[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

2015-12-16 Thread Launchpad Bug Tracker
This bug was fixed in the package libseccomp - 2.2.3-2ubuntu3 --- libseccomp (2.2.3-2ubuntu3) xenial; urgency=low * debian/patches/add-x86-32bit-socket-calls.patch: add the newly connected direct socket calls. (LP: #1526358) -- Andy Whitcroft Wed, 16 Dec

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

2015-12-16 Thread Robie Basak
** Changed in: libseccomp (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1526358 Title: adding seccomp rule for socket() fails on i386

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

2015-12-16 Thread Andy Whitcroft
Running the example above the EFAULT is being generated in userspace. Looking at libseccomp it seems we have a literal copy of the system call table mapping call strings to local numbers. For 32bit the new system calls are not filled in so they will fail. Essentially libseccomp and the kernel

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

2015-12-16 Thread Martin Pitt
** Changed in: linux (Ubuntu) Status: Confirmed => Invalid ** Changed in: libseccomp (Ubuntu) Status: Triaged => In Progress ** Changed in: systemd (Ubuntu) Status: Triaged => Invalid

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

2015-12-16 Thread Andy Whitcroft
** Changed in: libseccomp (Ubuntu) Importance: Undecided => High ** Changed in: linux (Ubuntu) Importance: Undecided => Medium ** Changed in: linux (Ubuntu) Assignee: (unassigned) => Andy Whitcroft (apw) ** Changed in: libseccomp (Ubuntu) Assignee: (unassigned) => Andy Whitcroft

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

2015-12-16 Thread Martin Pitt
https://github.com/seccomp/libseccomp/pull/22 Thanks Andy! ** Changed in: libseccomp (Ubuntu) Importance: High => Undecided ** Changed in: libseccomp (Ubuntu) Status: In Progress => Fix Committed ** Changed in: libseccomp (Ubuntu) Assignee: Andy Whitcroft (apw) => (unassigned)

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

2015-12-16 Thread Martin Pitt
Forgot to attach the simplified file.. ** Attachment added: "simpler standalone reproducer C file" https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1526358/+attachment/4535518/+files/seccomp-socket-filter.c

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

2015-12-16 Thread Martin Pitt
This isn't specific to netlink. I removed the two rules from the seccomp filter and simplified it to just generally block socket(). I also simplified adding the arches so that only the non-native arch is added, not the native one. Note that adding the socket() filter *does* work on both arches if

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

2015-12-16 Thread Andy Whitcroft
So in the commit below we switched how the socket family of calls are exposed at the syscall level (which was a 4.3-rc1 change): commit 9dea5dc921b5f4045a18c63eb92e84dc274d17eb Author: Andy Lutomirski Date: Tue Jul 14 15:24:24 2015 -0700 x86/entry/syscalls: Wire up

[Bug 1526358] Re: adding seccomp rule for socket() fails on i386 since kernel 4.3

2015-12-16 Thread Martin Pitt
Notified systemd upstream in https://github.com/systemd/systemd/issues/2177 .