[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-09-30 Thread Mathew Hodson
** Changed in: systemd (Ubuntu Xenial)
   Status: Invalid => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  Fix Released
Status in systemd source package in Xenial:
  Won't Fix
Status in libseccomp source package in Bionic:
  Fix Released
Status in systemd source package in Bionic:
  Fix Released
Status in libseccomp source package in Focal:
  Fix Released
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  Fix Released
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  The version of libseccomp2 in X/B/F/G does not know about the openat2
  syscall. As such applications that use libseccomp cannot specify a
  system-call filter against this system-call and so it cannot be
  mediated.

  [Test Plan]

  This can be tested by simply running scmp_sys_resolver from the
  seccomp binary package and specifying this system-call:

  Existing behaviour:

  $ scmp_sys_resolver openat2
  -1

  Expected behaviour:

  $ scmp_sys_resolver openat2
  437

  (Note this value will be different on other architectures)

  [Where problems could occur]

  In version 2.5.1 of libseccomp which adds this new system-call,
  changes were also made in the way the socket system-call is handled by
  libseccomp on PPC platforms - this resulted in a change in the
  expected behaviour and so this has already been noticed and a fix is
  required for the systemd unit tests as a result
  https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696

  There was also a similar change for s390x but so far no regressions
  have been observed as a result as systemd already expected that
  behaviour from libseccomp, it was only PPC that was missing.

  In the event that a regression is observed however, we can easily
  either patch the affected package to cope with the new behaviour of
  this updated libseccomp since in each case the change in behaviour
  only affects a few system calls on particular architectures, or we can
  revert this update.

  [Other Info]

   * As usual thorough testing of this update has been performed both
  manually via the QA Regression Testing scripts, and via the
  autopkgtest infrastructure against packages in the Ubuntu Security
  Proposed PPA
  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/
  with results seen
  https://people.canonical.com/~platform/security-britney/current/

  I have attached debdiffs of the prepared updates which are also
  sitting in the Ubuntu Security Proposed PPA.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
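
The test plan above, turned into a repeatable check (an added example, not part of the bug report or of libseccomp): it asks the resolver about openat2 and faccessat2, the two syscalls this thread's changelogs add, and lists any that come back unknown. The function name and the SCMP_RESOLVER override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. SCMP_RESOLVER is an assumed override
# hook of this script (not a libseccomp feature); it defaults to the real tool.
: "${SCMP_RESOLVER:=scmp_sys_resolver}"

# unresolved_syscalls ARCH NAME...
#   ARCH is "native" or a name accepted by `scmp_sys_resolver -a`.
#   Prints "ARCH NAME" for every name the library cannot resolve and
#   returns 1 if there was at least one, 0 otherwise.
unresolved_syscalls() {
    arch=$1
    shift
    missing=0
    for name in "$@"; do
        if [ "$arch" = native ]; then
            nr=$("$SCMP_RESOLVER" "$name" 2>/dev/null) || nr=-1
        else
            nr=$("$SCMP_RESOLVER" -a "$arch" "$name" 2>/dev/null) || nr=-1
        fi
        case "$nr" in
            # -1 is the "unknown name" answer shown in the test plan; empty or
            # non-numeric output means the resolver itself did not run.
            -1 | '' | *[!0-9-]*)
                printf '%s %s\n' "$arch" "$name"
                missing=1
                ;;
            # Anything else counts as resolved, including the other negative
            # values libseccomp uses as pseudo-numbers for names that have no
            # direct syscall on that architecture.
        esac
    done
    return "$missing"
}

# Usage: unresolved_syscalls native openat2 faccessat2
```

A non-zero return means a filter built against this library cannot name at least one of the listed syscalls, so that call falls through to the filter's default action.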


[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-15 Thread Launchpad Bug Tracker
This bug was fixed in the package systemd - 237-3ubuntu10.46

---
systemd (237-3ubuntu10.46) bionic; urgency=medium

  * d/p/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch:
    Add support for faccessat2 (LP: #1916485)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b5f11a9baecf0cefb503632e938d473234172128
  * d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch:
    Stop attempting to restrict address families on ppc archs
    (LP: #1918696)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4569a047ece8b1b300ef63e49b5aea8aba35c500
  * d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch:
    Add openat2() syscall to seccomp filter list
    (LP: #1891810)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2ddfbfa79af4f22b7adf946c4299433fd74a4f17

 -- Dan Streetman  Wed, 17 Mar 2021 17:38:05 -0400

** Changed in: systemd (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  Fix Released
Status in systemd source package in Xenial:
  Invalid
Status in libseccomp source package in Bionic:
  Fix Released
Status in systemd source package in Bionic:
  Fix Released
Status in libseccomp source package in Focal:
  Fix Released
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  Fix Released
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  Fix Released



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-13 Thread Launchpad Bug Tracker
This bug was fixed in the package libseccomp - 2.5.1-1ubuntu1~16.04.1

---
libseccomp (2.5.1-1ubuntu1~16.04.1) xenial; urgency=medium

  * Updated to new upstream 2.5.1 version for updated syscalls support
    (LP: #1891810)
    - Removed the following patches that are now included in the new version:
      + d/p/fix-aarch64-syscalls.patch
      + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch
      + d/p/db-add-shadow-transactions.patch
    - Deleted the patch to add a local copy of architecture specific header
      files from linux-libc-dev/focal as this is not needed anymore
      + d/p/add-5.4-local-syscall-headers.patch
    - debian/control: Added gperf to Build-Depends as this is now required
      by upstream
    - debian/libseccomp2.symbols: Added new symbols
  * Add system call headers for powerpc required for backport to xenial
    - d/p/add-5.8-powerpc-syscall-headers.patch

 -- Alex Murray  Mon, 01 Mar 2021 13:50:00 +1030

** Changed in: libseccomp (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  Fix Released
Status in systemd source package in Xenial:
  Invalid
Status in libseccomp source package in Bionic:
  Fix Released
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Released
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  Fix Released
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  Fix Released



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-13 Thread Launchpad Bug Tracker
This bug was fixed in the package libseccomp - 2.5.1-1ubuntu1~18.04.1

---
libseccomp (2.5.1-1ubuntu1~18.04.1) bionic; urgency=medium

  * Updated to new upstream 2.5.1 version for updated syscalls support
    (LP: #1891810)
    - Removed the following patches that are now included in the new version:
      + d/p/fix-aarch64-syscalls.patch
      + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch
      + d/p/db-add-shadow-transactions.patch
    - Deleted the patch to add a local copy of architecture specific header
      files from linux-libc-dev/focal as this is not needed anymore
      + d/p/add-5.4-local-syscall-headers.patch
    - debian/control: Added gperf to Build-Depends as this is now required
      by upstream
    - debian/libseccomp2.symbols: Added new symbols
  * Add system call headers for powerpc required for backport to xenial
    - d/p/add-5.8-powerpc-syscall-headers.patch

 -- Alex Murray  Mon, 01 Mar 2021 13:49:23 +1030

** Changed in: libseccomp (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  Invalid
Status in libseccomp source package in Bionic:
  Fix Released
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Released
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  Fix Released
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  Fix Released



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-13 Thread Alex Murray
libseccomp on bionic looks good from what I can see on
https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#libseccomp
- can this please
migrate now?

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  Invalid
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Released
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  Fix Released
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  Fix Released



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-13 Thread Alex Murray
similarly for xenial there is only one failure for libseccomp
autopkgtests which is systemd/i386 -
https://people.canonical.com/~ubuntu-archive/proposed-migration/xenial/update_excuses.html#libseccomp
- and this looks
reasonably flaky in recent history
https://autopkgtest.ubuntu.com/packages/s/systemd/xenial/i386 - I
discussed this back in comment 33
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/comments/33
above - so would it be possible to promote this as well even with this
failure? thanks :)



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-12 Thread Launchpad Bug Tracker
This bug was fixed in the package libseccomp - 2.5.1-1ubuntu1~20.04.1

---
libseccomp (2.5.1-1ubuntu1~20.04.1) focal; urgency=medium

  * Updated to new upstream 2.5.1 version for updated syscalls support
    (LP: #1891810)
    - Removed the following patches that are now included in the new version:
      + d/p/cython3.patch
      + d/p/riscv64_support.patch
      + d/p/fix-aarch64-syscalls.patch
      + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch
      + d/p/db-add-shadow-transactions.patch
    - Deleted the patch to add a local copy of architecture specific header
      files from linux-libc-dev/focal as this is not needed anymore
      + d/p/add-5.4-local-syscall-headers.patch
    - debian/control: Added gperf to Build-Depends as this is now required
      by upstream
    - debian/libseccomp2.symbols: Added new symbols
  * Add system call headers for powerpc required for backport to xenial
    - d/p/add-5.8-powerpc-syscall-headers.patch

 -- Alex Murray  Mon, 01 Mar 2021 13:47:46 +1030

** Changed in: libseccomp (Ubuntu Focal)
   Status: Fix Committed => Fix Released



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-12 Thread Łukasz Zemczak
For bionic there's a few ADT regressions for libseccomp - I re-ran them,
let's see if they pass now.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  Invalid
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Released
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  Fix Released
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  The version of libseccomp2 in X/B/F/G does not know about the openat2
  syscall. As such applications that use libseccomp cannot specify a
  system-call filter against this system-call and so it cannot be
  mediated.

  [Test Plan]

  This can be tested by simply running scmp_sys_resolver from the
  seccomp binary package and specifying this system-call:

  Existing behaviour:

  $ scmp_sys_resolver openat2
  -1

  Expected behaviour:

  $ scmp_sys_resolver openat2
  437

  (Note this value will be different on other architectures)

  [Where problems could occur]

  In version 2.5.1 of libseccomp which adds this new system-call,
  changes were also made in the way the socket system-call is handled by
  libseccomp on PPC platforms - this resulted in a change in the
  expected behaviour and so this has already been noticed and a fix is
  required for the systemd unit tests as a result
  https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696

  There was also a similar change for s390x but so far no regressions
  have been observed as a result as systemd already expected that
  behaviour from libseccomp, it was only PPC that was missing.

  In the event that a regression is observed however, we can easily
  either patch the affected package to cope with the new behaviour of
  this updated libseccomp since in each case the change in behaviour
  only affects a few system calls on particular architectures, or we can
  revert this update.

  [Other Info]

   * As usual thorough testing of this update has been performed both
  manually via the QA Regression Testing scripts, and via the
  autopkgtest infrastructure against packages in the Ubuntu Security
  Proposed PPA
  https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/
  with results seen
  https://people.canonical.com/~platform/security-britney/current/
  I have attached debdiffs of the prepared updates which are also
  sitting in the Ubuntu Security Proposed PPA.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1891810/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
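
The [Test Plan] check above, generalised into a script (an added example, not part of the bug report or of libseccomp): it resolves several syscall names for a chosen architecture with `scmp_sys_resolver -a` and flags any that come back as -1, meaning no filter rule can name them. The function names and the `SCMP_RESOLVER` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit which syscall names the installed libseccomp can resolve.
# SCMP_RESOLVER is a hypothetical override so the check can be exercised with a
# stub; it defaults to the real tool from the seccomp binary package.
: "${SCMP_RESOLVER:=scmp_sys_resolver}"

# classify_syscall ARCH NAME
# Prints "NAME ARCH STATUS NUMBER" where STATUS is one of:
#   ok       non-negative number: a filter rule can name this syscall
#   pseudo   negative other than -1: libseccomp knows the name, but it is not
#            a native syscall number on ARCH (a libseccomp pseudo-number)
#   unknown  -1 or no usable output: the library has no entry for the name,
#            so the syscall cannot be mediated by name
classify_syscall() {
    c_arch=$1
    c_name=$2
    c_num=$("$SCMP_RESOLVER" -a "$c_arch" "$c_name" 2>/dev/null) || c_num=-1
    case $c_num in
        ''|-1|*[!0-9-]*) c_status=unknown; c_num=-1 ;;
        -*)              c_status=pseudo ;;
        *)               c_status=ok ;;
    esac
    printf '%s %s %s %s\n' "$c_name" "$c_arch" "$c_status" "$c_num"
}

# audit_syscalls ARCH NAME...
# Prints one classification line per syscall and returns 1 if any is unknown,
# so it can gate a package test or a CI job.
audit_syscalls() {
    a_arch=$1
    shift
    a_rc=0
    for a_name in "$@"; do
        a_line=$(classify_syscall "$a_arch" "$a_name")
        printf '%s\n' "$a_line"
        case $a_line in
            *' unknown '*) a_rc=1 ;;
        esac
    done
    return "$a_rc"
}

# When run with arguments, e.g.:  sh audit.sh x86_64 openat2 faccessat2
[ "$#" -eq 0 ] || audit_syscalls "$@"
```

Because the resolved number differs per architecture, run the audit once per architecture the filter will be built for rather than comparing against a fixed value such as 437.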


[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-09 Thread Dan Streetman
marking invalid for systemd in x, as the seccomp support there is
completely different

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  Invalid
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  Fix Released
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  Fix Released



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-09 Thread Dan Streetman
openat2 was added upstream in commit 8270e3d8ed3 which is included in
v246 so this is fixed already in g and later, marking as fix released

** Changed in: systemd (Ubuntu Groovy)
   Status: New => Fix Released

** Changed in: systemd (Ubuntu Hirsute)
   Status: New => Fix Released

** Changed in: systemd (Ubuntu Xenial)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  Invalid
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  Fix Released
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  Fix Released



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-06 Thread Launchpad Bug Tracker
This bug was fixed in the package libseccomp - 2.5.1-1ubuntu1~20.10.1

---
libseccomp (2.5.1-1ubuntu1~20.10.1) groovy; urgency=medium

  * Updated to new upstream 2.5.1 version for updated syscalls support
    (LP: #1891810)
    - Removed the following patches that are now included in the new version:
      + d/p/cython3.patch
      + d/p/riscv64_support.patch
      + d/p/fix-aarch64-syscalls.patch
      + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch
      + d/p/db-add-shadow-transactions.patch
    - Deleted the patch to add a local copy of architecture specific header
      files from linux-libc-dev/focal as this is not needed anymore
      + d/p/add-5.4-local-syscall-headers.patch
    - debian/control: Added gperf to Build-Depends as this is now required
      by upstream
    - debian/libseccomp2.symbols: Added new symbols
  * Add system call headers for powerpc required for backport to xenial
    - d/p/add-5.8-powerpc-syscall-headers.patch

 -- Alex Murray   Mon, 01 Mar 2021 13:50:23 +1030

** Changed in: libseccomp (Ubuntu Groovy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-06 Thread Launchpad Bug Tracker
This bug was fixed in the package systemd - 245.4-4ubuntu3.6

---
systemd (245.4-4ubuntu3.6) focal; urgency=medium

  * debian/patches/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch:
    Add support for faccessat2 (LP: #1916485)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=affb2c6507dccfeed02820a2267639648e2a2260
  * d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch:
    Stop attempting to restrict address families on ppc archs
    (LP: #1918696)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=daff4b6604362fcb5d305682216d5ca15a4c5738
  * d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch:
    Add openat2() syscall to seccomp filter list
    (LP: #1891810)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=69c8a684e2513b2f6530e5a5cf15c83abfb7bc74
  * d/p/lp1915887-Downgrade-a-couple-of-warnings-to-debug.patch:
    Downgrade some log messages so they stop spamming logs
    (LP: #1915887)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3c2c4731b90ed430ca1790270e69cd125643b94b
  * d/p/lp1887744-basic-unit-file-when-loading-linked-unit-files-use-l.patch:
    Use src name, not dst name, of symlinked unit files (LP: #1887744)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=03770601097cfdc09adeadf5593083da69345409

 -- Dan Streetman   Wed, 17 Mar 2021 17:36:08 -0400

** Changed in: systemd (Ubuntu Focal)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-06 Thread Brian Murray
Actually the Groovy question seems to be answered by the upload of
systemd for bug 1918696.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-04-06 Thread Brian Murray
I don't see a reply to sil2100's question in comment #22:

"I see systemd has a 'fix' for this bug in the focal upload so adding
the systemd task to the bug as well. Should we assume the systemd parts
are already there for hirsute and groovy? I'd like someone to check."

Is the systemd part already fixed in Groovy?

Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Released
Status in libseccomp source package in Groovy:
  Fix Released
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-03-29 Thread Alex Murray
For the focal autopkgtest failures above:

docker.io/19.03.8-0ubuntu1.20.04.2 (arm64)
systemd/245.4-4ubuntu3.5 (ppc64el)

The docker.io/arm64 failed due to network issues in the test
infrastructure:

+ lxc launch ubuntu-daily:focal/arm64 docker -c security.nesting=true
Creating docker
Error: Failed instance creation: Get "https://cloud-images.ubuntu.com/daily/streams/v1/index.json": Unable to connect to: cloud-images.ubuntu.com:443


So should hopefully be fine if retriggered.

And again the systemd/ppc64el failure is already known and covered by
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1918696

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Committed
Status in libseccomp source package in Groovy:
  Fix Committed
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-03-29 Thread Alex Murray
The systemd/229-4ubuntu21.29 (i386) test looks very flaky - this seems
to fail more often than not looking at
https://autopkgtest.ubuntu.com/packages/s/systemd/xenial/i386 - and the
tests which failed for the libseccomp 2.5.1-1ubuntu1~16.04.1 run
(boot-and-services and boot-smoke) also failed for a recent
linux-meta/4.4.0.206.212 linux/4.4.0-206.238 run too -
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/i386/s/systemd/20210317_135037_af8e7@/log.gz
- but then passed on the next linux-meta upload. So this looks like a
false positive in this case.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1891810

Title:
  Backport 2.5.1 to fix missing openat2 syscall, causing problems for
  fuse-overlayfs in nspawn containers

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Committed
Status in libseccomp source package in Groovy:
  Fix Committed
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New



[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-03-29 Thread Alex Murray
Regarding the failing autopkgtests from bionic reported in comment #28:

 - the containerd and chrony ones on s390x are transient failures due to
networking issues in the test infrastructure so should hopefully pass on
a re-run.

 - I can't reproduce the flatpak/amd64 failure locally so I assume this
may pass on a re-run as well - this was run locally via:

autopkgtest --apt-pocket proposed=src:libseccomp --apt-upgrade flatpak -- qemu /home/amurray/images/autopkgtest-bionic-amd64.img


 - the systemd/ppc64el failure is addressed by LP: #1918696

 - lxc/i386 is a flaky test timeout - this failure has been observed in
past runs of this as well as can be seen in the following:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/i386/l/lxc/20210120_133932_9027d@/log.gz
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/i386/l/lxc/20210113_162315_b38c3@/log.gz
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/i386/l/lxc/20210111_172145_15dd5@/log.gz

  so with any luck this test should also pass on a re-run too

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Committed
Status in libseccomp source package in Groovy:
  Fix Committed
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New


[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-03-29 Thread Alex Murray
Tested for libseccomp as follows:

cat 

[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-03-29 Thread Alex Murray
The fix for systemd's LP: #1918696 is not in the systemd xenial SRU
since, as noted in that bug, systemd in xenial doesn't include upstream
commit 469830d1426a91e0897c321fdc8ee428f0a750c1 which reworked the code
to switch from seccomp_rule_add to seccomp_rule_add_exact. In this case
systemd could handle lack of arch support itself, instead of allowing
the 'not exact' seccomp syscall to just ignore the call due to lack of
arch support.

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Committed
Status in libseccomp source package in Groovy:
  Fix Committed
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New


[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-03-29 Thread Łukasz Zemczak
I don't see a fix for systemd's LP: #1918696 in the systemd xenial SRU
in the queue - is xenial unaffected by the ppc64el test issues? Also,
SRUs for focal and groovy had some additional systemd changes besides
libseccomp to get things working - are those also not needed in xenial?

I'd like someone to make sure that's the case.

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Committed
Status in libseccomp source package in Groovy:
  Fix Committed
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New


[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-03-29 Thread Łukasz Zemczak
Hello Steve, or anyone else affected,

Accepted libseccomp into bionic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/libseccomp/2.5.1-1ubuntu1~18.04.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: libseccomp (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-bionic

** Changed in: systemd (Ubuntu Bionic)
   Status: New => Fix Committed

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  Fix Committed
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  Fix Committed
Status in systemd source package in Bionic:
  Fix Committed
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Committed
Status in libseccomp source package in Groovy:
  Fix Committed
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New


[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-03-29 Thread Łukasz Zemczak
I see systemd has a 'fix' for this bug in the focal upload so adding the
systemd task to the bug as well. Should we assume the systemd parts are
already there for hirsute and groovy? I'd like someone to check.

** Also affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: systemd (Ubuntu Focal)
   Status: New => Fix Committed

Status in libseccomp package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  New
Status in libseccomp source package in Xenial:
  In Progress
Status in systemd source package in Xenial:
  New
Status in libseccomp source package in Bionic:
  In Progress
Status in systemd source package in Bionic:
  New
Status in libseccomp source package in Focal:
  Fix Committed
Status in systemd source package in Focal:
  Fix Committed
Status in libseccomp source package in Groovy:
  Fix Committed
Status in systemd source package in Groovy:
  New
Status in libseccomp source package in Hirsute:
  Fix Released
Status in systemd source package in Hirsute:
  New


[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-03-29 Thread Łukasz Zemczak
Hello Steve, or anyone else affected,

Accepted libseccomp into focal-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/libseccomp/2.5.1-1ubuntu1~20.04.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-focal to verification-done-focal. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-focal. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: libseccomp (Ubuntu Focal)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-focal

Status in libseccomp package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  In Progress
Status in libseccomp source package in Bionic:
  In Progress
Status in libseccomp source package in Focal:
  Fix Committed
Status in libseccomp source package in Groovy:
  Fix Committed
Status in libseccomp source package in Hirsute:
  Fix Released


[Touch-packages] [Bug 1891810] Re: Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

2021-03-29 Thread Łukasz Zemczak
Adjusted title to make it clear that this is also a full backport of
2.5.1 to the stable series. Please make sure to do some additional
general regression testing!

** Summary changed:

- Missing openat2 syscall, causes problems for fuse-overlayfs in nspawn containers
+ Backport 2.5.1 to fix missing openat2 syscall, causing problems for fuse-overlayfs in nspawn containers

** Changed in: libseccomp (Ubuntu Groovy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-groovy

Status in libseccomp package in Ubuntu:
  Fix Released
Status in libseccomp source package in Xenial:
  In Progress
Status in libseccomp source package in Bionic:
  In Progress
Status in libseccomp source package in Focal:
  In Progress
Status in libseccomp source package in Groovy:
  Fix Committed
Status in libseccomp source package in Hirsute:
  Fix Released
