Hi Seth,
thanks for your thoughts!

Splitting my answers per Release:

== Cosmic ==

For cosmic it needs no FFe IMHO, as it already has the Blacklist variant and 
has been using it for quite a while. We only extend it to the threads that were missing 
- in that scope it is only a bug fix.
- There the fix is ready and now also tested in various combinations

stage0-prep-cosmic-CVE-seccomp-run1-x86_64.status           : Pass    4 Failed    0 Skip    0 + 0    - RC 0    in 12 minutes
stage1-migrate-cosmic-CVE-seccomp-run1-x86_64.status        : Pass  276 Failed    0 Skip    0 + 0    - RC 0    in 62 minutes
stage2-cross-cosmic-CVE-seccomp-run1-x86_64.status          : Pass   22 Failed    0 Skip    0 + 1    - RC 0    in 28 minutes
stage3-misc-cosmic-CVE-seccomp-run1-x86_64.status           : Pass  103 Failed    0 Skip    0 + 0    - RC 0    in 29 minutes

stage0-prep-cosmic-CVE-seccomp-run1-s390x.status            : Pass    3 Failed    0 Skip    0 + 0    - RC 0    in 44 minutes
stage1-migrate-cosmic-CVE-seccomp-run1-s390x.status         : Pass  249 Failed    2 Skip    5 + 0    - RC 2    in 531 minutes
stage2-cross-cosmic-CVE-seccomp-run1-s390x.status           : Pass   12 Failed    0 Skip    0 + 0    - RC 0    in 178 minutes
stage3-misc-cosmic-CVE-seccomp-run1-s390x.status            : Pass   67 Failed    0 Skip    0 + 0    - RC 0    in 95 minutes

stage0-prep-cosmic-CVE-seccomp-run1-ppc64le.status          : Pass    2 Failed    0 Skip    0 + 0    - RC 0    in 47 minutes
stage1-migrate-cosmic-CVE-seccomp-run1-ppc64le.status       : Pass  276 Failed    0 Skip    0 + 0    - RC 0    in 101 minutes
stage2-cross-cosmic-CVE-seccomp-run1-ppc64le.status         : Pass    4 Failed    0 Skip    0 + 0    - RC 0    in 8 minutes
stage3-misc-cosmic-CVE-seccomp-run1-ppc64le.status          : Pass   48 Failed    0 Skip    1 + 0    - RC 0    in 20 minutes

The only two fails we see existed before.
Given that all of this looks good and we were using it already, I'll push that for 
Cosmic.


== Bionic == 
Bionic is different as I outlined and you also emphasized further.

First of all I'd NOT want to turn on blacklist filtering by default at
all there.

But OTOH, not being used by default means the few that use it are
those that want to rely on its function. So they would most likely want
the fix to be in?

Bionic at least using the blacklist approach already makes this safer than in 
older releases.
So for Bionic I'd agree to the "prep something and cajole people that are using 
it already for testing of their cases".
I'll make a PPA ready for that.

The fact that not all kernels log seccomp denials is what makes me feel
unsure. That would really be hard to debug.

Whether we want to go further than this PPA and actually push something into 
Bionic depends on
a) positive test feedback
b) feedback at all that the feature is used
c) your security severity estimation (if that is needed) being high enough

If not a+b+c, then I'd keep Bionic untouched.
Would you be able to "cajole the people" once I have a PPA to try?


== Xenial/Trusty ==
Still using the whitelist approach, plus the risk due to the obvious backport noise 
and older kernels behaving differently, makes this too much of a risk IMHO.
So I'd rate these Won't Fix unless your severity estimation implies it is 
needed.
Again there the feature won't be used by default, and being rather new at the 
time it might not be used anywhere.
I'll update the bug task status - please feel free to override if your rating 
forces us to deliver something there.

** Changed in: qemu (Ubuntu Trusty)
       Status: New => Won't Fix

** Changed in: qemu (Ubuntu Xenial)
       Status: New => Won't Fix

** Changed in: qemu (Ubuntu Bionic)
     Assignee:  Christian Ehrhardt  (paelzer) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1789551

Title:
  qemu: CVE-2018-15746: seccomp: blacklist is not applied to all threads

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1789551/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs