Bug#895417: libseccomp: New upstream release 2.3.3

[Xavier Guerrin]

Package: libseccomp2
Version: 2.3.1-2.1
Followup-For: Bug #895417

Hello,

I wholeheartedly concur with Simon: as of libseccomp 2.3.1 (and 2.3.2), trying
to run Qt5 applications with seccomp-based syscall filtering (e.g. in a
systemd-nspawn container) results in exit code 134 along with the following
error message:

  This application failed to start because it could not find or load the Qt 
platform plugin "xcb"
  in "".

  Reinstalling the application may fix this problem.
  Aborted

This remains a very obscure message; it gets more interesting after:
  export QT_DEBUG_PLUGINS=1
which allows us to get a more detailed output, including messages such as:
  /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so: Cannot allocate 
memory

An strace-based investigation quickly reveals the actual issue: statx()
syscalls get denied with EPERM; the Qt library, not expecting such a result
from statx() ends up calling mmap() with a zero length, resulting in EINVAL and
in the previous error messages:

  openat(AT_FDCWD, 
"/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so", 
O_RDONLY|O_CLOEXEC) = 3 
  statx(3, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, 0x7ffe42110950) 
= -1 EPERM (Operation not permitted) 
  statx(3, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, 0x7ffe42110a50) 
= -1 EPERM (Operation not permitted) 
  mmap(NULL, 0, PROT_READ, MAP_SHARED, 3, 0) = -1 EINVAL (Invalid argument)

Without seccomp filtering, the normal behaviour results in:

  openat(AT_FDCWD, 
"/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so", 
O_RDONLY|O_CLOEXEC) = 3 
  statx(3, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, 
{stx_mask=STATX_ALL, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=10520, 
...}) = 0 
  statx(3, "", AT_STATX_SYNC_AS_STAT|AT_EMPTY_PATH, STATX_ALL, 
{stx_mask=STATX_ALL, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=10520, 
...}) = 0 
  mmap(NULL, 10520, PROT_READ, MAP_SHARED, 3, 0) = 0x7fb9a53d7000

After some extra investigations, it becomes clear that both the kernel and
systemd-nspawn know about the statx() syscall. Specifically, systemd-nspawn
already whitelists the statx() syscall as part of its "@file-system" syscall
group. However, libseccomp < 2.3.3 knows nothing about "statx" and ends up
denying it.

I have manually compiled libseccomp 2.3.3 and confirm that it solves the issue
above (probably among others).
Long story short: it would indeed be really helpful to package the new upstream
version 2.3.3.

Cheers,
Xavier

Bug#895417: libseccomp: New upstream release 2.3.3

[Simon Ruderich]

Source: libseccomp
Version: 2.3.1-2.1
Severity: normal
Tags: patch

Hello,

please package the new upstream version 2.3.3 which adds support
for the statx syscall (which is already actively used by libqt5)
among others; this should also close #893722.

Patch with the required changes (only unfuzzing of the parisc
patch) is attached.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
diff -u -r libseccomp-2.3.1/debian/changelog libseccomp-2.3.3/debian/changelog
--- libseccomp-2.3.1/debian/changelog	2016-11-17 10:16:44.0 +0100
+++ libseccomp-2.3.3/debian/changelog	2018-04-11 12:09:58.258096960 +0200
@@ -1,3 +1,10 @@
+libseccomp (2.3.3-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream release.
+
+ -- Simon Ruderich   Wed, 11 Apr 2018 12:09:39 +0200
+
 libseccomp (2.3.1-2.1) unstable; urgency=medium
 
   [ Martin Pitt ]
diff -u -r libseccomp-2.3.1/debian/patches/28-parisc_support.patch libseccomp-2.3.3/debian/patches/28-parisc_support.patch
--- libseccomp-2.3.1/debian/patches/28-parisc_support.patch	2016-11-17 10:16:44.0 +0100
+++ libseccomp-2.3.3/debian/patches/28-parisc_support.patch	2018-04-11 12:13:17.451686723 +0200
@@ -65,11 +65,11 @@
  create mode 100644 src/arch-parisc.h
  create mode 100644 src/arch-parisc64.c
 
-Index: libseccomp/include/seccomp.h.in
+Index: libseccomp-2.3.3/include/seccomp.h.in
 ===
 libseccomp.orig/include/seccomp.h.in	2016-05-28 19:57:02.050592727 +0200
-+++ libseccomp/include/seccomp.h.in	2016-05-28 19:57:02.038592653 +0200
-@@ -185,6 +185,12 @@
+--- libseccomp-2.3.3.orig/include/seccomp.h.in
 libseccomp-2.3.3/include/seccomp.h.in
+@@ -186,6 +186,12 @@ struct scmp_arg_cmp {
  #define SCMP_ARCH_S390X		AUDIT_ARCH_S390X
  
