
Issue 894614

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Oct 28
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 834385




SIGSYS when running applications with seccomp.policy

Project Member Reported by yunlian@chromium.org, Oct 11

Issue description

On glibc 2.26, there is a change:
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Fri Nov 11 15:00:03 2016 -0200

    Consolidate Linux open implementation
    
    This patch consolidates the open Linux syscall implementation on
    sysdeps/unix/sysv/linux/open{64}.c.  The changes are:
    
      1. Remove open{64} from auto-generation syscalls.list.
      2. Add a new open{64}.c implementation.  For architectures that
         define __OFF_T_MATCHES_OFF64_T the default open64 will create
         alias to required open symbols.
      3. Use __NR_openat as default syscall for open{64}.

It changes __libc_open64 to call
    return SYSCALL_CANCEL (openat, AT_FDCWD, file, oflag | EXTRA_OPEN_FLAGS, mode)
instead of
    return SYSCALL_CANCEL (open, file, oflag | O_LARGEFILE, mode)

It would cause SIGSYS if we allow open while openat is not allowed.

We should allow openat if open is allowed.
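
A check for the condition described in this report, as an added example that is not part of the original issue or the Chromium OS tree: it scans seccomp policy text for files that allow open but not openat and proposes the missing rule. The policy contents and file names are constructed samples, the `syscall: expression` line format is an assumption, and the helper names are hypothetical; because openat takes dirfd as its first argument, any argument filter on open is shifted by one position.

```python
import re

# Constructed sample policies (not taken from any real repository).
# Assumed format: one "syscall: expression" rule per line, '#' starts a comment line.
SAMPLE_POLICIES = {
    "daemon-a-seccomp-amd64.policy": (
        "# constructed sample\n"
        "read: 1\n"
        "open: 1\n"
        "close: 1\n"
        "exit_group: 1\n"
    ),
    "daemon-b-seccomp-arm.policy": (
        "read: 1\n"
        "open: arg1 == O_RDONLY\n"
        "close: 1\n"
    ),
    "daemon-c-seccomp-amd64.policy": (
        "read: 1\n"
        "open: 1\n"
        "openat: 1\n"
    ),
    "daemon-d-seccomp-amd64.policy": (
        "read: 1\n"
        "write: 1\n"
    ),
}

RULE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.+?)\s*$")
ARG_RE = re.compile(r"\barg(\d)\b")


def parse_policy(text):
    """Return {syscall_name: expression} for every rule line in the policy."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules


def shift_args(expr):
    """Map an open() filter onto openat().

    open(path, flags, mode) becomes openat(dirfd, path, flags, mode),
    so every argN in the expression refers to argN+1 after the change.
    """
    return ARG_RE.sub(lambda m: "arg%d" % (int(m.group(1)) + 1), expr)


def missing_openat(text):
    """Return the openat rule to add, or None if the policy needs no change."""
    rules = parse_policy(text)
    if "open" in rules and "openat" not in rules:
        return "openat: " + shift_args(rules["open"])
    return None


def add_openat(text):
    """Return the policy text with the openat rule inserted after the open rule."""
    fix = missing_openat(text)
    if fix is None:
        return text
    out = []
    for line in text.splitlines():
        out.append(line)
        m = RULE_RE.match(line)
        if m and m.group(1) == "open":
            out.append(fix)
    return "\n".join(out) + "\n"


def audit(policies):
    """Map each policy name that would hit SIGSYS to its proposed openat rule."""
    findings = {}
    for name, text in policies.items():
        fix = missing_openat(text)
        if fix is not None:
            findings[name] = fix
    return findings


if __name__ == "__main__":
    for name, fix in sorted(audit(SAMPLE_POLICIES).items()):
        print("%s: allows open but not openat; add '%s'" % (name, fix))
```
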
 
Project Member

Comment 1 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/1d541bd77334c62728abb6d1e45eb823a326cd9a

commit 1d541bd77334c62728abb6d1e45eb823a326cd9a
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:16:44 2018

apk-cache: allow openat system call.

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=None

Change-Id: I8dfdfadcfbce03f7de8dfa00b4d05804996196df
Reviewed-on: https://chromium-review.googlesource.com/1277888
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/1d541bd77334c62728abb6d1e45eb823a326cd9a/arc/apk-cache/seccomp/apk-cache-cleaner-seccomp-amd64.policy
[modify] https://crrev.com/1d541bd77334c62728abb6d1e45eb823a326cd9a/arc/apk-cache/seccomp/apk-cache-cleaner-seccomp-arm.policy

Project Member

Comment 2 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/7a44458bf9420d9d823245aabe6745b30a91c521

commit 7a44458bf9420d9d823245aabe6745b30a91c521
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:16:41 2018

adbd: allow openat system call.

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=None

Change-Id: I337b61017d0e1f8176ed66503881faece6a68f13
Reviewed-on: https://chromium-review.googlesource.com/1277890
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/7a44458bf9420d9d823245aabe6745b30a91c521/arc/adbd/seccomp/arc-adbd-amd64.policy
[modify] https://crrev.com/7a44458bf9420d9d823245aabe6745b30a91c521/arc/adbd/seccomp/arc-adbd-arm.policy

Project Member

Comment 3 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/299eeafb38e3ad77aea878967e423ebb7d7e5792

commit 299eeafb38e3ad77aea878967e423ebb7d7e5792
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:17:07 2018

authpolicy: allow openat system call.

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=None

Change-Id: I0605f9ba76dbca24c746cbe2354ab7251281f35d
Reviewed-on: https://chromium-review.googlesource.com/1277891
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/299eeafb38e3ad77aea878967e423ebb7d7e5792/authpolicy/seccomp_filters/authpolicy_parser-seccomp.policy
[modify] https://crrev.com/299eeafb38e3ad77aea878967e423ebb7d7e5792/authpolicy/seccomp_filters/kpasswd-seccomp.policy
[modify] https://crrev.com/299eeafb38e3ad77aea878967e423ebb7d7e5792/authpolicy/seccomp_filters/klist-seccomp.policy

Project Member

Comment 4 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/b020a8d723f27f35f871105ab8f0beeb21d45130

commit b020a8d723f27f35f871105ab8f0beeb21d45130
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:16:42 2018

ippusb_manager: allow openat system call.

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=None

Change-Id: I9a525e6bed84f2e73f724ee15fa71613d9deae0a
Reviewed-on: https://chromium-review.googlesource.com/1277892
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: David Valleau <valleau@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/b020a8d723f27f35f871105ab8f0beeb21d45130/ippusb_manager/seccomp/ippusb-manager-seccomp-amd64.policy
[modify] https://crrev.com/b020a8d723f27f35f871105ab8f0beeb21d45130/ippusb_manager/seccomp/ippusb-manager-seccomp-arm.policy

Project Member

Comment 5 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/db885f10f5ebbd026238d107823fcd302863f3c1

commit db885f10f5ebbd026238d107823fcd302863f3c1
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:16:46 2018

metrics: allow openat system call for memd

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=None

Change-Id: Iea529a12c87a88d42d515e8a6ac2afefeaa20747
Reviewed-on: https://chromium-review.googlesource.com/1277893
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/db885f10f5ebbd026238d107823fcd302863f3c1/metrics/memd/init/memd-seccomp-amd64.policy
[modify] https://crrev.com/db885f10f5ebbd026238d107823fcd302863f3c1/metrics/memd/init/memd-seccomp-arm.policy

Project Member

Comment 6 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/b33a5e4c2d7ea80e0137fa3b2885f88342c70f80

commit b33a5e4c2d7ea80e0137fa3b2885f88342c70f80
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:16:52 2018

midis: allow openat system call.

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=None

Change-Id: Ic8db9d57f4ad83f4a2f35d06485d8ef1ea728c32
Reviewed-on: https://chromium-review.googlesource.com/1277894
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/b33a5e4c2d7ea80e0137fa3b2885f88342c70f80/midis/seccomp/midis-seccomp-amd64.policy
[modify] https://crrev.com/b33a5e4c2d7ea80e0137fa3b2885f88342c70f80/midis/seccomp/midis-seccomp-arm.policy

Project Member

Comment 7 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/dbca4e5478c42423154dc671a54bc0228a708fe2

commit dbca4e5478c42423154dc671a54bc0228a708fe2
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:17:01 2018

smbprovider: allow openat system call.

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=None

Change-Id: If658df6d2b63dc59bbb78b07006a5540c24e4eac
Reviewed-on: https://chromium-review.googlesource.com/1277895
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/dbca4e5478c42423154dc671a54bc0228a708fe2/smbprovider/seccomp_filters/smbprovider-seccomp-amd64.policy
[modify] https://crrev.com/dbca4e5478c42423154dc671a54bc0228a708fe2/smbprovider/seccomp_filters/smbprovider-seccomp-arm.policy

Project Member

Comment 9 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/2d965e77a773957692923925bd773af7c9daf608

commit 2d965e77a773957692923925bd773af7c9daf608
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:16:44 2018

ippusbxd: allow openat system call.

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=None

Change-Id: Iae6beb5197ff2caf7c510bf5be358a3c15163f10
Reviewed-on: https://chromium-review.googlesource.com/1278155
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: David Valleau <valleau@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/2d965e77a773957692923925bd773af7c9daf608/net-print/ippusbxd/files/ippusbxd-seccomp-arm.policy
[modify] https://crrev.com/2d965e77a773957692923925bd773af7c9daf608/net-print/ippusbxd/files/ippusbxd-seccomp-amd64.policy
[rename] https://crrev.com/2d965e77a773957692923925bd773af7c9daf608/net-print/ippusbxd/ippusbxd-1.32-r7.ebuild

Project Member

Comment 10 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/cd502605dee7e672dc549cd8d6f81be175edd1a6

commit cd502605dee7e672dc549cd8d6f81be175edd1a6
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:16:53 2018

cups: allow openat system call.

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=None

Change-Id: I4351eec6422d122dffc44dc7895cc65515b1f010
Reviewed-on: https://chromium-review.googlesource.com/1278158
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: David Valleau <valleau@chromium.org>
Reviewed-by: Sean Kau <skau@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/cd502605dee7e672dc549cd8d6f81be175edd1a6/net-print/cups/files/lpadmin-seccomp-amd64.policy
[modify] https://crrev.com/cd502605dee7e672dc549cd8d6f81be175edd1a6/net-print/cups/files/lpadmin-seccomp-x86.policy
[modify] https://crrev.com/cd502605dee7e672dc549cd8d6f81be175edd1a6/net-print/cups/files/lpadmin-seccomp-arm.policy
[rename] https://crrev.com/cd502605dee7e672dc549cd8d6f81be175edd1a6/net-print/cups/cups-2.1.4-r15.ebuild

Project Member

Comment 11 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/faee5ad9190b8773d0d01a5cf3e453ecf073410e

commit faee5ad9190b8773d0d01a5cf3e453ecf073410e
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:16:37 2018

arc-sslh-init: allow openat system call.

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=None

Change-Id: Iaccd9aa2757fac88b3697b0169f1472d6a36a800
Reviewed-on: https://chromium-review.googlesource.com/1278161
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/faee5ad9190b8773d0d01a5cf3e453ecf073410e/chromeos-base/arc-sslh-init/files/sslh-seccomp-arm.policy
[rename] https://crrev.com/faee5ad9190b8773d0d01a5cf3e453ecf073410e/chromeos-base/arc-sslh-init/arc-sslh-init-0.0.1-r9.ebuild
[modify] https://crrev.com/faee5ad9190b8773d0d01a5cf3e453ecf073410e/chromeos-base/arc-sslh-init/files/sslh-seccomp-amd64.policy

Project Member

Comment 12 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/adhd/+/8b9131b9082724a85259f1c8422480aab0fdb562

commit 8b9131b9082724a85259f1c8422480aab0fdb562
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:16:54 2018

adhd: allow openat system call.

This allows openat system because glibc 2.26 changed their system call
for open().

BUG= chromium:894614 
TEST=None

Change-Id: Icec3086a0e59b506ad31e5d9503232503be20ef1
Reviewed-on: https://chromium-review.googlesource.com/1278091
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/8b9131b9082724a85259f1c8422480aab0fdb562/seccomp/cras-seccomp-amd64.policy
[modify] https://crrev.com/8b9131b9082724a85259f1c8422480aab0fdb562/seccomp/cras-seccomp-arm.policy

Project Member

Comment 13 by bugdroid1@chromium.org, Oct 13

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/platform/arc-oemcrypto/+/d9d00dce52b0252e2ac783d9ac313cb20c6bc78f

commit d9d00dce52b0252e2ac783d9ac313cb20c6bc78f
Author: Yunlian Jiang <yunlian@google.com>
Date: Sat Oct 13 18:42:17 2018

Project Member

Comment 14 by bugdroid1@chromium.org, Oct 16

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/89107f6891b1f0ff28529899e7c52c68334d1107

commit 89107f6891b1f0ff28529899e7c52c68334d1107
Author: Yunlian Jiang <yunlian@google.com>
Date: Tue Oct 16 13:49:10 2018

metrics: add getpid and prlimit64 to seccomp for memd

This adds getpid and prlimit64 to seccomp of memd because glibc 2.27
needs to call these system calls.

BUG= chromium:894614 
TEST=no memd crashes in /var/spool/crashes with glibc 2.27

Change-Id: Ie7b48435e79bd2ad22cb1ab8ff0faa2b2b9735a6
Reviewed-on: https://chromium-review.googlesource.com/1282002
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/89107f6891b1f0ff28529899e7c52c68334d1107/metrics/memd/init/memd-seccomp-arm64.policy
[modify] https://crrev.com/89107f6891b1f0ff28529899e7c52c68334d1107/metrics/memd/init/memd-seccomp-amd64.policy

Project Member

Comment 15 by bugdroid1@chromium.org, Oct 19

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/daee9321df3788313b971b86c250afd44fb0fa79

commit daee9321df3788313b971b86c250afd44fb0fa79
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 19 05:38:06 2018

attestation: allow openat system call

This allows openat system because glibc 2.26 changed their system call
for open()

BUG= chromium:894614 
TEST=no attestation crash on eve with glibc 2.27

Change-Id: I8c833906ade1d21376340dce138f87850c84a894
Reviewed-on: https://chromium-review.googlesource.com/1289452
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/daee9321df3788313b971b86c250afd44fb0fa79/attestation/server/attestationd-seccomp-arm.policy
[modify] https://crrev.com/daee9321df3788313b971b86c250afd44fb0fa79/attestation/server/attestationd-seccomp-amd64.policy
[modify] https://crrev.com/daee9321df3788313b971b86c250afd44fb0fa79/attestation/server/attestationd-seccomp-x86.policy

Project Member

Comment 16 by bugdroid1@chromium.org, Oct 19

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/c5ae85469e1b947c6081727ad41c12d9ede24805

commit c5ae85469e1b947c6081727ad41c12d9ede24805
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 19 05:38:04 2018

add openat to seccomp if open is there already.

This adds openat to a seccomp policy file if open is already there.
We need this because glibc 2.25 changed its system call for open().

BUG= chromium:894614 
TEST=None

Change-Id: I28852ccc93d7991819fb1669c2ef9fb1b46bd610
Reviewed-on: https://chromium-review.googlesource.com/1289629
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/dlcservice/seccomp/dlcservice-seccomp-arm.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/apmanager/init/apmanager-seccomp-arm.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/vm_tools/init/vm_cicerone-seccomp-arm.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/ml/seccomp/ml_service-seccomp-arm.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/apmanager/init/apmanager-seccomp-mips.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/diagnostics/init/diagnostics_processor-seccomp-arm.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/ml/seccomp/ml_service-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/bluetooth/seccomp_filters/btdispatch-seccomp-arm.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/crosdns/init/crosdns-seccomp-arm.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/bluetooth/seccomp_filters/btdispatch-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/bluetooth/seccomp_filters/newblued-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/touch_keyboard/seccomp/amd64/touch_keyboard_handler.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/bluetooth/seccomp_filters/newblued-seccomp-arm.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/arc/appfuse/seccomp/arc-appfuse-provider-seccomp-arm.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/vm_tools/init/vm_cicerone-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/apmanager/init/apmanager-seccomp-x86.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/diagnostics/init/diagnosticsd-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/apmanager/init/apmanager-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/tpm_manager/server/tpm_managerd-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/crosdns/init/crosdns-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/arc/appfuse/seccomp/arc-appfuse-provider-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/diagnostics/init/diagnostics_processor-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/dlcservice/seccomp/dlcservice-seccomp-amd64.policy
[modify] https://crrev.com/c5ae85469e1b947c6081727ad41c12d9ede24805/diagnostics/init/diagnosticsd-seccomp-arm.policy

Project Member

Comment 17 by bugdroid1@chromium.org, Oct 19

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/touch_updater/+/67d84ab0d38417ff29f9840330e96211fdb80b64

commit 67d84ab0d38417ff29f9840330e96211fdb80b64
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 19 19:19:55 2018

touch_updater: add openat to seccomp if open is there.

This adds openat to a seccomp policy file if open is already there.
We need this because glibc 2.25 changed its system call for open().

BUG= chromium:894614 
TEST=None

Change-Id: I9db2383cf297b379fb625d15c2593a62ca1bd41b
Reviewed-on: https://chromium-review.googlesource.com/1290207
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/arm/rmi4update.query.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/amd64/sisupdate.query.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/amd64/rmi4update.update.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/amd64/wdt_util.update.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/amd64/wacom_flash.query.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/amd64/wdt_util.query.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/amd64/rmi4update.query.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/arm/rmi4update.update.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/arm/wacom_flash.query.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/amd64/gdixupdate.query.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/arm/wacom_flash.update.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/amd64/gdixupdate.update.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/amd64/sisupdate.update.policy
[modify] https://crrev.com/67d84ab0d38417ff29f9840330e96211fdb80b64/policies/amd64/wacom_flash.update.policy

Project Member

Comment 18 by bugdroid1@chromium.org, Oct 19

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/ap-daemons/+/0b8bebd607442d34df83d575dd12eefbb79bcbfe

commit 0b8bebd607442d34df83d575dd12eefbb79bcbfe
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 19 22:07:50 2018

Project Member

Comment 19 by bugdroid1@chromium.org, Oct 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/50c30bf71acdd8e25738ef0de5fab44118bdce9b

commit 50c30bf71acdd8e25738ef0de5fab44118bdce9b
Author: Yunlian Jiang <yunlian@google.com>
Date: Sat Oct 20 02:24:47 2018

libqrtr: add openat to seccomp.

This adds openat to a seccomp policy file if open is already there.
We need this because glibc 2.25 changed its system call for open().

BUG= chromium:894614 
TEST=None

Change-Id: I82ee324ce30f176f7d55aa8ddcd9ff0a374f0daa
Reviewed-on: https://chromium-review.googlesource.com/1291714
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[rename] https://crrev.com/50c30bf71acdd8e25738ef0de5fab44118bdce9b/net-libs/libqrtr/libqrtr-0.0.1-r12.ebuild
[modify] https://crrev.com/50c30bf71acdd8e25738ef0de5fab44118bdce9b/net-libs/libqrtr/files/qrtr-ns-seccomp-arm.policy

Project Member

Comment 20 by bugdroid1@chromium.org, Oct 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/4a1d3017171b5fae51e6fc71199a5876b7dd7e1a

commit 4a1d3017171b5fae51e6fc71199a5876b7dd7e1a
Author: Yunlian Jiang <yunlian@google.com>
Date: Sat Oct 20 02:24:48 2018

rpcbind: add openat to seccomp.

This adds openat to a seccomp policy file if open is already there.
We need this because glibc 2.25 changed its system call for open().

BUG= chromium:894614 
TEST=None

Change-Id: Iddf5c1845af71c67e52586d44060828682c5d52a
Reviewed-on: https://chromium-review.googlesource.com/1291715
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/4a1d3017171b5fae51e6fc71199a5876b7dd7e1a/net-nds/rpcbind/files/seccomp-amd64.policy
[modify] https://crrev.com/4a1d3017171b5fae51e6fc71199a5876b7dd7e1a/net-nds/rpcbind/files/seccomp-arm.policy
[rename] https://crrev.com/4a1d3017171b5fae51e6fc71199a5876b7dd7e1a/net-nds/rpcbind/rpcbind-0.2.4-r5.ebuild

Project Member

Comment 21 by bugdroid1@chromium.org, Oct 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/logitech-updater/+/207a82b51c8d90ba1d72157a156aef1b980f738a

commit 207a82b51c8d90ba1d72157a156aef1b980f738a
Author: Yunlian Jiang <yunlian@google.com>
Date: Sat Oct 20 02:24:48 2018

add openat to seccomp.

This adds openat to a seccomp policy file if open is already there.
We need this because glibc 2.25 changed its system call for open().

BUG= chromium:894614 
TEST=None

Change-Id: Idf58c141ba873961e02b9807554ed06368ea5288
Reviewed-on: https://chromium-review.googlesource.com/1291844
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/207a82b51c8d90ba1d72157a156aef1b980f738a/seccomp/logitech-updater-seccomp-amd64.policy
[modify] https://crrev.com/207a82b51c8d90ba1d72157a156aef1b980f738a/seccomp/logitech-updater-seccomp-x86_64.policy

Project Member

Comment 22 by bugdroid1@chromium.org, Oct 20

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/vendor/fibocom-firmware/+/3940fe3293efd52c6e3fe13164d93a37d389bda5

commit 3940fe3293efd52c6e3fe13164d93a37d389bda5
Author: Yunlian Jiang <yunlian@google.com>
Date: Sat Oct 20 13:38:17 2018

Project Member

Comment 23 by bugdroid1@chromium.org, Oct 21

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/arc-camera/+/11aeff16fccbc8b203813acedc0f965976790512

commit 11aeff16fccbc8b203813acedc0f965976790512
Author: Yunlian Jiang <yunlian@google.com>
Date: Sun Oct 21 12:25:01 2018

arc-camera: add openat to seccomp

This adds openat to a seccomp policy file if open is already there.
We need this because glibc 2.25 changed its system call for open().

BUG= chromium:894614 
TEST=None

Change-Id: Ib44f87c1727029c965e50605d162c0b11877c5a6
Reviewed-on: https://chromium-review.googlesource.com/1291951
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/11aeff16fccbc8b203813acedc0f965976790512/common/cros-camera-algo-arm.policy
[modify] https://crrev.com/11aeff16fccbc8b203813acedc0f965976790512/hal_adapter/seccomp_filter/cros-camera-arm.policy
[modify] https://crrev.com/11aeff16fccbc8b203813acedc0f965976790512/common/cros-camera-algo-amd64.policy
[modify] https://crrev.com/11aeff16fccbc8b203813acedc0f965976790512/hal_adapter/seccomp_filter/cros-camera-amd64.policy

Project Member

Comment 25 by bugdroid1@chromium.org, Oct 21

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/tlsdate/+/dbc57c67851f90eebdc2c07852e1df226daa9f50

commit dbc57c67851f90eebdc2c07852e1df226daa9f50
Author: Yunlian Jiang <yunlian@google.com>
Date: Sun Oct 21 12:25:00 2018

tlsdate: add openat to seccomp

This adds openat to a seccomp policy file if open is already there.
We need this because glibc 2.25 changed its system call for open().

BUG= chromium:894614 
TEST=None

Change-Id: I9543567547a326adb2d435a9ced9e8b58d56e957
Reviewed-on: https://chromium-review.googlesource.com/1291874
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Dan Erat <derat@chromium.org>

[modify] https://crrev.com/dbc57c67851f90eebdc2c07852e1df226daa9f50/tlsdate-seccomp-x86.policy
[modify] https://crrev.com/dbc57c67851f90eebdc2c07852e1df226daa9f50/tlsdate-seccomp-amd64.policy
[modify] https://crrev.com/dbc57c67851f90eebdc2c07852e1df226daa9f50/tlsdate-seccomp-arm.policy

Project Member

Comment 26 by bugdroid1@chromium.org, Oct 21

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/platform/drivefs/+/60b5926679a0dbfd1592e698e363f47ad714df8d

commit 60b5926679a0dbfd1592e698e363f47ad714df8d
Author: Yunlian Jiang <yunlian@google.com>
Date: Sun Oct 21 20:37:59 2018

Project Member

Comment 27 by bugdroid1@chromium.org, Oct 21

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/vendor/intel-wifi-fw-dump/+/de0ceab9509c999bcecc5a19f0aecfd04daa036d

commit de0ceab9509c999bcecc5a19f0aecfd04daa036d
Author: Yunlian Jiang <yunlian@google.com>
Date: Sun Oct 21 20:38:00 2018

Project Member

Comment 28 by bugdroid1@chromium.org, Oct 25

Owner: yunlian@chromium.org
Status: Verified (was: Untriaged)
