[Bug 1785414] Re: Backport seccomp sandbox fixes to 18.04

2018-10-23 Thread Launchpad Bug Tracker
This bug was fixed in the package man-db - 2.8.3-2ubuntu0.1

---
man-db (2.8.3-2ubuntu0.1) bionic; urgency=medium

  * Backport seccomp sandbox improvements from 2.8.4 (LP: #1785414):
    - Allow sched_getaffinity, used by xz in some cases.
    - Allow some shared memory operations, required by preloaded libraries
      such as the Astrill VPN.
    - Improve ESET File Security compatibility further.

 -- Colin Watson   Sat, 04 Aug 2018 20:16:12 +0100

** Changed in: man-db (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1785414

Title:
  Backport seccomp sandbox fixes to 18.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/man-db/+bug/1785414/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
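
An added illustration, not man-db's own sandbox code (which this thread does not show): a child confined by a seccomp allow-list dies with SIGSYS, reported by the shell as "Bad system call", when it calls sched_getaffinity, and survives once that call is added to the list. The names run_sandboxed and NATIVE_ARCH, the two-entry allow-list and the kill action are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Fork a child, confine it with a constructed allow-list, call sched_getaffinity.
 * Returns the fatal signal number, 0 if the child survived, -1 on setup error. */
int run_sandboxed(int allow_getaffinity)
{
    long extra = allow_getaffinity ? SYS_sched_getaffinity : SYS_exit_group;
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 3), /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, extra, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* not listed: SIGSYS */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { sizeof prog / sizeof prog[0], prog };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        unsigned long mask[128];  /* 8192 CPU bits, large enough for the kernel */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog)) _exit(2);
        syscall(SYS_sched_getaffinity, 0, sizeof mask, mask);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : (WEXITSTATUS(status) ? -1 : 0);
}

int main(void) { return run_sandboxed(0) == SIGSYS && run_sandboxed(1) == 0 ? 0 : 1; }
```

The same failure appears whenever code running inside the sandboxed process, including a library injected through /etc/ld.so.preload, issues a call the list does not name.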

[Bug 1785414] Re: Backport seccomp sandbox fixes to 18.04

2018-10-23 Thread Colin Watson
Thanks.  Sounds like I still missed something but it's at least no worse
than before, so I think that's good enough for verification-done.

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic


[Bug 1785414] Re: Backport seccomp sandbox fixes to 18.04

2018-09-24 Thread Bernd Wagner
Thanks, Colin, for providing the fixes+backport and Brian, for including
them into the repository.

I hope the following serves at least as a regression test.

[Test Cases]
1)  ESET NOD32 Antivirus4 4.0.90.0 with /etc/ld.so.preload (which serves to scan files on access)
1a) man-db 2.8.3-2 and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
1b) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
1c) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution, additionally xz-utils 5.2.4 installed to /usr/local (without package)

In all cases 1x) Update of the Manual-DB e.g. by "sudo mandb -c" leads to the error messages:
...
/usr/bin/mandb: zcat < /usr/share/man/man1/lz4_decompress.1.gz: Bad system call
/usr/bin/mandb: /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE -q: Bad system call
/usr/bin/mandb: zcat: Bad system call
...

For 1b and 1c this was also tested with XZ_DEFAULTS=--threads=0.

In all cases 1x) "man mandb" formats correctly.
(Maybe that was a problem with earlier ESET versions.)

2)  ESET NOD32 Antivirus4 4.0.90.0 without /etc/ld.so.preload
2a) man-db 2.8.3-2 and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
2b) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
2c) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution, additionally xz-utils 5.2.4 installed to /usr/local (without package)

all 2x) ok for man-db generation and formatting of man pages

System Architecture:
i386
Ubuntu 18.04
Kernel Linux pc2 4.15.0-33201808301234-generic #0+mediatree+hauppauge-Ubuntu SMP Thu Aug 30 19:02:06 UTC 2018 i686 i686 i686 GNU/Linu

The mandb problem doesn't occur with my 64bit Ubuntu installation,
although ESET is installed there as well!

Conclusion:
The bugfix doesn't resolve my problem, but it doesn't make things worse for me,
so if it helps others...

Thanks for providing it.


[Bug 1785414] Re: Backport seccomp sandbox fixes to 18.04

2018-08-24 Thread Simon Déziel
I couldn't reproduce the problem with XZ_DEFAULTS=--threads=0 but
according to [1], it requires xz-utils >= 5.2.3 and 18.04 has 5.2.2-1.3.
I found no regression but I have NOT tested the ESET/VPN cases.

1: https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e


[Bug 1785414] Re: Backport seccomp sandbox fixes to 18.04

2018-08-09 Thread Brian Murray
Hello Colin, or anyone else affected,

Accepted man-db into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/man-db/2.8.3-2ubuntu0.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: man-db (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-bionic


[Bug 1785414] Re: Backport seccomp sandbox fixes to 18.04

2018-08-04 Thread Amr Ibrahim
** Summary changed:

- Backport seccomp sandbox fixes to 16.04
+ Backport seccomp sandbox fixes to 18.04

** Description changed:

  I applied several fixes to the seccomp sandbox in man-db 2.8.4, and I
- think they would all be worth backporting to 16.04.  They're all corner
+ think they would all be worth backporting to 18.04.  They're all corner
  cases, but at least the second and third of them turned up in an
  AskUbuntu post (https://askubuntu.com/questions/1039629/setting-up-man-
  db-crashes-system-with-bad-system-calls) and I had a fair amount of
  email responses to requests for details about it.  Here are the details:
  
-  * sandbox: Allow sched_setaffinity
-
https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e
+  * sandbox: Allow sched_setaffinity
+    
https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e
  
-It's possible to run into this if reading xz-compressed manual pages
+    It's possible to run into this if reading xz-compressed manual pages
  with (e.g.) XZ_DEFAULTS=--threads=0 set in the environment.
  
-  * sandbox: Allow some shared memory operations
-
https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=5e08ee9a4e563abedbdd2768c8bbfd96b57c1859
+  * sandbox: Allow some shared memory operations
+    
https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=5e08ee9a4e563abedbdd2768c8bbfd96b57c1859
  
-Some unusual software that installs itself in /etc/ld.so.preload
+    Some unusual software that installs itself in /etc/ld.so.preload
  breaks man without this patch, such as the Astrill VPN.
  
-  * sandbox: Improve ESET compatibility further
-
https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=7582fb9d69a126a53ee11223b12346d38c0f333a
+  * sandbox: Improve ESET compatibility further
+    
https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=7582fb9d69a126a53ee11223b12346d38c0f333a
  
-This is a refinement to some previous work I did to cope with ESET
+    This is a refinement to some previous work I did to cope with ESET
  File Security (an antivirus program that installs itself in
  /etc/ld.so.preload).
  
  [Test Case]
  The first patch can be tested by recompressing a manual page using xz and 
setting XZ_DEFAULTS=--threads=0 before trying to read it.  The other two 
require having Astrill or ESET installed; if this SRU is accepted I'll solicit 
feedback from people who do, although I think it would be sufficient for SRU 
purposes to just make sure that ordinary browsing of manual pages still works.
  
  [Regression Potential]
  This only adds more system calls to what the sandbox permits, so ensuring 
that man still works should be enough to catch all regressions.
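
Review bot: the first bullet of the description reads "sandbox: Allow sched_setaffinity" on both its removed and added lines, while the changelog for 2.8.3-2ubuntu0.1 in this thread reads "Allow sched_getaffinity, used by xz in some cases". These name two different system calls, so the bullet should be checked against the linked commit and corrected to the call the sandbox actually permits; since the [Regression Potential] text relies on the change only adding permitted calls, the list of added calls should be exact. Apart from 16.04 becoming 18.04, the remaining +/- pairs differ only in indentation.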
