[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2018-02-15 Thread Francis Ginther
** Tags added: id-5a3bd5fa5445fb1d95040a5b

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1682102

Title:
  libseccomp should support GA and HWE kernels

Status in libseccomp package in Ubuntu:
  Invalid
Status in libseccomp source package in Xenial:
  Fix Released

Bug description:
  [Impact]

  out of date libseccomp w.r.t. custom and hwe kernels provides sub-par
  userspace protection, which is otherwise available on the running kernel
  and hardware combination.
  This results in subpar security of systems running new architectures
  (s390x & ppc64el) and newer hwe/custom kernels.

  * Version 2.3.1 - April 20, 2016
  - Fixed a problem with 32-bit x86 socket syscalls on some systems
  - Fixed problems with ipc syscalls on 32-bit x86
  - Fixed problems with socket and ipc syscalls on s390 and s390x

  * Version 2.3.0 - February 29, 2016
  - Added support for the s390 and s390x architectures
  - Added support for the ppc, ppc64, and ppc64le architectures
  - Update the internal syscall tables to match the Linux 4.5-rcX releases
  - Filter generation for both multiplexed and direct socket syscalls on x86
  - Support for the musl libc implementation
  - Additions to the API to enable runtime version checking of the library
  - Enable the use of seccomp() instead of prctl() on supported systems
  - Added additional tests to the regression test suite

  There is no ABI/API break

  There are no packaging changes, apart from dropping patches included
  in this upstream release and updating new symbols.

  Doing wholesome update is safer and carries less risk, than
  individually cherrypicking effectively all of the above.

  This is a backport to an LTS release under the banner of safe
  introduction of new features and new hardware support.

  It is expected that container technologies will take advantage of the
  newly available libseccomp.

  This may need to be uploaded as a security update.

  Currently, s390x support in xenial libseccomp is incomplete. And there
  are v4.5+ syscall tables missing as used by hwe kernels and some
  custom kernels.

  [Testcase]
  Validate that all main container technologies are operational and do not
  regress, e.g.:
   - lxc
   - lxd
   - docker
   - snapd

  [Regression Potential]
  Userspace components may detect at runtime newly available libseccomp, and
  thus restrict user-space processes more than previously done. This may lead
  to a change of restrictions applied on the user space processes, and result
  in previously unexpected denials / errors returned.

  
  [Proposed Update available in bileto PPA]
  https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2981

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1682102/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
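
The [Regression Potential] point in the bug description above, as an added example (not code from this thread, from libseccomp or from any Ubuntu package): a probe that uses the runtime version check added in libseccomp 2.3.0 and shows how a launcher's confinement decision changes once the newer library is installed. The `confinement_plan` policy, its labels and the two constructed capability sets are hypothetical.

```python
import ctypes
import ctypes.util

SCMP_ARCH_S390X = 0x80000016  # AUDIT_ARCH_S390X: EM_S390 (22) | 64-bit flag
NR_SCMP_ERROR = -1            # __NR_SCMP_ERROR: name or architecture unknown


class ScmpVersion(ctypes.Structure):
    """struct scmp_version, as returned by seccomp_version() (>= 2.3.0)."""
    _fields_ = [("major", ctypes.c_uint),
                ("minor", ctypes.c_uint),
                ("micro", ctypes.c_uint)]


def load_libseccomp():
    """Return a ctypes handle to libseccomp, or None if it is not installed."""
    for name in (ctypes.util.find_library("seccomp"), "libseccomp.so.2"):
        if not name:
            continue
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    return None


def probe(lib):
    """Report what the loaded libseccomp can do, without installing a filter."""
    caps = {"present": lib is not None, "version": None,
            "s390x": False, "linux_4_5_syscalls": False}
    if lib is None:
        return caps

    # seccomp_version() only exists from 2.3.0 on; a missing symbol is
    # itself the signal that the library predates runtime version checks.
    get_version = getattr(lib, "seccomp_version", None)
    if get_version is not None:
        get_version.restype = ctypes.POINTER(ScmpVersion)
        get_version.argtypes = []
        ptr = get_version()
        if ptr:
            v = ptr.contents
            caps["version"] = (v.major, v.minor, v.micro)

    # Can the library translate syscall names for s390x at all?
    by_arch = getattr(lib, "seccomp_syscall_resolve_name_arch", None)
    if by_arch is not None:
        by_arch.restype = ctypes.c_int
        by_arch.argtypes = [ctypes.c_uint32, ctypes.c_char_p]
        caps["s390x"] = by_arch(SCMP_ARCH_S390X, b"read") != NR_SCMP_ERROR

    # copy_file_range was added in Linux 4.5; a table older than that
    # cannot name it, so a filter cannot carry a rule for it.
    by_name = getattr(lib, "seccomp_syscall_resolve_name", None)
    if by_name is not None:
        by_name.restype = ctypes.c_int
        by_name.argtypes = [ctypes.c_char_p]
        caps["linux_4_5_syscalls"] = by_name(b"copy_file_range") != NR_SCMP_ERROR
    return caps


def confinement_plan(caps, target_arch):
    """Hypothetical launcher policy: confine as far as the library allows."""
    if not caps["present"]:
        return "no-filter"
    if target_arch == "s390x" and not caps["s390x"]:
        return "no-filter"            # cannot build a filter for this arch
    if not caps["linux_4_5_syscalls"]:
        return "filter-old-table"     # newer syscalls cannot be named in rules
    return "filter-full"


# Constructed capability sets (not measured on a real system):
PRE_2_3_LIBRARY = {"present": True, "version": None,
                   "s390x": False, "linux_4_5_syscalls": False}
AFTER_BACKPORT = {"present": True, "version": (2, 3, 1),
                  "s390x": True, "linux_4_5_syscalls": True}

if __name__ == "__main__":
    print("this host:", probe(load_libseccomp()))
    for label, caps in (("pre-2.3", PRE_2_3_LIBRARY), ("2.3.1", AFTER_BACKPORT)):
        print(label, "->", confinement_plan(caps, "s390x"))
```

The same workload moves from `no-filter` to `filter-full` on s390x purely because the library changed, which is where the previously unseen denials come from.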


[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2018-01-02 Thread Steve Langasek
And I have set the verification-done tag based on comment #6.



[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2018-01-02 Thread Steve Langasek
It would have expedited the release of this SRU if someone had retried
the systemd/armhf autopkgtest failure, or provided some concrete
analysis of why this test is expected to fail and does not need to be
retried.

I've now retriggered that test, and it has passed.  All of the failing
autopkgtests are now accounted for.

** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done verification-done-xenial



[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2018-01-02 Thread Launchpad Bug Tracker
This bug was fixed in the package libseccomp - 2.3.1-2.1ubuntu2~16.04.1

---
libseccomp (2.3.1-2.1ubuntu2~16.04.1) xenial; urgency=medium

  * Backport libseccomp 2.3.1 to xenial LP: #1682102
    - Improved s390x support
    - Improved support for v4.5+ kernels

 -- Dimitri John Ledkov   Fri, 06 Oct 2017 14:47:39 +0100

** Changed in: libseccomp (Ubuntu Xenial)
   Status: Fix Committed => Fix Released



[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2018-01-02 Thread Dan Watkins
snapd has migrated to xenial-updates without this change landing;
unfortunately, that makes snapd uninstallable on powerpc (as that's the
only architecture where it isn't statically compiled).  snapd is
installed during image builds, so this migration is currently blocking
powerpc cloud images from building.

Status in libseccomp package in Ubuntu:
  Invalid
Status in libseccomp source package in Xenial:
  Fix Committed



[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2018-01-02 Thread Dimitri John Ledkov
snapd failure on s390x. We now do have machine isolation available, but
the tests do not have anything to run:

+ /tmp/go/bin/spread -v autopkgtest:ubuntu-16.04-s390x
2017-12-11 23:35:01 Found /tmp/autopkgtest.ics8dn/build.mFy/src/spread.yaml.
error: nothing matches provider filter

This is a false negative; previous state was untested.

snapd failure on amd64:
2017-12-12 16:40:40 Failed tasks: 1
- autopkgtest:ubuntu-16.04-amd64:tests/main/completion
error: unsuccessful run

Appears to be unrelated to libseccomp.

Status in libseccomp package in Ubuntu:
  Invalid
Status in libseccomp source package in Xenial:
  Fix Committed



[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2017-12-12 Thread Tyler Hicks
As for the failing Xenial snapd autopkgtests...

- amd64: The autopkgtest:ubuntu-16.04-amd64:tests/main/completion fails with
  and without the libseccomp in xenial-proposed
- s390x: No tests are ever run due to the tests requiring "machine-level
  isolation" but that not being available on s390x. However, snapd s390x test
  runs have been hitting an error for about the last month.

Both are false positives and should not be something that keeps
libseccomp from migrating.

Status in libseccomp package in Ubuntu:
  Invalid
Status in libseccomp source package in Xenial:
  Fix Committed



[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2017-11-09 Thread Tyler Hicks
I've successfully performed the testing described in the [libseccomp
Test Case] section of the bug 1567597 description using libseccomp
2.3.1-2.1ubuntu2~16.04.1 from xenial-proposed. It includes the
libseccomp live tests (which aren't used during the build) and a
specific test of the new seccomp logging functionality. (I'm mentioning
my testing here because bug 1567597 isn't mentioned in the changelog of
the SRU upload.)

Status in libseccomp package in Ubuntu:
  Invalid
Status in libseccomp source package in Xenial:
  Fix Committed



[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2017-11-07 Thread Adam Conrad
I built this package in the ubuntu-security-proposed PPA so it can be
released to both -updates and -security (which seems like probably a
sane thing to do) once it's passed the SRU process.

** Changed in: libseccomp (Ubuntu Xenial)
   Status: Confirmed => Fix Committed

** Tags added: verification-needed verification-needed-xenial

Status in libseccomp package in Ubuntu:
  Invalid
Status in libseccomp source package in Xenial:
  Fix Committed



[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2017-10-11 Thread ChristianEhrhardt
A 2.3.x in Xenial would also allow dropping some delta that the Cloud
Archive is adding to "drop" newer seccomp support we add for later
releases - so seconding Tyhicks' question, being interested as well.

Title:
  libseccomp should support GA and HWE kernels

Status in libseccomp package in Ubuntu:
  Confirmed
Status in libseccomp source package in Xenial:
  Confirmed



[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2017-10-06 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
  out of date libseccomp w.r.t. custom and hwe kernels provides sub-par 
userspace protection, which is otherwise available on the running kernel and 
hardware combination.
  This results in subpar security of systems running new architectures (s390x & 
ppc64el) and newer hwe/custom kernels.
  
- * Version 2.3.1 - April 20, 2016  


- - Fixed a problem with 32-bit x86 socket syscalls on some systems 


- - Fixed problems with ipc syscalls on 32-bit x86  


- - Fixed problems with socket and ipc syscalls on s390 and s390x   


-   


- * Version 2.3.0 - February 29, 2016   


- - Added support for the s390 and s390x architectures  


- - Added support for the ppc, ppc64, and ppc64le architectures 


- - Update the internal syscall tables to match the Linux 4.5-rcX releases  


- - Filter generation for both multiplexed and direct socket syscalls on x86


- - Support for the musl libc implementation


- - Additions to the API to enable runtime version checking of the library  


- - Enable the use of seccomp() instead of prctl() on supported systems 


- - Added additional tests to the regression test suite  
+ * Version 2.3.1 - April 20, 2016
+ - Fixed a problem with 32-bit x86 socket syscalls on some systems
+ - Fixed problems with ipc syscalls on 32-bit x86
+ - Fixed problems with socket and ipc syscalls on s390 and s390x
+ 
+ * Version 2.3.0 - February 29, 2016
+ - Added support for the s390 and s390x architectures
+ - Added support for the ppc, ppc64, and ppc64le architectures
+ - Update the internal syscall tables to match the Linux 4.5-rcX releases
+ - Filter generation for both multiplexed and direct socket syscalls on x86
+ - Support for the musl libc implementation
+ - Additions to the API to enable runtime version checking of the library
+ - Enable the use of seccomp() instead of prctl() on supported systems
+ - Added additional tests to the regression test suite
  
  There is no ABI/API break
  
  There are no packaging changes, apart from dropping patches included in
  this upstream release and updating new symbols.
  
  Doing wholesome update is safer and carries less risk, than individually
  cherrypicking effectively all of the above.
  
  This is a backport to an LTS release under the banner of safe
  introduction of new features and new hardware support.
  
  It is expected that container technologies will take advantage of the
  newly available libseccomp.
  
  This may need to be uploaded as a security update.
  
  Currently, s390x support in xenial libssecomp is incomplete. And there
  are v4.5+ syscall tables missing as used by hwe kernels and some custom
  kernels.
  
  [Testcase]
  Validate that all main contianer technologies are operational and do not 
regress, e.g.:
-  - lxc
-  - lxd
-  - docker
-  - snapd
+  - lxc
+  - lxd
+  - docker
+  - snapd
  
  [Regression Potential]
  Userspace components may detect at runtime newly available libseccomp, and 
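Review bot: the [Testcase] list (lxc, lxd, docker, snapd) is only re-indented here and still gives no commands, kernel flavour or pass criteria, even though the [Regression Potential] text that follows starts from the premise that userspace components may detect the newer libseccomp at runtime. Suggest stating, per technology, what to run on both a GA and an HWE kernel and what counts as a regression, so the verification can catch the behaviour change the description itself anticipates. The unchanged context lines also still carry the typos "libssecomp" and "contianer".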

[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2017-10-06 Thread Dimitri John Ledkov
** Description changed:

- Currently libseccomp version in Ubuntu are:
+ [Impact]
  
-  libseccomp | 2.2.3-3ubuntu3   | xenial | 
source
-  libseccomp | 2.3.1-2ubuntu2   | yakkety| 
source
-  libseccomp | 2.3.1-2.1ubuntu1 | zesty  | 
source
+ out of date libseccomp w.r.t. custom and hwe kernels provides sub-par 
userspace protection, which is otherwise available on the running kernel and 
hardware combination.
+ This results in subpar security of systems running new architectures (s390x & 
ppc64el) and newer hwe/custom kernels.
  
- The difference between 2.2.3 and 2.3.1 is 63 upstream commits.
+ * Version 2.3.1 - April 20, 2016  


+ - Fixed a problem with 32-bit x86 socket syscalls on some systems 


+ - Fixed problems with ipc syscalls on 32-bit x86  


+ - Fixed problems with socket and ipc syscalls on s390 and s390x   


+   


+ * Version 2.3.0 - February 29, 2016   


+ - Added support for the s390 and s390x architectures  


+ - Added support for the ppc, ppc64, and ppc64le architectures 


+ - Update the internal syscall tables to match the Linux 4.5-rcX releases  


+ - Filter generation for both multiplexed and direct socket syscalls on x86


+ - Support for the musl libc implementation


+ - Additions to the API to enable runtime version checking of the library  


+ - Enable the use of seccomp() instead of prctl() on supported systems 


+ - Added additional tests to the regression test suite  
  
- Of those commits, 7 are already cherrypicked into xenial for s390x
- support.
+ There is no ABI/API break
  
- However that s390x support is incomplete as multiplexed syscalls are not
- supported.
+ There are no packaging changes, apart from dropping patches included in
+ this upstream release and updating new symbols.
  
- A request has been filed to support multiplexed syscalls in libseccomp
- in xenial at
- https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1679691
+ Doing wholesome update is safer and carries less risk, than individually
+ cherrypicking effectively all of the above.
  
- That is a request for further 18 commits to backport, bringing the total
- to 25.
+ This is a backport to an LTS release under the banner of safe
+ introduction of new features and new hardware support.
  
- Looking at the remaining 38 commits there are:
- - documentation updates
- - tools updates
- - tests updates
- - bugfixes
- - updates to syscall tables for linux 4.3, 4.5-rc4+
+ It is expected that container technologies will take advantage of the
+ newly available libseccomp.
  
- IMHO, in the future when libseccomp is updated to support 4.10 kernel
- syscalls, it should be backported back to xenial too, to properly suppor
- the HWE kernels.
+ This may need to be uploaded as a security update.
+ 
+ Currently, s390x support in xenial libssecomp is incomplete. And there
+ are v4.5+ syscall tables missing as used by 
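Review bot: the rewritten description drops the version table (xenial at 2.2.3-3ubuntu3, yakkety and zesty at 2.3.1) and the commit accounting (63 upstream commits between 2.2.3 and 2.3.1, 7 already cherrypicked, 18 more requested in bug 1679691), which is the evidence behind the new claim that a full update "carries less risk" than cherrypicking. Suggest keeping those figures, or at least the link to bug 1679691, under [Impact]. The line "There is no ABI/API break" would also benefit from a pointer to a symbols comparison, since the next paragraph says new symbols are being updated.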

[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2017-10-05 Thread Tyler Hicks
@xnox bringing zesty's libseccomp back to xenial may be needed for some
kernel/snapd/libseccomp changes that I'm working on. Have you spent any
time investigating such a change?

Title:
  libseccomp should support GA and HWE kernels

Status in libseccomp package in Ubuntu:
  Confirmed
Status in libseccomp source package in Xenial:
  Confirmed

Bug description:
  The libseccomp versions currently in Ubuntu are:

   libseccomp | 2.2.3-3ubuntu3   | xenial  | source
   libseccomp | 2.3.1-2ubuntu2   | yakkety | source
   libseccomp | 2.3.1-2.1ubuntu1 | zesty   | source

  The difference between 2.2.3 and 2.3.1 is 63 upstream commits.

  Of those commits, 7 are already cherrypicked into xenial for s390x
  support.

  However that s390x support is incomplete as multiplexed syscalls are
  not supported.

  A request has been filed to support multiplexed syscalls in libseccomp
  in xenial at
  https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1679691

  That is a request for further 18 commits to backport, bringing the
  total to 25.

  Looking at the remaining 38 commits there are:
  - documentation updates
  - tools updates
  - tests updates
  - bugfixes
  - updates to syscall tables for linux 4.3, 4.5-rc4+

  IMHO, in the future when libseccomp is updated to support 4.10 kernel
  syscalls, it should be backported back to xenial too, to properly
  support the HWE kernels.



[Touch-packages] [Bug 1682102] Re: libseccomp should support GA and HWE kernels

2017-04-24 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: libseccomp (Ubuntu)
   Status: New => Confirmed
