[Bug 1785414] Re: Backport seccomp sandbox fixes to 18.04

Thu Aug 9 20:30:06 UTC 2018

Hello Colin, or anyone else affected,

Accepted man-db into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/man-
db/2.8.3-2ubuntu0.1 in a few hours, and then in the -proposed
repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: man-db (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to man-db in Ubuntu.
https://bugs.launchpad.net/bugs/1785414

Title:
  Backport seccomp sandbox fixes to 18.04

Status in man-db package in Ubuntu:
  Fix Released
Status in man-db source package in Bionic:
  Fix Committed

Bug description:
  I applied several fixes to the seccomp sandbox in man-db 2.8.4, and I
  think they would all be worth backporting to 18.04.  They're all
  corner cases, but at least the second and third of them turned up in
  an AskUbuntu post (https://askubuntu.com/questions/1039629/setting-up-
  man-db-crashes-system-with-bad-system-calls) and I had a fair amount
  of email responses to requests for details about it.  Here are the
  details:

   * sandbox: Allow sched_setaffinity
     https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e

     It's possible to run into this if reading xz-compressed manual
  pages with (e.g.) XZ_DEFAULTS=--threads=0 set in the environment.

   * sandbox: Allow some shared memory operations
     https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=5e08ee9a4e563abedbdd2768c8bbfd96b57c1859

     Some unusual software that installs itself in /etc/ld.so.preload
  breaks man without this patch, such as the Astrill VPN.

   * sandbox: Improve ESET compatibility further
     https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=7582fb9d69a126a53ee11223b12346d38c0f333a

     This is a refinement to some previous work I did to cope with ESET
  File Security (an antivirus program that installs itself in
  /etc/ld.so.preload).

  [Test Case]
  The first patch can be tested by recompressing a manual page using xz and setting XZ_DEFAULTS=--threads=0 before trying to read it.  The other two require having Astrill or ESET installed; if this SRU is accepted I'll solicit feedback from people who do, although I think it would be sufficient for SRU purposes to just make sure that ordinary browsing of manual pages still works.

  [Regression Potential]
  This only adds more system calls to what the sandbox permits, so ensuring that man still works should be enough to catch all regressions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/man-db/+bug/1785414/+subscriptions