Bug 1702169
| Field | Value |
|---|---|
| Summary | seccomp argument filtering not working properly with libseccomp-golang 0.9.0 |
| Product | [Fedora] Fedora |
| Component | golang-github-seccomp-libseccomp-golang |
| Version | 29 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Maciek Borzecki <maciek.borzecki> |
| Assignee | Robert-André Mauchin 🐧 <zebob.m> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | go-sig, jchaloup, ngompa13, zebob.m |
| Fixed In Version | golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30, golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 |
| Last Closed | 2019-05-06 00:45:16 UTC |
| Type | Bug |

Description
Maciek Borzecki
2019-04-23 06:53:58 UTC

You need an update ASAP?

(In reply to Robert-André Mauchin from comment #1)
> You need an update ASAP?

Yes, that would be great. The problem is that, when constructing a rule for a syscall that matches more than one argument, the generated seccomp rule does not AND the conditions for each argument. Effectively, the resulting BPF will be incorrect, and a call that ought to be blocked will be allowed by seccomp.

golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bde7ac3a13

Thank you for pushing out an update for F30. Would it be possible to update the package in F29 too?

golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-773508199b

(In reply to Maciek Borzecki from comment #4)
> Thank you for pushing out an update for F30. Would it be possible to update the
> package in F29 too?

Yes it's done. But snapd probably needs a rebuild so that the changes are integrated in the final binary. I could do it but I would prefer the maintainer Neal Gompa take care of it.

Thanks for the updates. I'll grab the built packages, double check locally and post back karma.

golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bde7ac3a13

golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-773508199b

(In reply to Maciek Borzecki from comment #7)
> Thanks for the updates. I'll grab the built packages, double check locally
> and post back karma.

I've rebuilt snapd for F29-F31.

golang-github-seccomp-libseccomp-golang-0.9.0-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

golang-github-seccomp-libseccomp-golang-0.9.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
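
An added illustration, not code from this bug report or from libseccomp-golang: a small classic-BPF evaluator in Go that shows how a two-argument seccomp rule is chained so that every condition must hold, plus a probe that lists the argument pairs a filter wrongly allows. The syscall and values (socket on x86-64, AF_UNIX, SOCK_STREAM), the OR-style defective program and all function names are constructed assumptions, and only the low 32 bits of each argument are compared.

```go
package main

import "fmt"

type insn struct{ code, jt, jf, k uint32 } // fields of struct sock_filter, widths simplified
const ldAbs, jeq, ret = 0x20, 0x15, 0x06 // BPF_LD|BPF_W|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K
const allow, kill = 0x7fff0000, 0 // SECCOMP_RET_ALLOW, SECCOMP_RET_KILL_THREAD

// filter (constructed) allows syscall nr only when arg0==a and arg1==b, else kills.
func filter(nr, a, b uint32, anded bool) []insn {
	first := insn{jeq, 0, 3, a} // ANDed: arg0 mismatch jumps to kill
	if !anded {
		first = insn{jeq, 2, 0, a} // assumed defect: arg0 match jumps to allow
	}
	return []insn{
		{ldAbs, 0, 0, 0}, {jeq, 0, 5, nr}, // seccomp_data.nr
		{ldAbs, 0, 0, 16}, first, // args[0], low 32 bits
		{ldAbs, 0, 0, 24}, {jeq, 0, 1, b}, // args[1], low 32 bits
		{ret, 0, 0, allow}, {ret, 0, 0, kill},
	}
}

// run evaluates prog over seccomp_data held as 16 words (byte offset = 4*index).
func run(prog []insn, data [16]uint32) uint32 {
	for pc, acc := 0, uint32(0); pc < len(prog); pc++ {
		switch in := prog[pc]; in.code {
		case ldAbs:
			acc = data[in.k/4]
		case jeq:
			if acc == in.k {
				pc += int(in.jt)
			} else {
				pc += int(in.jf)
			}
		case ret:
			return in.k
		}
	}
	return kill
}
// leaks lists the (arg0, arg1) pairs allowed without matching both values.
func leaks(prog []insn, nr, a, b uint32) (out [][2]uint32) {
	for _, p := range [][2]uint32{{a, b + 1}, {a + 1, b}, {a + 1, b + 1}} {
		if run(prog, [16]uint32{0: nr, 4: p[0], 6: p[1]}) == allow {
			out = append(out, p)
		}
	}
	return out
}
func main() { // constructed case: socket(2) is nr 41 on x86-64, AF_UNIX=1, SOCK_STREAM=1
	fmt.Println(leaks(filter(41, 1, 1, true), 41, 1, 1), leaks(filter(41, 1, 1, false), 41, 1, 1))
}
```

An empty result from `leaks` is what a correctly ANDed rule produces; any pair it returns is a call the rule's author meant to block.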