[Bug 1785414] [NEW] Backport seccomp sandbox fixes to 16.04

Colin Watson cjwatson at canonical.com
Sat Aug 4 19:06:45 UTC 2018


Public bug reported:

I applied several fixes to the seccomp sandbox in man-db 2.8.4, and I
think they would all be worth backporting to 16.04.  They're all corner
cases, but at least the second and third of them turned up in an
AskUbuntu post
(https://askubuntu.com/questions/1039629/setting-up-man-db-crashes-system-with-bad-system-calls)
and I had a fair amount of email responses to requests for details about
it.  Here are the details:

 * sandbox: Allow sched_setaffinity
   https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e

   It's possible to run into this if reading xz-compressed manual pages
   with (e.g.) XZ_DEFAULTS=--threads=0 set in the environment.

 * sandbox: Allow some shared memory operations
   https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=5e08ee9a4e563abedbdd2768c8bbfd96b57c1859

   Some unusual software that installs itself in /etc/ld.so.preload
   breaks man without this patch, such as the Astrill VPN.

 * sandbox: Improve ESET compatibility further
   https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=7582fb9d69a126a53ee11223b12346d38c0f333a

   This is a refinement to some previous work I did to cope with ESET
   File Security (an antivirus program that installs itself in
   /etc/ld.so.preload).

[Test Case]
The first patch can be tested by recompressing a manual page using xz and setting XZ_DEFAULTS=--threads=0 before trying to read it.  The other two require having Astrill or ESET installed; if this SRU is accepted I'll solicit feedback from people who do, although I think it would be sufficient for SRU purposes to just make sure that ordinary browsing of manual pages still works.

[Regression Potential]
This only adds more system calls to what the sandbox permits, so ensuring that man still works should be enough to catch all regressions.

** Affects: man-db (Ubuntu)
     Importance: High
     Assignee: Colin Watson (cjwatson)
         Status: Fix Released

** Affects: man-db (Ubuntu Bionic)
     Importance: High
     Assignee: Colin Watson (cjwatson)
         Status: In Progress

** Also affects: man-db (Ubuntu Bionic)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to man-db in Ubuntu.
https://bugs.launchpad.net/bugs/1785414

Title:
  Backport seccomp sandbox fixes to 16.04

Status in man-db package in Ubuntu:
  Fix Released
Status in man-db source package in Bionic:
  In Progress

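The [Test Case] for the first patch (sched_setaffinity), written out as a script with a control run so that unrelated rendering failures are not mistaken for a sandbox problem. This is an added example, not part of the bug report or of man-db; the page name `sandboxtest`, the marker string and the exit codes 1 and 77 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduces its [Test Case] for the
# sched_setaffinity fix. Page name and marker string are constructed.

# Render the constructed page from manpath $1 and check the body text arrived.
_render_marker() {
    MANPAGER=cat man -M "$1" sandboxtest 2>/dev/null |
        grep SANDBOXTESTMARKER >/dev/null
}

# Exit status: 0 = page renders with XZ_DEFAULTS=--threads=0,
# 1 = only the threaded run fails (the symptom described in the report),
# 77 = inconclusive (man or xz missing, or the control run fails).
check_xz_threads_manpage() {
    command -v man >/dev/null 2>&1 || return 77
    command -v xz >/dev/null 2>&1 || return 77
    tmp=$(mktemp -d) || return 77
    mkdir -p "$tmp/man/man1"

    # Constructed manual page, then compressed with xz as the report says.
    printf '%s\n' \
        '.TH SANDBOXTEST 1 "2018-08-04" "example" "Constructed test page"' \
        '.SH NAME' \
        'sandboxtest \- constructed page for the sandbox check' \
        '.SH DESCRIPTION' \
        'SANDBOXTESTMARKER' > "$tmp/man/man1/sandboxtest.1"
    xz "$tmp/man/man1/sandboxtest.1" || { rm -rf "$tmp"; return 77; }
    chmod -R a+rX "$tmp"   # keep it readable if man runs helpers as another user

    rc=0
    # Control: same page without XZ_DEFAULTS, to rule out unrelated failures.
    ( unset XZ_DEFAULTS; _render_marker "$tmp/man" ) || rc=77
    if [ "$rc" -eq 0 ]; then
        # Variable under test: xz started with --threads=0 inside man's sandbox.
        ( XZ_DEFAULTS=--threads=0; export XZ_DEFAULTS
          _render_marker "$tmp/man" ) || rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

status=0
check_xz_threads_manpage || status=$?
echo "check_xz_threads_manpage: $status"
```

A result of 1 on a 16.04 machine before the backport and 0 after it is the signal the SRU verification is looking for; 77 means the environment could not render the page at all.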