[Bug 1526358] Re: xenial/i386 regression: nspawn fails with "Failed to add audit seccomp rule: Bad address"

Martin Pitt martin.pitt at ubuntu.com
Wed Dec 16 09:11:30 UTC 2015


I now isolated this seccomp failure into a tiny .c file which reproduces
this. On amd64 it works:

$ gcc -o /tmp/o ~/seccomp-socket-filter.c -lseccomp && /tmp/o
SCMP_SYS(socket) == 41 == 29
Success

and on i386 it reproduces the error:

$ gcc -o /tmp/o ~/seccomp-socket-filter.c -lseccomp && /tmp/o
SCMP_SYS(socket) == 359 == 167
seccomp_rule_add failed: Bad address

So what systemd is trying to do is to first initialize seccomp with
possible alternative architectures (running a 32 bit container on a 64 bit
host, and vice versa if you have a 64 bit kernel) and then disallow
opening socket()s to the netlink audit subsystem, as audit is broken for
containers. The gist of it is:

    #include <errno.h>
    #include <linux/netlink.h>
    #include <seccomp.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/socket.h>

    scmp_filter_ctx seccomp = seccomp_init(SCMP_ACT_ALLOW);
    seccomp_arch_add(seccomp, SCMP_ARCH_X86_64);
    int r = seccomp_rule_add(
            seccomp,
            SCMP_ACT_ERRNO(EAFNOSUPPORT),
            SCMP_SYS(socket),
            2,
            SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
            SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
    if (r < 0)  /* libseccomp returns a negative errno; "Bad address" is EFAULT */
            fprintf(stderr, "seccomp_rule_add failed: %s\n", strerror(-r));


This has worked on both arches until __NR_socket got defined on i386; before that it used the autogenerated value.

** Attachment added: "standalone reproducer C file"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1526358/+attachment/4535516/+files/seccomp-socket-filter.c

** Also affects: libseccomp (Ubuntu)
   Importance: Undecided
       Status: New

** Summary changed:

- xenial/i386 regression: nspawn fails with "Failed to add audit seccomp rule: Bad address"
+ adding seccomp rule for socket() fails on i386 since kernel 4.3

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1526358

Title:
  adding seccomp rule for socket() fails on i386 since kernel 4.3
