** Description changed:

- Placeholder to start preparing SRU for
- https://github.com/snapcore/core20/issues/48
+ [Impact]
+ 
+ snap-confine from snapd uses libseccomp to filter various system calls
+ for confinement. The current version in eoan/bionic/xenial (2.4.1) is
+ missing knowledge of various system calls for various architectures. As
+ such, this causes strange issues like python snaps segfaulting
+ (https://github.com/snapcore/core20/issues/48) or the inadvertent denial
+ of system calls which should be permitted by the base policy
+ (https://forum.snapcraft.io/t/getrlimit-blocked-by-seccomp-on-focal-arm64/17237).
+ 
+ libseccomp in groovy is using the latest upstream base release (2.4.3)
+ plus it includes a patch to add some missing aarch64 system calls
+ (https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1877633).
+ 
+ SRUing this version back to older stable releases allows libseccomp to
+ operate correctly on all supported architectures.
+ 
+ [Test Case]
+ 
+ libseccomp includes a significant unit test suite that is run during the
+ build and as part of autopkgtests. To verify that the new aarch64 system
+ calls are resolved as expected, the scmp_sys_resolver command can be used
+ as well:
+ 
+ $ scmp_sys_resolver -a aarch64 getrlimit
+ 163
+ 
+ (whereas in the current version in focal this returns -10180, as
+ libseccomp was not aware of this system call at compile time).
+ 
+ As part of this SRU, the test suite in libseccomp has been patched to
+ include a local copy of the architecture-specific kernel headers from
+ the 5.4 kernel in focal *for all releases*, so that all system calls
+ which are defined for the 5.4 kernel are known about *for the libseccomp
+ test suite*. This allows all unit tests to pass on older releases as
+ well and defaults the build to fail on unit test failures (whereas
+ currently in xenial this has been overridden to ignore failures).
+ 
+ [Regression Potential]
+ 
+ This has a low regression potential due to significant testing with many
+ packages that depend on libseccomp (lxc, qemu, snapd, apt, man, etc.) and
+ none have shown any regression using this new version.
+ 
+ Any possible regressions may include applications now seeing correct
+ system call resolution whereas previously this would have failed, and so
+ perhaps previous failures (which were erroneous) will now be permitted.
+ However, this was always permitted previously by the policy anyway but
+ just denied due to this bug, so it is not a true regression as such.

** Patch added: "Update for groovy solely to add the test suite change to be in-line with older releases"
   https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1876055/+attachment/5374692/+files/libseccomp_2.4.3-1ubuntu3.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1876055

Title:
  SRU: Backport 2.4.3-1ubuntu2 from groovy to focal/eoan/bionic/xenial
  for newer syscalls for core20 base

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1876055/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
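The [Test Case] above checks a single syscall by hand with scmp_sys_resolver. The script below is an added example (editor's code, not part of the bug report, the SRU or the libseccomp package) that turns that check into a per-architecture sweep: it runs scmp_sys_resolver for a list of syscall names and classifies each printed number. A non-negative number is the real syscall number for that architecture; -1 means libseccomp does not know the name at all; any other negative value is one of libseccomp's pseudo syscall numbers (the -10180 case for getrlimit on aarch64 in the description), meaning the name is known but libseccomp had no number for it on that architecture at compile time, which is exactly the state in which a rule that should permit the call is not installed and a default-deny filter rejects it. The syscall list and the helper names are assumptions chosen for illustration; on Ubuntu the scmp_sys_resolver tool comes from the seccomp binary package.

```shell
#!/bin/sh
# Added example (editor's code, not from the bug report or libseccomp):
# sweep a list of syscall names through scmp_sys_resolver for one
# architecture and flag anything that does not resolve to a real number.

# Classify one number printed by scmp_sys_resolver:
#   >= 0   resolved        real syscall number on that architecture
#   -1     unknown         libseccomp has no entry for that name at all
#   < -1   missing-for-arch libseccomp pseudo syscall number (__PNR_*):
#                          name known, no number on this arch at compile
#                          time, so a permit rule for it cannot be applied
classify_resolution() {
    case "$1" in
        -1)          echo unknown ;;
        -[0-9]*)     echo missing-for-arch ;;
        ''|*[!0-9]*) echo parse-error ;;      # empty or non-numeric output
        *)           echo resolved ;;
    esac
}

# check_arch_syscalls ARCH NAME...
# Prints "<arch> <name> <number> <classification>" per syscall.
# Returns 0 if every name resolved, 1 if any did not, 2 if the tool is absent.
check_arch_syscalls() {
    arch=$1; shift
    command -v scmp_sys_resolver >/dev/null 2>&1 || {
        echo "scmp_sys_resolver not installed (Ubuntu package: seccomp)" >&2
        return 2
    }
    rc=0
    for name in "$@"; do
        num=$(scmp_sys_resolver -a "$arch" "$name" 2>/dev/null)
        kind=$(classify_resolution "$num")
        printf '%s %s %s %s\n' "$arch" "$name" "${num:-?}" "$kind"
        [ "$kind" = resolved ] || rc=1
    done
    return $rc
}

# Usage: sh check_syscalls.sh aarch64 getrlimit openat fstat
# (the list is an assumption; use the calls your own seccomp policy names).
if [ "$#" -gt 0 ]; then
    check_arch_syscalls "$@"
fi
```

Run it once against the libseccomp you are about to ship and once against the old one; on a 2.4.1 build the getrlimit line for aarch64 comes back as missing-for-arch, on the SRU'd build as resolved with 163, matching the manual check in the description. The classification is the useful part: a negative pseudo number is not an error from the tool, so a plain "did it print something" check would miss exactly the bug this SRU fixes.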
