Ubuntu
libseccomp package

32bit glibc calls old socketcall() syscall, causing seccomp problems

  1. Trusty (14.04)
  2. Bug #1576066
Bug #1576066 reported by desrt
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
glibc (Ubuntu)
Fix Released
High
Unassigned
Trusty
Triaged
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Zesty
New
Undecided
Unassigned
Artful
Fix Released
High
Unassigned
libseccomp (Ubuntu)
Fix Released
High
Unassigned
Trusty
Triaged
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Zesty
New
Undecided
Unassigned
Artful
Fix Released
High
Unassigned

Bug Description

Back in the day when Linux was created for i386, for who knows what reason, all socket calls were multiplexed through a single syscall API, socketcall(). This was a strange thing to do, but it probably made sense from the standpoint of the same part of the kernel handling all of those calls.

It was realised a long time ago that this was a strange and suboptimal arrangement.

By the time they got around to doing amd64 and other architectures, they fixed this arrangement and gave each socket call a separate syscall entry point. 32bit systems continued to do it this old way, however, multiplexing all calls through socketcall().

This is a problem for seccomp. If we want to allow a program to make casual use of the network, but not bind a listener socket, we cannot currently do that. On 64bits we just filter out the bind() and listen() calls, but on 32bit, it's all the same syscall.

The kernel people fixed this problem up last summer by introducing new, separate, syscall entries for each separate call.

  http://patchwork.sourceware.org/patch/7679/

The problem is that glibc in Y is still using the old socketcall() interface on i386. It needs to be updated to use the new calls.

A possible caveat is that this might create problems for running newer binaries on older kernels on i386 (as we sometimes do with builders) because they won't have the new syscalls. A solution could involve checking for ENOSYS and trying again via the old route.

Revision history for this message
Sebastien Bacher (seb128) wrote :

setting to high, that makes some snap not work on i386

Changed in glibc (Ubuntu):
importance: Undecided → High
Revision history for this message
Justin Cormack (justincormack) wrote :

Hi, glibc was updated to use the new syscalls in 16.04, and does not use socketcall. Previous editions should not be updated.

However the problem that Sebastien has, and has also been reported to Docker, is that libseccomp in 16.04 has not been updated to 2.3.0 which supports the direct non socketcall syscalls for i386, so any 32 bit process using seccomp cannot perform socket operations on 16.04, eg Steam.

Sebastien Bacher (seb128)
tags: added: desktop-snap-issue
tags: removed: desktop-snap-issue
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I'll take a look at this. I'll try an updated libseccomp with xenial's glibc and a > 4.2 kernel and if this works, I'll pursue an SRU. Is there a simple test case or snap that I can use to verify it is broken with old seccomp and working with new?

Changed in libseccomp (Ubuntu):
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in glibc (Ubuntu):
status: New → Invalid
status: Invalid → New
Changed in libseccomp (Ubuntu):
status: New → Incomplete
Revision history for this message
Sebastien Bacher (seb128) wrote :

@Jamie, the gnome-calculator one on i386 with confinment enabled hits a system call error, I'm happy to test candidate debs if that's useful

tags: added: snap-desktop-issue
Jamie Strandboge (jdstrand)
Changed in libseccomp (Ubuntu):
status: Incomplete → New
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Note, this affects even hello-world.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

hello-world.sh that is.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in glibc (Ubuntu):
status: New → Confirmed
Changed in libseccomp (Ubuntu):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

While this bug is still open, developers may either:

* install snaps with --devmode (eg, snap install --devmode /path/to/snap)
* add 'socketcall' to /var/lib/snapd/seccomp/profiles/snap.your.app

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, >=16.10 has libseccomp >= 2.3. xenial has 2.2.3-3ubuntu3 that includes updated syscall tables for this (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809556 and https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1554098).

>=16.04 have 4.4 kernels and updated glibc.

Changed in libseccomp (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Confirmed → Fix Released
Changed in libseccomp (Ubuntu Xenial):
status: New → Fix Released
Changed in libseccomp (Ubuntu Trusty):
status: New → Triaged
Changed in glibc (Ubuntu Trusty):
status: New → Triaged
Changed in glibc (Ubuntu):
status: Confirmed → Fix Released
Changed in glibc (Ubuntu Xenial):
status: New → Fix Released
Revision history for this message
Michael Vogt (mvo) wrote :

Fwiw, this is longer working on zesty and newer:
"""
#include <stdio.h>

#include <seccomp.h>

int main(int argc, char **argv) {
  int sys_num = seccomp_syscall_resolve_name("socket");
  printf("%d ", sys_num);
}
"""
returns -101 now. I think I know what is going on and will provide a patch shortly.

Revision history for this message
Michael Vogt (mvo) wrote :

So to summarize: in zesty, artful `scmp_sys_resolver -a x86 socket` will return: `-101`. The syscalls are still there in the kernel and libc its just that libseccomp reports a pseudo number again (which it did not in xenial).

The reason why we are seeing negative syscall numbers from libseccomp again is: https://github.com/seccomp/libseccomp/commit/73d83e45efbe8c31067c97155162f17ca51b7435

The interessting question is what we should do - the most simple answer is to just revert this, this would be consistent with xenial. But given that its an upstream commit I'm hesitant to do this.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.