Merge ~paelzer/ubuntu/+source/systemd:focal-fix-vs-new-libseccomp into ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-focal

Proposed by Christian Ehrhardt 
Status: Merged
Merged at revision: 7048d92d071e70e5b17989ae2e03c996c843df78
Proposed branch: ~paelzer/ubuntu/+source/systemd:focal-fix-vs-new-libseccomp
Merge into: ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-focal
Diff against target: 197 lines (+133/-23)
5 files modified
debian/changelog (+8/-0)
debian/patches/lp-1853852-seccomp-fix-multiplexed-system-calls.patch (+74/-0)
debian/patches/lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch (+49/-0)
debian/patches/series (+2/-1)
dev/null (+0/-22)
Reviewer Review Type Date Requested Status
Balint Reczey Approve
Dimitri John Ledkov Pending
Review via email: mp+376514@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :

Hi,
this isn't in 244 upstream so we will need it sooner or later I guess.
Unless you plan to directly go to 245 at some point.

Without the fix systemd and the new libseccomp won't work together.
If we decide to accept, but postpone this upload (since systemd uploads are rather work intensive) I'd ask if you agree that we force-badtest the tests for now to get things in focal migrating again.

Balint Reczey (rbalint) wrote:

LGTM, thanks for the thorough follow-up.

It arrived just in time to be in the 244 upload. :-)

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Great, glad to hear that - if there is anything from my side to do on this let me know.
Otherwise I'll leave it in your and the 244 upload's hands.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 480f1c2..b67c6ea 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+systemd (243-3ubuntu2) focal; urgency=medium
7+
8+ * fix issues with muliplexed shmat calls (LP: #1853852)
9+ - d/p/lp-1853852-*: add upstream backports
10+ - drop d/p/test-expect-mmap-to-fail-in-seccomp-test-on-s390-and-s390.patch
11+
12+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 09 Dec 2019 12:57:07 +0100
13+
14 systemd (243-3ubuntu1) focal; urgency=medium
15
16 [ Dan Streetman ]
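Review bot: "muliplexed" in the first bullet of the new changelog entry should read "multiplexed". The entry also only describes the shmat fix, while the second backport (lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch) changes what the mmap test asserts on architectures outside the known-good list; a short bullet naming that behavioural change would make the entry match the diff.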
17diff --git a/debian/patches/lp-1853852-seccomp-fix-multiplexed-system-calls.patch b/debian/patches/lp-1853852-seccomp-fix-multiplexed-system-calls.patch
18new file mode 100644
19index 0000000..2faee37
20--- /dev/null
21+++ b/debian/patches/lp-1853852-seccomp-fix-multiplexed-system-calls.patch
22@@ -0,0 +1,74 @@
23+From bed4668d1daeb640c1d55e79e6a1725c81118e39 Mon Sep 17 00:00:00 2001
24+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
25+Date: Wed, 27 Nov 2019 09:52:07 +0100
26+Subject: [PATCH] seccomp: fix multiplexed system calls
27+
28+Since libseccomp 2.4.2 more architectures have shmat handled as multiplexed
29+call. Those will fail to be added due to seccomp_rule_add_exact failing
30+on them since they'd need to add multiple rules [1].
31+See the discussion at https://github.com/seccomp/libseccomp/issues/193
32+
33+After discussions about the options rejected [2][3] the initial thought of
34+a fallback to the non '_exact' version of the seccomp rule adding the next
35+option is to handle those now affected (i386, s390, s390x) the same way as
36+ppc which ignores and does not block shmat.
37+
38+[1]: https://github.com/seccomp/libseccomp/issues/193
39+[2]: https://github.com/systemd/systemd/pull/14167#issuecomment-559136906
40+[3]: https://github.com/systemd/systemd/commit/469830d1
41+
42+Origin: upstream, https://github.com/systemd/systemd/commit/bed4668d1daeb640c1d55e79e6a1725c81118e39
43+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1853852
44+Last-Update: 2019-12-09
45+
46+---
47+ src/shared/seccomp-util.c | 16 ++++++++--------
48+ 1 file changed, 8 insertions(+), 8 deletions(-)
49+
50+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
51+index bd4f004cc8..fc813dd515 100644
52+--- a/src/shared/seccomp-util.c
53++++ b/src/shared/seccomp-util.c
54+@@ -1593,22 +1593,23 @@ int seccomp_memory_deny_write_execute(void) {
55+
56+ switch (arch) {
57+
58++ /* Note that on some architectures shmat() isn't available, and the call is multiplexed through ipc().
59++ * We ignore that here, which means there's still a way to get writable/executable
60++ * memory, if an IPC key is mapped like this. That's a pity, but no total loss. */
61++
62+ case SCMP_ARCH_X86:
63+ case SCMP_ARCH_S390:
64+ filter_syscall = SCMP_SYS(mmap2);
65+ block_syscall = SCMP_SYS(mmap);
66+- shmat_syscall = SCMP_SYS(shmat);
67++ /* shmat multiplexed, see above */
68+ break;
69+
70+ case SCMP_ARCH_PPC:
71+ case SCMP_ARCH_PPC64:
72+ case SCMP_ARCH_PPC64LE:
73++ case SCMP_ARCH_S390X:
74+ filter_syscall = SCMP_SYS(mmap);
75+-
76+- /* Note that shmat() isn't available, and the call is multiplexed through ipc().
77+- * We ignore that here, which means there's still a way to get writable/executable
78+- * memory, if an IPC key is mapped like this. That's a pity, but no total loss. */
79+-
80++ /* shmat multiplexed, see above */
81+ break;
82+
83+ case SCMP_ARCH_ARM:
84+@@ -1619,8 +1620,7 @@ int seccomp_memory_deny_write_execute(void) {
85+ case SCMP_ARCH_X86_64:
86+ case SCMP_ARCH_X32:
87+ case SCMP_ARCH_AARCH64:
88+- case SCMP_ARCH_S390X:
89+- filter_syscall = SCMP_SYS(mmap); /* amd64, x32, s390x, and arm64 have only mmap */
90++ filter_syscall = SCMP_SYS(mmap); /* amd64, x32 and arm64 have only mmap */
91+ shmat_syscall = SCMP_SYS(shmat);
92+ break;
93+
94+--
95+2.24.0
96+
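Review bot: this backport moves SCMP_ARCH_S390X out of the group that sets `shmat_syscall = SCMP_SYS(shmat)` and drops the assignment for SCMP_ARCH_X86 and SCMP_ARCH_S390, so on i386, s390 and s390x seccomp_memory_deny_write_execute() no longer filters shmat at all; the relocated comment states the consequence ("there's still a way to get writable/executable memory, if an IPC key is mapped like this"). That is a deliberate narrowing of what MemoryDenyWriteExecute= blocks on those architectures rather than a pure compatibility fix with libseccomp 2.4.2, so it is worth a sentence in the changelog or the DEP-3 description beyond "fix issues with shmat calls", so that users relying on the hardening option on those architectures can see the limitation. The DEP-3 headers (Origin, Bug-Ubuntu, Last-Update) are present and the Origin hash matches the From line.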
97diff --git a/debian/patches/lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch b/debian/patches/lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch
98new file mode 100644
99index 0000000..ca68178
100--- /dev/null
101+++ b/debian/patches/lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch
102@@ -0,0 +1,49 @@
103+From 49219b5c2a654ee6639887aa21a78b41da0576f1 Mon Sep 17 00:00:00 2001
104+From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
105+Date: Wed, 4 Dec 2019 11:44:32 +0100
106+Subject: [PATCH] seccomp: mmap test results depend on kernel/libseccomp/glibc
107+
108+Like with shmat already the actual results of the test
109+test_memory_deny_write_execute_mmap depend on kernel/libseccomp/glibc
110+of the platform it is running on.
111+
112+There are known-good platforms, but on the others do not assert success
113+(which implies test has actually failed as no seccomp blocking was achieved),
114+but instead make the check dependent to the success of the mmap call
115+on that platforms.
116+
117+Finally the assert of the munmap on that valid pointer should return ==0,
118+so that is what the check should be for in case of p != MAP_FAILED.
119+
120+Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
121+
122+Origin: upstream, https://github.com/systemd/systemd/commit/49219b5c2a654ee6639887aa21a78b41da0576f1
123+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1853852
124+Last-Update: 2019-12-09
125+
126+---
127+ src/test/test-seccomp.c | 7 ++++---
128+ 1 file changed, 4 insertions(+), 3 deletions(-)
129+
130+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
131+index 7323e79f7b..69b1c788aa 100644
132+--- a/src/test/test-seccomp.c
133++++ b/src/test/test-seccomp.c
134+@@ -535,10 +535,11 @@ static void test_memory_deny_write_execute_mmap(void) {
135+ #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__)
136+ assert_se(p == MAP_FAILED);
137+ assert_se(errno == EPERM);
138+-#else /* unknown architectures */
139+- assert_se(p != MAP_FAILED);
140+- assert_se(munmap(p, page_size()) >= 0);
141+ #endif
142++ /* Depending on kernel, libseccomp, and glibc versions, other architectures
143++ * might fail or not. Let's not assert success. */
144++ if (p != MAP_FAILED)
145++ assert_se(munmap(p, page_size()) == 0);
146+
147+ p = mmap(NULL, page_size(), PROT_WRITE|PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
148+ assert_se(p != MAP_FAILED);
149+--
150+2.24.0
151+
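Review bot: with the `#else /* unknown architectures */` branch removed, the test no longer checks anything about blocking on architectures outside the `#if` list: if seccomp does not intercept the PROT_WRITE|PROT_EXEC mmap, the new `if (p != MAP_FAILED)` path unmaps the page and the test passes silently. That is the intended relaxation, but emitting a log message in that branch before the munmap() would make a build or autopkgtest log show that W+X was not blocked instead of hiding it. Note also that the context line `#if defined(__x86_64__) || ... || defined(__aarch64__)` is the pristine upstream list without `__s390__`/`__s390x__`, which is why the older s390 test patch has to be dropped in the same upload for this patch to apply.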
152diff --git a/debian/patches/series b/debian/patches/series
153index 39b84c6..5db6572 100644
154--- a/debian/patches/series
155+++ b/debian/patches/series
156@@ -76,7 +76,6 @@ fix-build-with-compilers-with-default-stack-protector-ena.patch
157 cgroup-fix-typo-in-BPF-firewall-support-warning-message.patch
158 docs-fix-inadvertent-change-in-uid-range.patch
159 test-Pass-personality-test-even-when-i686-userland-runs-o.patch
160-test-expect-mmap-to-fail-in-seccomp-test-on-s390-and-s390.patch
161 resolved-set-stream-type-during-DnsStream-creation.patch
162 boot-Load-LoadOptions-cmdline-if-none-is-available.patch
163 debian/Use-Debian-specific-config-files.patch
164@@ -119,3 +118,5 @@ Revert-cgroup-Continue-unit-reset-if-cgroup-is-busy.patch
165 Revert-network-fix-assertion-when-link-get-carrier.patch
166 Revert-network-prevent-interfaces-to-be-initialized-multi.patch
167 rules-Add-automatic-suspend-udev-rules.patch
168+lp-1853852-seccomp-fix-multiplexed-system-calls.patch
169+lp-1853852-seccomp-mmap-test-results-depend-on-kernel-libseccom.patch
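Review bot: the ordering is right: the multiplexed-syscalls patch comes first and the test patch after it, and the removal of test-expect-mmap-to-fail-in-seccomp-test-on-s390-and-s390.patch in the earlier hunk is required here, because the new test patch's context expects the `#if` list without the `__s390__`/`__s390x__` entries that the dropped patch added; with the old patch still in series, quilt would fail on the second lp-1853852 patch.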
170diff --git a/debian/patches/test-expect-mmap-to-fail-in-seccomp-test-on-s390-and-s390.patch b/debian/patches/test-expect-mmap-to-fail-in-seccomp-test-on-s390-and-s390.patch
171deleted file mode 100644
172index db05715..0000000
173--- a/debian/patches/test-expect-mmap-to-fail-in-seccomp-test-on-s390-and-s390.patch
174+++ /dev/null
175@@ -1,22 +0,0 @@
176-From: Balint Reczey <balint.reczey@canonical.com>
177-Date: Tue, 22 Oct 2019 17:10:17 +0200
178-Subject: test: expect mmap to fail in seccomp test on s390 and s390x
179-
180-(cherry picked from commit a81f7aad9a5ddeebbce002e2da36e1dd84f51b36)
181----
182- src/test/test-seccomp.c | 2 +-
183- 1 file changed, 1 insertion(+), 1 deletion(-)
184-
185-diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
186-index a906070..9881768 100644
187---- a/src/test/test-seccomp.c
188-+++ b/src/test/test-seccomp.c
189-@@ -489,7 +489,7 @@ static void test_memory_deny_write_execute_mmap(void) {
190- assert_se(seccomp_memory_deny_write_execute() >= 0);
191-
192- p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0);
193--#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__)
194-+#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__) || defined(__s390__) || defined(__s390x__)
195- assert_se(p == MAP_FAILED);
196- assert_se(errno == EPERM);
197- #else /* unknown architectures */
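Review bot: deleting this patch is consistent with the new test patch, whose context is the upstream `#if` line without `__s390__`/`__s390x__`. Be aware of the net effect on s390/s390x, though: this patch made the test require `p == MAP_FAILED` with `errno == EPERM` there, and after this upload the test asserts nothing about mmap blocking on those architectures, so a regression in `seccomp_memory_deny_write_execute()` on s390x (which the first backport now routes through the `filter_syscall = SCMP_SYS(mmap)` group) would no longer fail the test.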
