[Bug 1785414] Re: Backport seccomp sandbox fixes to 18.04
Bernd Wagner
1785414 at bugs.launchpad.net
Mon Sep 24 18:11:11 UTC 2018
Thanks, Colin, for providing the fixes+backport and Brian, for including
them into the repository.
I hope the following serves at least as a regression test.
[Test Cases]
1) ESET NOD32 Antivirus4 4.0.90.0 with /etc/ld.so.preload (which serves to scan files on access)
1a) man-db 2.8.3-2 and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
1b) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
1c) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution, additionally xz-utils 5.2.4 installed to /usr/local (without package)
in all cases 1x) Update of the Manual-DB e.g. by "sudo mandb -c" leads to the error messages:
...
/usr/bin/mandb: zcat < /usr/share/man/man1/lz4_decompress.1.gz: Bad system call
/usr/bin/mandb: /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE -q: Bad system call
/usr/bin/mandb: zcat: Bad system call
...
For 1b and 1c this was also tested with XZ_DEFAULTS=--threads=0.
In all cases 1x) "man mandb" formats correctly.
(Maybe that was a problem with earlier ESET versions.)
2) ESET NOD32 Antivirus4 4.0.90.0 without /etc/ld.so.preload
2a) man-db 2.8.3-2 and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
2b) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution
2c) man-db 2.8.3-2 installed from bionic-proposed and xz-utils 5.2.2-1.3 installed from stable ubuntu 18.04 distribution, additionally xz-utils 5.2.4 installed to /usr/local (without package)
all 2x) ok for man-db generation and formatting of man pages
System Architecture:
i386
Ubuntu 18.04
Kernel Linux pc2 4.15.0-33201808301234-generic #0+mediatree+hauppauge-Ubuntu SMP Thu Aug 30 19:02:06 UTC 2018 i686 i686 i686 GNU/Linu
The mandb problem doesn't occur with my 64bit Ubuntu installation,
although ESET is installed there as well!
Conclusion:
The bugfix doesn't resolve my problem, but it doesn't make things worse for me, so if it helps others...
Thanks for providing it.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to man-db in Ubuntu.
https://bugs.launchpad.net/bugs/1785414
Title:
Backport seccomp sandbox fixes to 18.04
Status in man-db package in Ubuntu:
Fix Released
Status in man-db source package in Bionic:
Fix Committed
Bug description:
I applied several fixes to the seccomp sandbox in man-db 2.8.4, and I
think they would all be worth backporting to 18.04. They're all
corner cases, but at least the second and third of them turned up in
an AskUbuntu post (https://askubuntu.com/questions/1039629/setting-up-man-db-crashes-system-with-bad-system-calls)
and I had a fair amount of email responses to requests for details about it. Here are the
details:
* sandbox: Allow sched_setaffinity
https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=8fa6fb5eca612600b3a3d8da811f8345afec102e
It's possible to run into this if reading xz-compressed manual
pages with (e.g.) XZ_DEFAULTS=--threads=0 set in the environment.
* sandbox: Allow some shared memory operations
https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=5e08ee9a4e563abedbdd2768c8bbfd96b57c1859
Some unusual software that installs itself in /etc/ld.so.preload
breaks man without this patch, such as the Astrill VPN.
* sandbox: Improve ESET compatibility further
https://git.savannah.gnu.org/cgit/man-db.git/commit/?id=7582fb9d69a126a53ee11223b12346d38c0f333a
This is a refinement to some previous work I did to cope with ESET
File Security (an antivirus program that installs itself in
/etc/ld.so.preload).
[Test Case]
The first patch can be tested by recompressing a manual page using xz and setting XZ_DEFAULTS=--threads=0 before trying to read it. The other two require having Astrill or ESET installed; if this SRU is accepted I'll solicit feedback from people who do, although I think it would be sufficient for SRU purposes to just make sure that ordinary browsing of manual pages still works.
[Regression Potential]
This only adds more system calls to what the sandbox permits, so ensuring that man still works should be enough to catch all regressions.
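The "Bad system call" messages in the test report above are what a seccomp filter produces when it kills a process with SIGSYS for a syscall outside its allowlist. The following C program is an added illustration, not man-db's own sandbox code (man-db builds its filter with libseccomp and allows far more than this): it installs a tiny seccomp-bpf allowlist in a forked child and shows the effect of the first fix, allowing sched_setaffinity. It assumes a Linux kernel that permits unprivileged seccomp filters.

```c
// Added example, not man-db's own code: a minimal seccomp-bpf allowlist in
// the style of man-db's sandbox, installed in a forked child. With
// sched_setaffinity denied the child is killed with SIGSYS ("Bad system call");
// the fix is one allowlist entry. Linux only; assumes unprivileged seccomp works.
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist entry: if the syscall number equals sc return ALLOW, else fall through. */
#define ALLOW(sc) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (sc), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Returns 1 if the sandboxed child completed sched_setaffinity(),
 * 0 if the filter killed it with SIGSYS, -1 if setup failed. */
int run_under_sandbox(int allow_affinity)
{
    unsigned long mask[16]; /* affinity bitmask, read before the filter is installed */
    if (syscall(__NR_sched_getaffinity, 0, sizeof mask, mask) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct sock_filter filter[] = {
            /* A production filter checks seccomp_data.arch before this load. */
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
            ALLOW(__NR_exit_group), ALLOW(__NR_exit),
            /* The backported fix amounts to turning this KILL into ALLOW. */
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sched_setaffinity, 0, 1),
            BPF_STMT(BPF_RET | BPF_K, allow_affinity ? SECCOMP_RET_ALLOW : SECCOMP_RET_KILL),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* default: deny */
        };
        struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(2);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) _exit(2);
        /* xz with XZ_DEFAULTS=--threads=0 ends up making this call inside the sandbox. */
        _exit(syscall(__NR_sched_setaffinity, 0, sizeof mask, mask) == 0 ? 0 : 3);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 0;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : -1;
}

int main(void) { printf("denied=%d allowed=%d\n", run_under_sandbox(0), run_under_sandbox(1)); return 0; }
```

Running it prints `denied=0 allowed=1`; the denied case is the same kernel behaviour the shell reports as "Bad system call" when mandb spawns zcat or manconv.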