libseccomp 2.3.1 uses negative (pseudo) syscall numbers by default
Dimitri John Ledkov
xnox at ubuntu.com
Fri Jun 10 17:32:51 UTC 2016
Hello,
New libseccomp is in yakkety proposed. There is a change, on some
architectures, w.r.t. canonical representation of syscall
numbers.....
There are normal syscall numbers and multiplexed ones. And some are
exposed as both - direct numbers and negative pseudo syscall numbers.
All filtering should remain in place for both direct and pseudo
numbers.
But I had to adjust our autopkgtests for this, and I'm wondering if
there are any other pieces of software to fix as a result of this
upstream change on some architectures (e.g. lxc, apparmor, click,
snapd, juju, etc....)
on i386:
# scmp_sys_resolver 373
shutdown
# scmp_sys_resolver shutdown
-113
# scmp_sys_resolver -- -113
shutdown
Other affected syscalls on i386 are:
337 recvmmsg -119
345 sendmmsg -120
359 socket -101
360 socketpair -108
361 bind -102
362 connect -103
363 listen -104
364 accept4 -118
365 getsockopt -115
366 setsockopt -114
367 getsockname -106
368 getpeername -107
369 sendto -111
370 sendmsg -116
371 recvfrom -112
372 recvmsg -117
373 shutdown -113
And there is a similar set on s390x.
This is currently in yakkety proposed, blocked from migration with a
block-proposed tag on the bug
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1580558
If there are regressions anywhere due to this, please comment on the
bug report. I hope that lxc / apparmor / click / snapd / juju / etc
are all fine with these changes.
--
Regards,
Dimitri.
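
Added example, not part of the original message: a Python sketch of the adjustment a test suite or filter audit needs after this change, treating the direct and pseudo numbers from the i386 list above as the same syscall. The function names are hypothetical, and the -(100 + call number) relation is an assumption inferred from the table.

```python
# Added example (not from the original message). The table is copied from the
# i386 list above: name -> (direct syscall number, negative pseudo number).
I386_SOCKET_SYSCALLS = {
    "recvmmsg": (337, -119), "sendmmsg": (345, -120), "socket": (359, -101),
    "socketpair": (360, -108), "bind": (361, -102), "connect": (362, -103),
    "listen": (363, -104), "accept4": (364, -118), "getsockopt": (365, -115),
    "setsockopt": (366, -114), "getsockname": (367, -106),
    "getpeername": (368, -107), "sendto": (369, -111), "sendmsg": (370, -116),
    "recvfrom": (371, -112), "recvmsg": (372, -117), "shutdown": (373, -113),
}
# Reverse index: either representation resolves to the same name.
_BY_NUMBER = {n: name for name, pair in I386_SOCKET_SYSCALLS.items() for n in pair}


def canonical_name(number):
    """Return the syscall name for a direct or pseudo number, else None."""
    return _BY_NUMBER.get(int(number))


def socketcall_op(pseudo):
    """Map a pseudo number to its socketcall(2) call number.

    Assumption: pseudo = -(100 + call number), which matches every row of the
    table (e.g. shutdown is call 13 and appears as -113).
    """
    if not -120 <= pseudo <= -101:
        raise ValueError("not a socketcall pseudo number: %d" % pseudo)
    return -pseudo - 100


def resolver_output_ok(name, output):
    """Test-suite check: accept either number scmp_sys_resolver may print."""
    try:
        return int(output.strip()) in I386_SOCKET_SYSCALLS[name]
    except (KeyError, ValueError):
        return False


def half_covered(filter_numbers):
    """Names for which a rule list holds only one of the two numbers."""
    present = set(filter_numbers)
    return sorted(name for name, pair in I386_SOCKET_SYSCALLS.items()
                  if len(present.intersection(pair)) == 1)


if __name__ == "__main__":
    # Constructed rule list: shutdown by both numbers, socket by pseudo only.
    print(half_covered([373, -113, -101]))  # ['socket']
```

A rule list that names a syscall by only one of its two numbers is worth reviewing on i386, since the message notes that filtering is meant to hold for both.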