Your message dated Sun, 15 Apr 2018 21:05:26 +0000
with message-id <e1f7opy-000gdn...@fasolo.debian.org>
and subject line Bug#890489: fixed in apt 1.6~rc1
has caused the Debian Bug report #890489,
regarding apt: seccomp sandbox fails on x32
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
890489: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890489
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.6~alpha7
Severity: important
Tags: patch

apt fails on x32:

  # apt update
  Reading package lists... Done
  E: Method http has died unexpectedly!
  E: Sub-process http received signal 31.

strace shows lots of stuff along the lines of "strace: syscall_96(...)
in unsupported 64-bit mode of process PID=2997".  The attached patch has
some more reasoning and fixes this.

Thanks,

-- 
Colin Watson                                       [cjwat...@debian.org]
From 3b88f5d71e1ec850ad9f692a687c66ef1c714897 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwat...@debian.org>
Date: Thu, 15 Feb 2018 09:22:10 +0000
Subject: [PATCH] Fix seccomp sandbox on x32

On x32, the kernel VDSO that provides clock_gettime and gettimeofday
sometimes falls back to the underlying syscall.  Unfortunately, it falls
back to the x86-64 variant of that syscall
(https://bugs.debian.org/850047), so we need to allow those too.
---
 methods/aptmethod.h | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/methods/aptmethod.h b/methods/aptmethod.h
index 3314115..4ca80f0 100644
--- a/methods/aptmethod.h
+++ b/methods/aptmethod.h
@@ -136,7 +136,6 @@ protected:
       ALLOW(chown);
       ALLOW(chown32);
       ALLOW(clock_getres);
-      ALLOW(clock_gettime);
       ALLOW(clock_nanosleep);
       ALLOW(close);
       ALLOW(creat);
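
Review bot: Dropping ALLOW(clock_gettime) from its alphabetical slot between clock_getres and clock_nanosleep leaves no trace of where the rule went, so a later reader scanning the list may take it for an omission and re-add it here. A one-line comment at this position pointing to the block at the end of the filter would prevent that; the same applies to the gettimeofday removal in the following hunk.
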
@@ -188,7 +187,6 @@ protected:
       ALLOW(get_robust_list);
       ALLOW(getrusage);
       ALLOW(gettid);
-      ALLOW(gettimeofday);
       ALLOW(getuid);
       ALLOW(getuid32);
       ALLOW(ioctl);
@@ -310,6 +308,19 @@ protected:
 	    return _error->FatalE("aptMethod::Configuration", "Cannot allow %s: %s", custom.c_str(), strerror(-rc));
       }
 
+      // On x32, the clock_gettime and gettimeofday syscalls fall back to
+      // the x86-64 syscall in some circumstances
+      // (https://bugs.debian.org/850047).  Note that these must be the last
+      // syscalls added to the filter, as once we've called seccomp_arch_add
+      // all syscalls after that point will be allowed for both
+      // architectures.
+#if defined(__x86_64__) && defined(__ILP32__)
+      if ((rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64)))
+	 return _error->FatalE("HttpMethod::Configuration", "Cannot add x86-64 architecture: %s", strerror(-rc));
+#endif
+      ALLOW(clock_gettime);
+      ALLOW(gettimeofday);
+
 #undef ALLOW
 
       rc = seccomp_load(ctx);
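
Review bot: The new seccomp_arch_add failure path reports "HttpMethod::Configuration", while the existing FatalE at the top of this hunk, in the same file methods/aptmethod.h, uses "aptMethod::Configuration"; use the aptMethod tag so the error names the class that actually builds the filter. Separately, the "must be the last syscalls added" constraint is enforced only by the comment: on x32, any ALLOW() appended between ALLOW(gettimeofday) and #undef ALLOW in a later change would silently be permitted for the x86-64 ABI as well, widening the sandbox. It would help to say explicitly in the comment that nothing may be added below these two lines, so the widening stays limited to clock_gettime and gettimeofday.
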
-- 
2.7.4


--- End Message ---
--- Begin Message ---
Source: apt
Source-Version: 1.6~rc1

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <j...@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 15 Apr 2018 21:41:44 +0200
Source: apt
Binary: apt libapt-pkg5.0 libapt-inst2.0 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source
Version: 1.6~rc1
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <de...@lists.debian.org>
Changed-By: Julian Andres Klode <j...@debian.org>
Description:
 apt        - commandline package manager
 apt-doc    - documentation for APT
 apt-transport-https - transitional package for https support
 apt-utils  - package management related utility programs
 libapt-inst2.0 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg5.0 - package management runtime library
Closes: 890489 891644 895117
Changes:
 apt (1.6~rc1) unstable; urgency=medium
 .
   [ Julian Andres Klode ]
   * Experimental support for zstd (LP: #1763839)
   * Fix debian/NEWS entry for 1.6~beta1
   * Use https for Ubuntu changelogs
   * Bump cache major version to allow different 1.5 and 1.6 updates
   * CI: Switch testing to use ubuntu:bionic for 1.6.y
   * Turn off seccomp sandboxing by default (LP: #1732030) (Closes: #890489)
   * Allow restart_syscall() syscall in seccomp sandboxes (Closes: #891644)
   * Delete /etc/dpkg/dpkg.cfg.d/excludes on Docker CI images
   * test: export GCOV_ERROR_FILE=/dev/null to make it fail less/no tests
   * apt-private: Collect not found packages in CacheSetHelperAPTGet
   * Introduce experimental new hooks for command-line tools (LP: #1763839)
 .
   [ David Kalnischkies ]
   * remove duplicate changelog lines from 1.6~beta1 entry
   * fix communication typo in https manpage
   * set our two libapt libraries to prio:optional
   * document Acquire::AllowReleaseInfoChange without extra s
 .
   [ jean-pierre giraud ]
   * French man pages translation (Closes: #895117)

--- End Message ---
