Issue 894700
Issue metadata

Status: Verified
Owner: ----
Closed: Oct 24
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug

Blocking:
issue 834385




need to add getpid in seccomp white list

Project Member Reported by yunlian@chromium.org, Oct 12

Issue description

Upstream glibc removes the PID cache and its usage in the code, and it requires the getpid SYSCALL for some applications; we get a SIGSYS error with glibc 2.27.

How do we know that a binary needs the getpid() system call? Can we just add it to all the whitelists, or do we just add it when a crash appears?


The commit message of upstream glibc is
commit c579f48edba88380635ab98cb612030e3ed8691e
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Mon Oct 10 15:08:39 2016 -0300

    Remove cached PID/TID in clone

    This patch removes the PID cache and its usage in the current GLIBC code.  Current
    usage is mainly as a performance optimization to avoid the syscall,
    however it adds some issues:

      - The exposed clone syscall will try to set pid/tid to make the new
        thread somewhat compatible with current GLIBC assumptions.  This causes
        a set of issues with new workloads and usecases (such as BZ#17214 and
        [1]) as well as for new internal usage of clone to optimize other algorithms
        (such as clone plus CLONE_VM for posix_spawn, BZ#19957).

      - The caching complexity also added some bugs in the past [2] [3] and
        requires more effort from each port to handle such requirements (for
        both the clone and vfork implementations).

      - The caching performance gain is mainly on getpid and some specific
        code paths.  The getpid performance leverage is questionable [4],
        both in the idea of getpid being a hotspot and in the getpid
        implementation itself (if it is indeed a justifiable hotspot a
        vDSO symbol could lead to a much simpler solution).

        Other usage is mainly in unusual code paths, such as the pthread
        cancellation signal and its handling.

    For thread creation (on stack allocation) the code simplification in fact
    adds some performance gain due to no longer needing to traverse the stack cache
    and invalidate each element's pid.

    Other thread usages will require a direct getpid syscall, such as the
    cancellation/setxid signal, thread cancellation, the thread fail path (at
    create_thread), and thread signals (pthread_kill and pthread_sigqueue).
    However these are hardly usual hotspots and I think adding a syscall is
    justifiable.

    It also simplifies both the clone and vfork arch-specific implementations.
    And by reviewing each fork implementation there are some discrepancies that
    this patch also solves:

      - microblaze clone/vfork does not set/reset the pid/tid field
      - hppa uses the default vfork implementation that falls back to fork.
        Since vfork is deprecated I do not think we should bother with it.

    The patch also removes the TID caching in clone. My understanding of
    such semantics is to try to provide some pthread usage after a user program
    issues clone directly (as done by thread creation with CLONE_PARENT_SETTID
    and the pthread tid member).  However, as stated before in multiple discussion
    threads, GLIBC provides clone syscalls without further supporting all these
    semantics.


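The question the report raises (does a given policy already allow getpid, and if not, add it) can be answered mechanically against minijail policy files. The following is an added example written for this page, not code from the Chromium OS repositories or from any commit referenced in this issue. It assumes the minijail policy syntax of one "syscall: expression" rule per line, "#" starting a comment, and the expression "1" meaning an unconditional allow; the sample policy text is constructed.

```python
"""Audit and patch minijail seccomp policy files for a required syscall.

Added example, not code from the Chromium OS repositories: it models the
fix this issue applied across many policy files (append `getpid: 1`
wherever a policy has no getpid rule).  Assumed minijail policy syntax:
one `syscall: expr` rule per line, `#` starts a comment, blank lines are
ignored, and the expression `1` means "allow unconditionally".
"""
import re
import tempfile
from pathlib import Path

RULE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.+)$")

# Constructed sample: a policy written against a glibc whose cached PID
# meant getpid() never reached the kernel, so no rule was ever needed.
SAMPLE_POLICY = """\
# audio-daemon-like policy (constructed sample)
read: 1
write: 1
openat: 1
ioctl: arg1 == TCGETS || arg1 == TIOCGWINSZ
exit_group: 1
"""


def parse_policy(text):
    """Map syscall name -> filter expression for every rule in `text`."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a 'syscall: expr' rule: {raw!r}")
        rules[m.group(1)] = m.group(2).strip()
    return rules


def missing_syscalls(text, required):
    """Syscalls in `required` that have no rule at all (any expression counts)."""
    present = parse_policy(text)
    return [name for name in required if name not in present]


def ensure_allowed(text, syscall="getpid"):
    """Return (new_text, changed); append `syscall: 1` only when no rule exists.

    A rule that already filters the syscall's arguments is left untouched:
    the policy author has made a decision about that syscall.
    """
    if not missing_syscalls(text, [syscall]):
        return text, False
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{syscall}: 1\n", True


def patch_policy_tree(root, syscall="getpid"):
    """Apply ensure_allowed() to every *.policy under `root`; return changed paths."""
    changed = []
    for path in sorted(Path(root).rglob("*.policy")):
        new_text, did_change = ensure_allowed(path.read_text(), syscall)
        if did_change:
            path.write_text(new_text)
            changed.append(path)
    return changed


if __name__ == "__main__":
    print("missing from sample:", missing_syscalls(SAMPLE_POLICY, ["getpid", "read"]))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "seccomp").mkdir()
        (root / "seccomp" / "demo-seccomp-amd64.policy").write_text(SAMPLE_POLICY)
        (root / "seccomp" / "demo-seccomp-arm.policy").write_text(SAMPLE_POLICY + "getpid: 1\n")
        for p in patch_policy_tree(root):
            print("patched", p.relative_to(root))
        # A second pass changes nothing: the fix is idempotent.
        print("second pass changed:", patch_policy_tree(root))
```

Running the script patches only the amd64 sample (the arm one already carries a getpid rule) and reports nothing on the second pass, which is the behaviour a sweep across a whole tree of policy files needs so that it can be rerun safely.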
 
Components: OS>Packages
Labels: OS-Chrome
it would be nice if we only added it to the daemons that need it, but getpid is a pretty benign call that should be safe to whitelist ...
For my own education: do we have a global whitelist? I see a 'logging' whitelist that gets opted in when using minijail's automatic logging, but nothing else really.

Side note: I see minijail's tools/generate_seccomp_policy.py which looks like it's supposed to help in generating seccomp filter lists. Is that still used/maintained? A quick glance looks like it has some potentially useful (but unfortunately dead) code:

    syscall_sets = {}
    syscall_set_list = [
        ['sigreturn', 'rt_sigreturn'],
        ['sigaction', 'rt_sigaction'],
        ['sigprocmask', 'rt_sigprocmask'],
        ['open', 'openat'],
        ['mmap', 'mremap'],
        ['mmap2', 'mremap'],
    ]
...
    for syscall_list in syscall_set_list:
        for syscall in syscall_list:
            other_syscalls = syscall_list[:]
            other_syscalls.remove(syscall)
            syscall_sets[syscall] = other_syscalls


It looks like syscall_sets never gets used.
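As an added example (not the actual tools/generate_seccomp_policy.py), here is one way the syscall_sets map built by the quoted loop could be put to work: syscall names are pulled from strace output, and each observed call also whitelists its aliases from the set list, so a policy recorded on one libc or architecture does not SIGSYS when a sibling syscall is used instead. The strace excerpt is constructed, and the line shapes handled (the "[pid N]" and bare-pid prefixes of strace -f, optional -t timestamps, skipped "<... resumed>", "---" and "+++" lines) are this example's assumptions about strace output, not something the thread states.

```python
"""Generate a minijail seccomp policy from strace output, with syscall aliases.

Added example, not the real tools/generate_seccomp_policy.py.  The alias
groups are the ones quoted in the thread; how they are applied is this
example's own design.  Assumed strace format: `strace -f` output with an
optional `[pid N]` or bare-pid prefix and an optional `-t` timestamp.
"""
import re

# Alias groups copied from the quoted snippet: syscalls a libc may pick
# interchangeably depending on its version or the target architecture.
SYSCALL_SET_LIST = [
    ["sigreturn", "rt_sigreturn"],
    ["sigaction", "rt_sigaction"],
    ["sigprocmask", "rt_sigprocmask"],
    ["open", "openat"],
    ["mmap", "mremap"],
    ["mmap2", "mremap"],
]

STRACE_CALL_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s*|\d+\s+)?"        # strace -f pid prefix, either style
    r"(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?"  # strace -t / -tt timestamp
    r"([a-z_][a-z0-9_]*)\("                 # syscall name up to its '('
)

# Constructed strace -f excerpt; the pid column style varies on purpose, and
# the resumed/signal/exit lines must not be mistaken for syscall names.
STRACE_SAMPLE = """\
execve("/usr/bin/demo", ["demo"], 0x7ffd1234 /* 20 vars */) = 0
brk(NULL)                               = 0x55d0c8c9d000
[pid  4242] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242  rt_sigaction(SIGINT, {sa_handler=SIG_IGN}, NULL, 8) = 0
[pid  4243] read(3,  <unfinished ...>
getpid()                                = 4242
[pid  4243] <... read resumed>"x", 1)   = 1
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4243} ---
+++ exited with 0 +++
"""


def build_syscall_sets(set_list):
    """name -> list of aliases.  Unlike the quoted loop's plain assignment, a
    name that appears in several groups (mremap) accumulates all its aliases."""
    syscall_sets = {}
    for syscall_list in set_list:
        for syscall in syscall_list:
            others = [s for s in syscall_list if s != syscall]
            syscall_sets.setdefault(syscall, []).extend(others)
    return syscall_sets


def syscalls_from_strace(text):
    """Distinct syscall names that appear as calls in strace output."""
    seen = set()
    for line in text.splitlines():
        m = STRACE_CALL_RE.match(line)
        if m:
            seen.add(m.group(1))
    return seen


def expand_aliases(syscalls, syscall_sets):
    """Add every alias of every observed syscall to the allow set."""
    expanded = set(syscalls)
    for name in syscalls:
        expanded.update(syscall_sets.get(name, []))
    return expanded


def policy_from_strace(text, syscall_sets=None):
    """Render an allow-only minijail policy: sorted `name: 1` lines."""
    if syscall_sets is None:
        syscall_sets = build_syscall_sets(SYSCALL_SET_LIST)
    names = expand_aliases(syscalls_from_strace(text), syscall_sets)
    return "".join(f"{name}: 1\n" for name in sorted(names))


if __name__ == "__main__":
    print(policy_from_strace(STRACE_SAMPLE), end="")
```

The aliasing only covers substitutions that were anticipated in the set list. A trace records what the libc it ran under actually issued, which is the lesson of this issue: a list generated on a glibc that still cached the PID never sees getpid, and the policy has to be revisited when the libc changes.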
> do we have a global whitelist

no

> I see a 'logging' whitelist that gets opted in when using minijail's automatic logging

that's for debugging only and not meant for production

> Is tools/generate_seccomp_policy.py still used/maintained

sure, but it's only meant for helping generate a new list from an existing strace ... it's not meant for updating after one has already been created
Project Member

Comment 4 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/adhd/+/cc62bc6bac77f7ecc880b357b55332e61dd85e74

commit cc62bc6bac77f7ecc880b357b55332e61dd85e74
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 12 22:16:45 2018

adhd: add getpid to seccomp whitelist

Starting with glibc 2.26, getpid() requires a system call, so we need
to add it to the seccomp whitelist.

BUG= chromium:894700 
TEST=None

Change-Id: I7a1c436c45878fc8e21076d6df16c2db6d8fd473
Reviewed-on: https://chromium-review.googlesource.com/1278100
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/cc62bc6bac77f7ecc880b357b55332e61dd85e74/seccomp/cras-seccomp-arm64.policy
[modify] https://crrev.com/cc62bc6bac77f7ecc880b357b55332e61dd85e74/seccomp/cras-seccomp-amd64.policy
[modify] https://crrev.com/cc62bc6bac77f7ecc880b357b55332e61dd85e74/seccomp/cras-seccomp-arm.policy

Project Member

Comment 5 by bugdroid1@chromium.org, Oct 13

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/f3d9d7e5528a5f1775a7edd65d9ec2c866060600

commit f3d9d7e5528a5f1775a7edd65d9ec2c866060600
Author: Yunlian Jiang <yunlian@google.com>
Date: Sat Oct 13 18:42:16 2018

imageloader: whitelist getpid from seccomp

add getpid to seccomp whitelist

Starting with glibc 2.26, getpid() requires a system call, so we need
to add it to the seccomp whitelist.

BUG= chromium:894700 
TEST=imageloader does not crash with glibc 2.27

Change-Id: I1e6cf8f6c743ffa6b495e5eac0883b39aa5807f1
Reviewed-on: https://chromium-review.googlesource.com/1277898
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/f3d9d7e5528a5f1775a7edd65d9ec2c866060600/imageloader/seccomp/imageloader-seccomp-amd64.policy
[modify] https://crrev.com/f3d9d7e5528a5f1775a7edd65d9ec2c866060600/imageloader/seccomp/imageloader-helper-seccomp-arm.policy
[modify] https://crrev.com/f3d9d7e5528a5f1775a7edd65d9ec2c866060600/imageloader/seccomp/imageloader-helper-seccomp-x86.policy
[modify] https://crrev.com/f3d9d7e5528a5f1775a7edd65d9ec2c866060600/imageloader/seccomp/imageloader-helper-seccomp-amd64.policy
[modify] https://crrev.com/f3d9d7e5528a5f1775a7edd65d9ec2c866060600/imageloader/seccomp/imageloader-seccomp-arm.policy
[modify] https://crrev.com/f3d9d7e5528a5f1775a7edd65d9ec2c866060600/imageloader/seccomp/imageloader-seccomp-arm64.policy
[modify] https://crrev.com/f3d9d7e5528a5f1775a7edd65d9ec2c866060600/imageloader/seccomp/imageloader-seccomp-x86.policy
[modify] https://crrev.com/f3d9d7e5528a5f1775a7edd65d9ec2c866060600/imageloader/seccomp/imageloader-helper-seccomp-arm64.policy

Project Member

Comment 6 by bugdroid1@chromium.org, Oct 13

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chromeos/platform/arc-oemcrypto/+/d9d00dce52b0252e2ac783d9ac313cb20c6bc78f

commit d9d00dce52b0252e2ac783d9ac313cb20c6bc78f
Author: Yunlian Jiang <yunlian@google.com>
Date: Sat Oct 13 18:42:17 2018

Project Member

Comment 7 by bugdroid1@chromium.org, Oct 13

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/2c5f96224b2a931f3e29288401ad4e6cb7f5f968

commit 2c5f96224b2a931f3e29288401ad4e6cb7f5f968
Author: Yunlian Jiang <yunlian@google.com>
Date: Sat Oct 13 18:42:20 2018

midis: add getpid to seccomp whitelist

Starting with glibc 2.26, getpid() requires a system call, so we need
to add it to the seccomp whitelist.

BUG= chromium:894700 
TEST=midis does not crash with glibc 2.27

Change-Id: I9fd1756e1221ad5b7d86385a07c0de69ef7b05d0
Reviewed-on: https://chromium-review.googlesource.com/1277899
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/2c5f96224b2a931f3e29288401ad4e6cb7f5f968/midis/seccomp/midis-seccomp-amd64.policy
[modify] https://crrev.com/2c5f96224b2a931f3e29288401ad4e6cb7f5f968/midis/seccomp/midis-seccomp-arm.policy

Project Member

Comment 8 by bugdroid1@chromium.org, Oct 13

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/e1761f4c4052e37e90e635a093381f5b4be3e1c0

commit e1761f4c4052e37e90e635a093381f5b4be3e1c0
Author: Yunlian Jiang <yunlian@google.com>
Date: Sat Oct 13 18:42:18 2018

apk-cache: whitelist getpid from seccomp

add getpid to seccomp whitelist

Starting with glibc 2.26, getpid() requires a system call, so we need
to add it to the seccomp whitelist.

BUG= chromium:894700 
TEST=apk-cache-cleaner does not crash with glibc 2.27.

Change-Id: I3bf505922e112cc7724a5cc723d66b7cbab2b27e
Reviewed-on: https://chromium-review.googlesource.com/1279117
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/e1761f4c4052e37e90e635a093381f5b4be3e1c0/arc/apk-cache/seccomp/apk-cache-cleaner-seccomp-amd64.policy
[modify] https://crrev.com/e1761f4c4052e37e90e635a093381f5b4be3e1c0/arc/apk-cache/seccomp/apk-cache-cleaner-seccomp-arm.policy

Project Member

Comment 9 by bugdroid1@chromium.org, Oct 19

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/touch_updater/+/518246fa2de8e4156d8137f85e608d02067a6f95

commit 518246fa2de8e4156d8137f85e608d02067a6f95
Author: Yunlian Jiang <yunlian@google.com>
Date: Fri Oct 19 05:38:09 2018

touch_updater: allow getpid system call.

This allows the getpid() system call because glibc removed the PID cache
and it requires an explicit getpid() system call now.

BUG= chromium:894700 
TEST=no wacom_flash crash on eve with glibc 2.27

Change-Id: I56de32e41749a72bf72ec46058738c65641b83ed
Reviewed-on: https://chromium-review.googlesource.com/1289770
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/arm/rmi4update.query.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/amd64/sisupdate.query.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/amd64/rmi4update.update.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/amd64/wdt_util.update.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/amd64/wacom_flash.query.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/amd64/wdt_util.query.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/amd64/rmi4update.query.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/arm/rmi4update.update.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/arm/wacom_flash.query.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/amd64/gdixupdate.query.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/arm/wacom_flash.update.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/amd64/gdixupdate.update.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/amd64/sisupdate.update.policy
[modify] https://crrev.com/518246fa2de8e4156d8137f85e608d02067a6f95/policies/amd64/wacom_flash.update.policy

Project Member

Comment 10 by bugdroid1@chromium.org, Oct 22

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/92ef1b4c56b9d78a80a2d321452bd6ece03001c7

commit 92ef1b4c56b9d78a80a2d321452bd6ece03001c7
Author: Yunlian Jiang <yunlian@google.com>
Date: Mon Oct 22 20:40:07 2018

add getpid to seccomp if not added already

This adds getpid to all seccomp policy files. Starting with glibc 2.26,
getpid() requires a system call, so we need to add it to the seccomp whitelist.

BUG= 894700 
TEST=None

Change-Id: I1261c2be46dde647db3e7e91988cccb9eb85755e
Reviewed-on: https://chromium-review.googlesource.com/1292203
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/dlcservice/seccomp/dlcservice-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/shill/shims/nfqueue-seccomp-mips.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/mtpd/mtpd-seccomp-x86.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/vm_tools/init/vm_cicerone-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/mtpd/mtpd-seccomp-arm64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/ml/seccomp/ml_service-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/shill/shims/nfqueue-seccomp-arm64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/diagnostics/init/diagnostics_processor-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/authpolicy/seccomp_filters/klist-seccomp.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/smbprovider/seccomp_filters/smbprovider-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/arc/adbd/seccomp/arc-adbd-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/ml/seccomp/ml_service-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/bluetooth/seccomp_filters/btdispatch-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/authpolicy/seccomp_filters/authpolicy_parser-seccomp.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/bluetooth/seccomp_filters/btdispatch-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/authpolicy/seccomp_filters/kinit-seccomp.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/crosdns/init/crosdns-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/bluetooth/seccomp_filters/newblued-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/smbprovider/seccomp_filters/smbprovider-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/crosdns/init/crosdns-seccomp-arm64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/tpm_manager/server/tpm_managerd-seccomp-x86.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/cros-disks/avfsd-seccomp-x86.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/mtpd/mtpd-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/bluetooth/seccomp_filters/newblued-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/arc/appfuse/seccomp/arc-appfuse-provider-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/cros-disks/avfsd-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/vm_tools/init/vm_cicerone-seccomp-arm64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/shill/shims/nfqueue-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/ippusb_manager/seccomp/ippusb-manager-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/tpm_manager/server/tpm_managerd-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/vm_tools/init/vm_cicerone-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/webserver/webservd/usr/share/filters/webservd-seccomp.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/shill/shims/nfqueue-seccomp-x86.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/touch_keyboard/seccomp/amd64/touch_keyboard_handler.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/cros-disks/avfsd-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/authpolicy/seccomp_filters/smbclient-seccomp.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/tpm_manager/server/tpm_managerd-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/crosdns/init/crosdns-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/touch_firmware_calibration/seccomp/override-max-pressure-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/arc/appfuse/seccomp/arc-appfuse-provider-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/diagnostics/init/diagnostics_processor-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/authpolicy/seccomp_filters/kpasswd-seccomp.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/ippusb_manager/seccomp/ippusb-manager-seccomp-arm64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/mtpd/mtpd-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/shill/shims/nfqueue-seccomp-arm.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/touch_firmware_calibration/seccomp/override-max-pressure-seccomp-arm64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/cros-disks/avfsd-seccomp-arm64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/dlcservice/seccomp/dlcservice-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/diagnostics/init/diagnosticsd-seccomp-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/authpolicy/seccomp_filters/net_ads-seccomp.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/arc/adbd/seccomp/arc-adbd-amd64.policy
[modify] https://crrev.com/92ef1b4c56b9d78a80a2d321452bd6ece03001c7/diagnostics/init/diagnosticsd-seccomp-arm.policy

Status: Verified (was: Untriaged)
