Bug 1195065
| Field | Value |
|---|---|
| Summary | openssh - seccomp_filter currently failed to build on aarch64/ppc64*/s390* |
| Product | Fedora |
| Reporter | Peter Robinson <pbrobinson> |
| Component | openssh |
| Assignee | Jakub Jelen <jjelen> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 22 |
| CC | dan, dhorak, hannsj_uhl, jjelen, mattias.ellert, mgrepl, mjuszkie, plautrba, rjones, tmraz |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Unspecified |
| Fixed In Version | openssh-7.2p2-7.fc24 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2016-06-18 18:40:18 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 467765, 1071880, 922257, 1051573 |
Description (Peter Robinson, 2015-02-22 17:26:09 UTC)
According to https://bugzilla.redhat.com/show_bug.cgi?id=1194401#c4 it doesn't work even on armv7hl, so I propose to remove seccomp even from this architecture.

Created attachment 994437 [details]
Add support for aarch64

open() is a legacy syscall replaced by openat().
Other disabled syscalls are legacy ones not present on AArch64.

ppc64 support in libseccomp is not present yet. Someone recently decided to start work on adding it. s390 is not supported as well.

Thank you for the contribution. After fixing the typo with select it works like a charm both on aarch64 and primary architectures. But I would like to hear some reasoning behind removing SC_DENY(open, EACCES) and why it is not also in #ifdef __NR_open as the other platform-dependent calls? I'll apply this to the rawhide package and propose this extension to upstream when it is final.

open() is a legacy syscall which got replaced by openat(). AArch64 does not support legacy ones and on other architectures glibc hides that fact by using *at() ones. Some of those disabled syscalls should rather be replaced by non-legacy ones.

Ok. Thanks for the explanation. Fixed in openssh-6.7p1-8.fc23 (aarch64). Leaving the bug open for other missing platforms.

One more question, Marcin. When open is legacy, replaced by openat, I can take it, but what about stat? Is there a replacement fstatat? Why is this one not blacklisted? In the meantime, do you have some reference about legacy/non-legacy syscalls and support on different architectures? strace is blaming us with these legacy names ...

http://people.linaro.org/~riku.voipio/aarch64-talk/#/18/1 is my favorite help when it comes to legacy/deprecated syscalls on AArch64. stat() is a normal syscall afaik

~curse me please... stat() is legacy as well.

I did some research on what syscalls are used on which architecture for open and stat (should be banned but shouldn't kill the program):

| arch | open | stat |
|---|---|---|
| x86_64 | open(2) | fstat(5) |
| ix86 | open(5) | stat64(195), fstat64(197) |
| arm | open(5) | stat64(195), fstat64(197) |
| aarch64 | openat ? | __NR_newfstatat ? |

It would be cool to have it clear also for aarch64 and other secondary architectures supporting seccomp, but I still don't have such a machine. These are the syscalls used for select:

| arch | select |
|---|---|
| x86_64 | select(23) |
| ix86 | _newselect(142) |
| arm | _newselect ? |
| aarch64 | pselect6(72) |

It would be great to fill in and extend this list and test it a little bit more before we can propose some changes to upstream with new architectures.

Just tested the s390* architecture and it works fine for me if I whitelist this architecture with the current system call set. I will issue some rawhide builds later. As I see, ppc64* kernels currently do not have support for user filters (there is no CONFIG_SECCOMP_FILTER in /boot/config-*) so I will leave these out for now. To continue the investigation about the most problematic system calls and proving it works correctly:

| arch | open | stat | select |
|---|---|---|---|
| s390x | open(106) | stat(5) | select(142) |

(finally a reasonable architecture)

openssh-6.9p1-2.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/openssh-6.9p1-2.fc22

openssh-6.9p1-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Last architecture where we don't build the seccomp filter for openssh is ppc/ppc64/ppc64le. Just tested patches to allow building openssh with the seccomp sandbox on ppc64 and ppc64le with kernel 4.5-pre and it seems to work just fine. I will update the upstream bug and add it to Fedora 24 and rawhide. Dan, do we have some ppc (32b) machines or are you aware of some differences in ISA that could prevent it working there? This would be the last architecture and therefore we can finally skip this check and build seccomp everywhere by default.

I would consider 32-bit ppc as dead for this purpose. It was dropped in Fedora 20 (or 21).

openssh-7.2p2-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-57cec0322d

openssh-7.2p2-7.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-57cec0322d

Created attachment 1165520 [details]
Support for seccomp filter in MIPS (thanks mtoman)

Thanks to mtoman, we have also tested the seccomp filter on MIPS to general satisfaction. It works just with white-listing the architecture in configure.
It will be in the next update.

openssh-7.2p2-7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
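An added example (mine, not code from this bug or from OpenSSH) of the open()/openat() point discussed above: a seccomp-BPF deny rule in the shape of OpenSSH's SC_DENY, guarded by #ifdef __NR_open so it also compiles on aarch64, plus a forked probe that reports which errno a plain libc open() receives. The demo's ALLOW default, the DENY macro and the function names are my assumptions; OpenSSH's real filter additionally checks seccomp_data.arch and kills the process on unlisted syscalls.

```c
/* Added demo, not OpenSSH code. Build: cc -Wall -O2 seccomp_open_demo.c */
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Like OpenSSH's SC_DENY: if nr == sys return -err instead of killing the process. */
#define DENY(sys, err) do { \
    code[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (sys), 0, 1); \
    code[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (err)); \
} while (0)

/* Run probe() in a forked child under the filter; return its errno, or -1 if no seccomp. */
static int errno_under_filter(int deny_openat, int (*probe)(void)) {
    struct sock_filter code[6]; unsigned n = 0;
    code[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
#ifdef __NR_open                /* legacy number: x86_64 has it, aarch64 does not */
    DENY(__NR_open, EACCES);
#endif
    if (deny_openat)            /* the syscall glibc's open() actually issues */
        DENY(__NR_openat, EACCES);
    code[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW); /* demo only */
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = code };
    pid_t pid = fork();
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(255);
        _exit(probe() & 0xff);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

/* Plain libc open(): on aarch64, and with any recent glibc, this is openat(). */
static int probe_libc_open(void) {
    int fd = open("/dev/null", O_RDONLY);
    return fd < 0 ? errno : (close(fd), 0);
}

int main(void) {
    printf("deny __NR_open only: errno=%d; deny open+openat: errno=%d (EACCES=%d)\n",
           errno_under_filter(0, probe_libc_open), errno_under_filter(1, probe_libc_open), EACCES);
    return 0;
}
```

With only __NR_open denied, a glibc open() still succeeds because it is issued as openat(); once openat is denied as well, the probe reports EACCES on every architecture.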