Friday 10 June 2016

libseccomp 2.3.1 uses negative (pseudo) syscall numbers by default

Hello,

New libseccomp is in yakkety proposed. There is a change, on some
architectures, w.r.t. canonical representation of syscall
numbers.....

There are normal syscall numbers and multiplexed ones. And some are
exposed as both - direct numbers and negative pseudo syscall numbers.
All filtering should remain in place for both direct and pseudo
numbers.

But I had to adjust our autopkgtests for this, and I'm wondering if
there are any other pieces of software to fix as a result of this
upstream change on some architectures (e.g. lxc, apparmor, click,
snapd, juju, etc....)

on i386:

# scmp_sys_resolver 373
shutdown
# scmp_sys_resolver shutdown
-113
# scmp_sys_resolver -- -113
shutdown

Other affected syscalls on i386 are:
337 recvmmsg -119
345 sendmmsg -120
359 socket -101
360 socketpair -108
361 bind -102
362 connect -103
363 listen -104
364 accept4 -118
365 getsockopt -115
366 setsockopt -114
367 getsockname -106
368 getpeername -107
369 sendto -111
370 sendmsg -116
371 recvfrom -112
372 recvmsg -117
373 shutdown -113

And there is a similar set on s390x.

This is currently in yakkety proposed, blocked from migration with a
block-proposed tag on the bug
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1580558

If there are regressions anywhere due to this, please comment on the
bug report. I hope that lxc / apparmor / click / snapd / juju / etc
are all fine with these changes.

--
Regards,

Dimitri.
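
Added example, not part of the original message and not libseccomp code: a self-contained C check, for i386 only, that treats a direct number and its pseudo number from the list above as the same syscall, so a test that recorded direct numbers can tell a representation change from a real difference. The helper names and the fixture values are hypothetical; the number pairs are copied from the message.

```c
#include <stddef.h>
#include <stdio.h>

/* i386 pairs copied from the message: direct number, name, pseudo number. */
static const struct { int direct; const char *name; int pseudo; } i386_pairs[] = {
    {337, "recvmmsg", -119},    {345, "sendmmsg", -120},
    {359, "socket", -101},      {360, "socketpair", -108},
    {361, "bind", -102},        {362, "connect", -103},
    {363, "listen", -104},      {364, "accept4", -118},
    {365, "getsockopt", -115},  {366, "setsockopt", -114},
    {367, "getsockname", -106}, {368, "getpeername", -107},
    {369, "sendto", -111},      {370, "sendmsg", -116},
    {371, "recvfrom", -112},    {372, "recvmsg", -117},
    {373, "shutdown", -113},
};
#define N_PAIRS (sizeof(i386_pairs) / sizeof(i386_pairs[0]))

/* Hypothetical helper: map either form to the pseudo number; numbers
 * outside the table are returned unchanged. */
int canonical_nr(int nr)
{
    for (size_t i = 0; i < N_PAIRS; i++)
        if (nr == i386_pairs[i].direct || nr == i386_pairs[i].pseudo)
            return i386_pairs[i].pseudo;
    return nr;
}

/* Compare recorded numbers with freshly resolved ones, position by position.
 * Returns how many differ only in representation, or -1 on a real mismatch. */
int repr_only_diffs(const int *expected, const int *resolved, size_t n)
{
    int changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (expected[i] == resolved[i])
            continue;
        if (canonical_nr(expected[i]) != canonical_nr(resolved[i]))
            return -1;
        changed++;
    }
    return changed;
}

int main(void)
{
    /* Constructed fixture: 4 is not in the list, so it has only one form. */
    int expected[] = {373, 359, 4}, resolved[] = {-113, -101, 4};
    printf("representation-only differences: %d\n",
           repr_only_diffs(expected, resolved, 3));
    return 0;
}
```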