  /**
@@ -82,11 +82,11 @@
   * Convert a syscall name into the associated syscall number
   * @param x the syscall name
   */
-Index: libseccomp/src/Makefile.am
+Index: libseccomp-2.3.3/src/Makefile.am
 ===
 libseccomp.orig/src/Makefile.am	2016-05-28 19:57:02.050592727 +0200
-+++ libseccomp/src/Makefile.am	2016-05-28 19:57:02.038592653 +0200
-@@ -35,6 +35,8 @@
+--- libseccomp-2.3.3.orig/src/Makefile.am
 libseccomp-2.3.3/src/Makefile.am
+@@ -35,6 +35,8 @@ SOURCES_ALL = \
  	arch-mips.h arch-mips.c arch-mips-syscalls.c \
  	arch-mips64.h arch-mips64.c arch-mips64-syscalls.c \
  	arch-mips64n32.h arch-mips64n32.c arch-mips64n32-syscalls.c \
@@ -95,10 +95,10 @@
  	arch-ppc.h arch-ppc.c arch-ppc-syscalls.c \
  	arch-ppc64.h arch-ppc64.c arch-ppc64-syscalls.c \
  	arch-s390.h arch-s390.c arch-s390-syscalls.c \
-Index: libseccomp/src/arch-parisc-syscalls.c
+Index: libseccomp-2.3.3/src/arch-parisc-syscalls.c
 ===
 /dev/null	1970-01-01 00:00:00.0 +
-+++ libseccomp/src/arch-parisc-syscalls.c	2016-05-28 19:57:02.042592678 +0200
+--- /dev/null
 libseccomp-2.3.3/src/arch-parisc-syscalls.c
 @@ -0,0 +1,499 @@
 +/*
 + * Copyright (c) 2016 Helge Deller 
@@ -599,10 +599,10 @@
 +	/* XXX - no safety checks here */
 +	return parisc_syscall_table[spot].name;
 +}
-Index: libseccomp/src/arch-parisc.c
+Index: libseccomp-2.3.3/src/arch-parisc.c
 ===
 /dev/null	1970-01-01 00:00:00.0 +
-+++ libseccomp/src/arch-parisc.c	2016-05-28 19:57:02.042592678 +0200
+--- /dev/null
 libseccomp-2.3.3/src/arch-parisc.c
 @@ -0,0 +1,22 @@
 +/*
 + * Copyright (c) 2016 Helge Deller 
@@ -626,10 +626,10 @@
 +	.syscall_rewrite = NULL,
 +	.rule_add = NULL,
 +};
-Index: libseccomp/src/arch-parisc.h
+Index: libseccomp-2.3.3/src/arch-parisc.h
 ===
 /dev/null	1970-01-01 00:00:00.0 +
-+++ libseccomp/src/arch-parisc.h	2016-05-28 19:57:02.042592678 +0200
+--- /dev/null
 libseccomp-2.3.3/src/arch-parisc.h
 @@ -0,0 +1,38 @@
 +/**
 + * Enhanced Seccomp PARISC Specific Code
@@ -669,10 +669,10 @@
 +const char *parisc_syscall_iterate_name(unsigned int spot);
 +
 +#endif
-Index: libseccomp/src/arch-parisc64.c
+Index: libseccomp-2.3.3/src/arch-parisc64.c
 ===
 /dev/null	1970-01-01 00:00:00.0 +
-+++ libseccomp/src/arch-parisc64.c	2016-05-28 19:57:02.042592678 +0200
+--- /dev/null
 libseccomp-2.3.3/src/arch-parisc64.c
 @@ -0,0 +1,22 @@
 +/*
 + * Copyright (c) 2016 Helge Deller 
@@ -696,10 +696,10 @@
 +	.syscall_rewrite = NULL,
 +	.rule_add = NULL,
 +};
-Index: libseccomp/src/arch-syscall-check.c
+Index: libseccomp-2.3.3/src/arch-syscall-check.c
 ===
 libseccomp.orig/src/arch-syscall-check.c	2016-05-28 19:57:02.050592727 +0200
-+++ libseccomp/src/arch-syscall-check.c	2016-05-28 19:57:02.0425926