for pushing out an update for F30. Would it be possible to update the
> package in F29 too?

Yes, it's done. But snapd probably needs a rebuild so that the changes are integrated in the final binary. I could do it but I would prefer the maintainer Neal Gompa take care of it.
Thanks for the updates. I'll grab the built packages, double check locally and post back karma.
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bde7ac3a13
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-773508199b
(In reply to Maciek Borzecki from comment #7)
> Thanks for the updates. I'll grab the built packages, double check locally
> and post back karma.

I've rebuilt snapd for F29-F31.
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.