Is this only in hana? We can remove newfstatat for 'arm' policy?

also, if we plan to remove newfstatat for 'arm'. should we revert the CL and commit a new one or commit a new patch on top of the other CL?

I assume it's arm.  I only have a hana handy.  You can just fix it, but you should verify that the problem you intended to fix is still fixed.

newfstatat not existing isn't a bug.  some syscall ABIs implemented fstatat64.  if you're whitelisting a fstat func, you should list all the ones that are available for that ABI.

skau@, can you please provide what syscall cupstestppd in hana requires? Is it fstatat64? 

Based on http://man7.org/linux/man-pages/man2/stat.2.html

"The underlying system call employed by the glibc fstatat() wrapper
function is actually called fstatat64() or, on some architectures,
newfstatat()."

It seems that choosing which wrapper implementation is not well documented? I wonder if manijail is supposed to fail in case a syscall does not exist? In that case, we need seccomp policy for each architecture variation (board?). 

typically at the syscall level, users have to figure it out themselves.  you can run `minijail -H` on the board to get a list for a specific arch.

minijail is supposed to fall over if it's unknown.  which means you're expected to write your own for each arch.  we've had threads on ways to improve things, but that is the status quo today.

I've updated the bug description to more accurately describe the problem.

Root cause of bug:
newfstatat in the seccomp policy which doesn't exist in aarch64 causing cupstestppd to crash when launched with the designated policy.

Minimum amount of changes to fix the issue (print with component& not crash on hana):

cupsd policy:
newfstatat: 1 -> fstatat64: 1

cupstestppd policy:
lstat64: 1
fstatat64: 1

vapier@, do you suggest that we should add fstatfs/fstat/fstat64/fstatfs64/fstatat64 all to the policy since we add fstatat64?

CL: https://chromium-review.googlesource.com/c/540670/

Feel free to comment either here or in the CL. Thanks!

if the arch supports it, then adding those isn't really harmful.  you'd have to consult the actual list for each to find out :).

i guess probably it's better to keep minimum required for now to stop the policy from growing (more syscall unblocked, potentially more vulnerabilities?). I can find out the list for hana and add all variations but dont really have confidence to stop other platforms from policy compilation failure...

Actually, it's odd that you didn't break this test: https://cs.corp.google.com/chromeos_public/src/third_party/autotest/files/client/site_tests/platform_DebugDaemonCupsAddPrinters/platform_DebugDaemonCupsAddPrinters.py as it runs cupstestppd with the GenericPostScript PPD and should have caught the policy compilation failure.

Do we run this test on arm or amd64? This breakage is architecture specific. I tested my change on amd64 and it should not cause any problem.

It's not in CQ right now.  But it should run in the lab daily.  To test your change in the lab, you can follow these instructions. https://www.chromium.org/chromium-os/build/using-remote-trybots

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/55768d04164e631d13674477328c0984d9d3810a

commit 55768d04164e631d13674477328c0984d9d3810a
Author: Xiaochu Liu <xiaochu@chromium.org>
Date: Thu Jun 22 01:48:12 2017

net-print/cups: Fix seccomp policy for different archs

newfstatat does not exist on aarch64/arm which causes seccomp policy fail to load.
On hana(aarch64), it also calls lstat64

BUG= chromium:734843 
TEST=None

Change-Id: I37761589c0a2edb876990c1440aa8d8ee06a672f
Reviewed-on: https://chromium-review.googlesource.com/540670
Commit-Ready: Xiaochu Liu <xiaochu@chromium.org>
Tested-by: Xiaochu Liu <xiaochu@chromium.org>
Reviewed-by: Sean Kau <skau@chromium.org>

[modify] https://crrev.com/55768d04164e631d13674477328c0984d9d3810a/net-print/cups/files/cupstestppd-seccomp-arm.policy
[rename] https://crrev.com/55768d04164e631d13674477328c0984d9d3810a/net-print/cups/cups-2.1.4-r21.ebuild
[modify] https://crrev.com/55768d04164e631d13674477328c0984d9d3810a/net-print/cups/files/cupsd-seccomp-arm.policy