Bug#895417: libseccomp: New upstream release 2.3.3
Package: libseccomp2
Version: 2.3.1-2.1
Followup-For: Bug #895417

Hello,

I wholeheartedly concur with Simon: as of libseccomp 2.3.1 (and 2.3.2), trying to run Qt5 applications with seccomp-based syscall filtering (e.g. in a systemd-nspawn container) results in exit code 134 along with the following error message:

    This application failed to start because it could not find or load the Qt platform plugin "xcb" in "".
    Reinstalling the application may fix this problem.
    Aborted

This remains a very obscure message; it gets more interesting after:

    export QT_DEBUG_PLUGINS=1

which allows us to get a more detailed output, including messages such as:

    /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so: Cannot allocate memory

An strace-based investigation quickly reveals the actual issue: statx() syscalls get denied with EPERM; the Qt library, not expecting such a result from statx(), ends up calling mmap() with a zero length, resulting in EINVAL and in the previous error messages:

    openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so", O_RDONLY|O_CLOEXEC) = 3
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, 0x7ffe42110950) = -1 EPERM (Operation not permitted)
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, 0x7ffe42110a50) = -1 EPERM (Operation not permitted)
    mmap(NULL, 0, PROT_READ, MAP_SHARED, 3, 0) = -1 EINVAL (Invalid argument)

Without seccomp filtering, the normal behaviour results in:

    openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so", O_RDONLY|O_CLOEXEC) = 3
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_ALL, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=10520, ...}) = 0
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, {stx_mask=STATX_ALL, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=10520, ...}) = 0
    mmap(NULL, 10520, PROT_READ, MAP_SHARED, 3, 0) = 0x7fb9a53d7000

After some extra investigations, it becomes clear that both the kernel and systemd-nspawn know about the statx() syscall. Specifically, systemd-nspawn already whitelists the statx() syscall as part of its "@file-system" syscall group. However, libseccomp < 2.3.3 knows nothing about "statx" and ends up denying it.

I have manually compiled libseccomp 2.3.3 and confirm that it solves the issue above (probably among others).

Long story short: it would indeed be really helpful to package the new upstream version 2.3.3.

Cheers,
Xavier
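An added example, not from the bug report and not code from libseccomp, systemd or Qt, that automates the investigation described in the message above. It parses strace output for calls that failed with EPERM and then asks libseccomp's seccomp_syscall_resolve_name() (loaded through ctypes when the library is installed) whether each denied name is even known to the library. That separates "the policy deliberately excluded this syscall" from "the name never made it into the filter because this libseccomp cannot resolve it", which is the statx case: the rule for an unresolvable name is never built, so the call falls through to the filter's default action. The sample trace, the two name tables standing in for libseccomp 2.3.1 and 2.3.3, and all function names are constructed for the example.

```python
"""Triage seccomp EPERM denials from an strace log and tell apart "denied by
policy" from "denied because this libseccomp does not know the syscall name"."""
import ctypes
import ctypes.util
import re
from collections import Counter

# libseccomp's seccomp_syscall_resolve_name() returns __NR_SCMP_ERROR (-1) for a
# name that is not in its table at all; a name that is in the table but has no
# number on the native architecture resolves to a negative pseudo-number below -1.
NR_SCMP_ERROR = -1

# One completed strace line: optional "[pid N]" prefix, syscall name, argument
# list, then the "= -1 ERRNO (text)" tail. "<unfinished ...>" / "<... resumed>"
# pairs from multi-threaded traces are deliberately not matched.
_LINE_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s*=\s*-1\s+(E[A-Z0-9]+)\b")


def failed_syscalls(strace_text, errno_name="EPERM"):
    """Count, per syscall name, the calls that failed with errno_name."""
    counts = Counter()
    for raw in strace_text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m and m.group(3) == errno_name:
            counts[m.group(1)] += 1
    return counts


def libseccomp_resolver():
    """Name -> number via the installed libseccomp, or None if it is not installed."""
    path = ctypes.util.find_library("seccomp")
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    fn = lib.seccomp_syscall_resolve_name      # int seccomp_syscall_resolve_name(const char *)
    fn.argtypes = [ctypes.c_char_p]
    fn.restype = ctypes.c_int
    return lambda name: fn(name.encode())


def classify_name(name, resolver):
    """'unknown' if libseccomp has no entry for the name, 'no-native-number' if it
    has one but not for this architecture, else 'known'."""
    num = resolver(name)
    if num == NR_SCMP_ERROR:
        return "unknown"
    if num < 0:
        return "no-native-number"
    return "known"


def check_allowlist(names, resolver):
    """Names in an allowlist whose rule cannot be built with this libseccomp, so the
    syscall would silently get the filter's default action instead."""
    return [n for n in names if classify_name(n, resolver) != "known"]


def triage(strace_text, resolver, errno_name="EPERM"):
    """Map each syscall that failed with errno_name to (count, verdict)."""
    verdicts = {}
    for name, count in failed_syscalls(strace_text, errno_name).items():
        status = classify_name(name, resolver)
        verdict = ("denied by policy" if status == "known"
                   else "libseccomp cannot resolve the name (%s)" % status)
        verdicts[name] = (count, verdict)
    return verdicts


# Constructed sample, modelled on the strace excerpt in the report above.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so", O_RDONLY|O_CLOEXEC) = 3
statx(3, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, 0x7ffe42110950) = -1 EPERM (Operation not permitted)
statx(3, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, 0x7ffe42110a50) = -1 EPERM (Operation not permitted)
mmap(NULL, 0, PROT_READ, MAP_SHARED, 3, 0) = -1 EINVAL (Invalid argument)
[pid  4242] keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0) = -1 EPERM (Operation not permitted)
+++ exited with 134 +++
"""

# Constructed stand-ins for a libseccomp without a statx entry (2.3.1) and with
# one (2.3.3); the numbers are x86_64 and only serve to make the names resolve.
OLD_TABLE = {"openat": 257, "mmap": 9, "keyctl": 250}
NEW_TABLE = dict(OLD_TABLE, statx=332)


def table_resolver(table):
    """Resolver over a plain dict, mimicking seccomp_syscall_resolve_name()."""
    return lambda name: table.get(name, NR_SCMP_ERROR)


if __name__ == "__main__":
    resolver = libseccomp_resolver() or table_resolver(OLD_TABLE)
    for name, (count, verdict) in sorted(triage(SAMPLE_TRACE, resolver).items()):
        print("%-8s %3d  %s" % (name, count, verdict))
```

Run against a real trace with the installed libseccomp, a syscall reported as "unknown" is one that no name-based allowlist on that host can admit, whatever the policy says; the one-shot equivalent is `scmp_sys_resolver statx`, which prints -1 for a name the library does not know. check_allowlist() is the pre-flight check a filter builder should run instead of quietly skipping rules for names that fail to resolve.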
Bug#895417: libseccomp: New upstream release 2.3.3
Source: libseccomp
Version: 2.3.1-2.1
Severity: normal
Tags: patch

Hello,

please package the new upstream version 2.3.3 which adds support for the statx syscall (which is already actively used by libqt5) among others; this should also close #893722.

Patch with the required changes (only unfuzzing of the parisc patch) is attached.

Regards
Simon

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

diff -u -r libseccomp-2.3.1/debian/changelog libseccomp-2.3.3/debian/changelog --- libseccomp-2.3.1/debian/changelog 2016-11-17 10:16:44.0 +0100 +++ libseccomp-2.3.3/debian/changelog 2018-04-11 12:09:58.258096960 +0200 @@ -1,3 +1,10 @@ +libseccomp (2.3.3-0.1) unstable; urgency=medium + + * Non-maintainer upload. + * New upstream release. + + -- Simon Ruderich Wed, 11 Apr 2018 12:09:39 +0200 + libseccomp (2.3.1-2.1) unstable; urgency=medium [ Martin Pitt ] diff -u -r libseccomp-2.3.1/debian/patches/28-parisc_support.patch libseccomp-2.3.3/debian/patches/28-parisc_support.patch --- libseccomp-2.3.1/debian/patches/28-parisc_support.patch 2016-11-17 10:16:44.0 +0100 +++ libseccomp-2.3.3/debian/patches/28-parisc_support.patch 2018-04-11 12:13:17.451686723 +0200 @@ -65,11 +65,11 @@ create mode 100644 src/arch-parisc.h create mode 100644 src/arch-parisc64.c -Index: libseccomp/include/seccomp.h.in +Index: libseccomp-2.3.3/include/seccomp.h.in === libseccomp.orig/include/seccomp.h.in 2016-05-28 19:57:02.050592727 +0200 -+++ libseccomp/include/seccomp.h.in 2016-05-28 19:57:02.038592653 +0200 -@@ -185,6 +185,12 @@ +--- libseccomp-2.3.3.orig/include/seccomp.h.in libseccomp-2.3.3/include/seccomp.h.in +@@ -186,6 +186,12 @@ struct scmp_arg_cmp { #define SCMP_ARCH_S390X AUDIT_ARCH_S390X /**
@@ -82,11 +82,11 @@ * Convert a syscall name into the associated syscall number * @param x the syscall name */ -Index: libseccomp/src/Makefile.am +Index: libseccomp-2.3.3/src/Makefile.am === libseccomp.orig/src/Makefile.am 2016-05-28 19:57:02.050592727 +0200 -+++ libseccomp/src/Makefile.am 2016-05-28 19:57:02.038592653 +0200 -@@ -35,6 +35,8 @@ +--- libseccomp-2.3.3.orig/src/Makefile.am libseccomp-2.3.3/src/Makefile.am +@@ -35,6 +35,8 @@ SOURCES_ALL = \ arch-mips.h arch-mips.c arch-mips-syscalls.c \ arch-mips64.h arch-mips64.c arch-mips64-syscalls.c \ arch-mips64n32.h arch-mips64n32.c arch-mips64n32-syscalls.c \ @@ -95,10 +95,10 @@ arch-ppc.h arch-ppc.c arch-ppc-syscalls.c \ arch-ppc64.h arch-ppc64.c arch-ppc64-syscalls.c \ arch-s390.h arch-s390.c arch-s390-syscalls.c \ -Index: libseccomp/src/arch-parisc-syscalls.c +Index: libseccomp-2.3.3/src/arch-parisc-syscalls.c === /dev/null 1970-01-01 00:00:00.0 + -+++ libseccomp/src/arch-parisc-syscalls.c 2016-05-28 19:57:02.042592678 +0200 +--- /dev/null libseccomp-2.3.3/src/arch-parisc-syscalls.c @@ -0,0 +1,499 @@ +/* + * Copyright (c) 2016 Helge Deller @@ -599,10 +599,10 @@ + /* XXX - no safety checks here */ + return parisc_syscall_table[spot].name; +} -Index: libseccomp/src/arch-parisc.c +Index: libseccomp-2.3.3/src/arch-parisc.c === /dev/null 1970-01-01 00:00:00.0 + -+++ libseccomp/src/arch-parisc.c 2016-05-28 19:57:02.042592678 +0200 +--- /dev/null libseccomp-2.3.3/src/arch-parisc.c @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2016 Helge Deller @@ -626,10 +626,10 @@ + .syscall_rewrite = NULL, + .rule_add = NULL, +}; -Index: libseccomp/src/arch-parisc.h +Index: libseccomp-2.3.3/src/arch-parisc.h === /dev/null 1970-01-01 00:00:00.0 + -+++ libseccomp/src/arch-parisc.h 2016-05-28 19:57:02.042592678 +0200 +--- /dev/null libseccomp-2.3.3/src/arch-parisc.h @@ -0,0 +1,38 @@ +/** + * Enhanced Seccomp PARISC Specific Code 
@@ -669,10 +669,10 @@ +const char *parisc_syscall_iterate_name(unsigned int spot); + +#endif -Index: libseccomp/src/arch-parisc64.c +Index: libseccomp-2.3.3/src/arch-parisc64.c === /dev/null 1970-01-01 00:00:00.0 + -+++ libseccomp/src/arch-parisc64.c 2016-05-28 19:57:02.042592678 +0200 +--- /dev/null libseccomp-2.3.3/src/arch-parisc64.c @@ -0,0 +1,22 @@ +/* + * Copyright (c) 2016 Helge Deller @@ -696,10 +696,10 @@ + .syscall_rewrite = NULL, + .rule_add = NULL, +}; -Index: libseccomp/src/arch-syscall-check.c +Index: libseccomp-2.3.3/src/arch-syscall-check.c === libseccomp.orig/src/arch-syscall-check.c 2016-05-28 19:57:02.050592727 +0200 -+++ libseccomp/src/arch-syscall-check.c 2016-05-28 19:57:02.0425926
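Review bot: the debian/changelog hunk (@@ -1,3 +1,10 @@) closes nothing: the new 2.3.3-0.1 entry carries only "* Non-maintainer upload." and "* New upstream release.", so the upload would neither close this report nor #893722, which the report text says the new version should fix, and the changelog would not record why an NMU was needed. Add the bug references to the entry, for example "* New upstream release, adds the statx syscall (Closes: #895417, #893722)", so the BTS closes both on upload.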
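Review bot: the unfuzzing hunks for debian/patches/28-parisc_support.patch only retarget the Index: and file-header lines to libseccomp-2.3.3 (and shift the seccomp.h.in hunk from @@ -185,6 +185,12 @@ to @@ -186,6 +186,12 @@, with "struct scmp_arg_cmp {" as the new context), while the parisc syscall table the patch adds (the +499-line src/arch-parisc-syscalls.c hunk, copyright 2016) is carried over unchanged. That table predates statx and therefore cannot contain it, so on parisc the new release still will not resolve the very syscall this NMU is for; the other architectures get it from upstream's regenerated tables, parisc does not. Either regenerate the parisc table so it matches 2.3.3's arch-*-syscalls.c tables, or state the gap in the changelog, and run the upstream arch-syscall-check, which this patch also extends for parisc (the src/arch-syscall-check.c hunk), to confirm the tables agree.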