** Description changed:

- Currently libseccomp version in Ubuntu are:
+ [Impact]
  
- libseccomp | 2.2.3-3ubuntu3 | xenial | source
- libseccomp | 2.3.1-2ubuntu2 | yakkety | source
- libseccomp | 2.3.1-2.1ubuntu1 | zesty | source
+ out of date libseccomp w.r.t. custom and hwe kernels provides sub-par userspace protection, which is otherwise available on the running kernel and hardware combination.
+ This results in subpar security of systems running new architectures (s390x & ppc64el) and newer hwe/custom kernels.
  
- The difference between 2.2.3 and 2.3.1 is 63 upstream commits.
+ * Version 2.3.1 - April 20, 2016
+ - Fixed a problem with 32-bit x86 socket syscalls on some systems
+ - Fixed problems with ipc syscalls on 32-bit x86
+ - Fixed problems with socket and ipc syscalls on s390 and s390x
+ 
+ * Version 2.3.0 - February 29, 2016
+ - Added support for the s390 and s390x architectures
+ - Added support for the ppc, ppc64, and ppc64le architectures
+ - Update the internal syscall tables to match the Linux 4.5-rcX releases
+ - Filter generation for both multiplexed and direct socket syscalls on x86
+ - Support for the musl libc implementation
+ - Additions to the API to enable runtime version checking of the library
+ - Enable the use of seccomp() instead of prctl() on supported systems
+ - Added additional tests to the regression test suite
  
- Of those commits, 7 are already cherrypicked into xenial for s390x
- support.
+ There is no ABI/API break
  
- However that s390x support is incomplete as multiplexed syscalls are not
- supported.
+ There are no packaging changes, apart from dropping patches included in
+ this upstream release and updating new symbols.
  
- A request has been filed to support multiplexed syscalls in libseccomp
- in xenial at
- https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1679691
+ Doing wholesome update is safer and carries less risk, than individually
+ cherrypicking effectively all of the above.
  
- That is a request for further 18 commits to backport, bringing the total
- to 25.
+ This is a backport to an LTS release under the banner of safe
+ introduction of new features and new hardware support.
  
- Looking at the remaining 38 commits there are:
- - documentation updates
- - tools updates
- - tests updates
- - bugfixes
- - updates to syscall tables for linux 4.3, 4.5-rc4+
+ It is expected that container technologies will take advantage of the
+ newly available libseccomp.
  
- IMHO, in the future when libseccomp is updated to support 4.10 kernel
- syscalls, it should be backported back to xenial too, to properly support
- the HWE kernels.
+ This may need to be uploaded as a security update.
+ 
+ Currently, s390x support in xenial libseccomp is incomplete. And there
+ are v4.5+ syscall tables missing as used by hwe kernels and some custom
+ kernels.
+ 
+ [Testcase]
+ Validate that all main container technologies are operational and do not regress, e.g.:
+ - lxc
+ - lxd
+ - docker
+ - snapd
+ 
+ [Regression Potential]
+ Userspace components may detect at runtime newly available libseccomp, and thus restrict user-space processes more than previously done. This may lead to a change of restrictions applied on the user space processes, and result in previously unexpected denials / errors returned.
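The 2.3.0 changelog entry about using seccomp() instead of prctl() on supported systems, and the [Impact] point that protection depends on the running kernel and hardware combination, both come down to which seccomp entry point the kernel exposes. The following C program is an added example written for this note, not code from libseccomp or the Ubuntu package; it probes the kernel without installing any filter, relying on the documented error returns of the two entry points (the enum names and function names are this example's own).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/seccomp.h>

/* Which seccomp entry point the running kernel exposes to this process.
 * Names are this example's own, not libseccomp's. */
enum seccomp_entry {
    SECCOMP_ENTRY_NONE = 0,    /* kernel built without CONFIG_SECCOMP */
    SECCOMP_ENTRY_PRCTL = 1,   /* only prctl(PR_SET_SECCOMP) is usable */
    SECCOMP_ENTRY_SYSCALL = 2  /* seccomp(2) (Linux 3.17+) is usable too */
};

const char *seccomp_entry_name(enum seccomp_entry e)
{
    switch (e) {
    case SECCOMP_ENTRY_SYSCALL: return "seccomp(2) syscall";
    case SECCOMP_ENTRY_PRCTL:   return "prctl(PR_SET_SECCOMP) only";
    default:                    return "no seccomp support";
    }
}

/* Probe without installing a filter.  PR_GET_SECCOMP fails with EINVAL when
 * seccomp is compiled out of the kernel.  Calling seccomp(2) with a NULL
 * filter pointer fails with EFAULT on a kernel that implements the syscall
 * (the argument is validated before any mode change) and with ENOSYS on one
 * that does not, so neither call changes the calling process. */
enum seccomp_entry probe_seccomp_entry(void)
{
    errno = 0;
    if (prctl(PR_GET_SECCOMP) < 0 && errno == EINVAL)
        return SECCOMP_ENTRY_NONE;
#ifdef __NR_seccomp
    errno = 0;
    if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, NULL) < 0 &&
        errno == EFAULT)
        return SECCOMP_ENTRY_SYSCALL;
#endif
    return SECCOMP_ENTRY_PRCTL;
}

int main(void)
{
    enum seccomp_entry e = probe_seccomp_entry();
    printf("kernel seccomp entry point: %s\n", seccomp_entry_name(e));
    return 0;
}
```

A host that reports only the prctl() path (or none) is one where a newer libseccomp cannot offer more than the kernel does; a host that reports seccomp(2) with an old libseccomp is the gap this bug describes.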
https://bugs.launchpad.net/bugs/1682102

Title:
  libseccomp should support GA and HWE kernels