SEGSEGV with recent kernel and seccomp

[alkino]

When I use proot with a recent kernel (4.8.4 and above) I got a segv.
When I disable SECCOMP with PROOT_NO_SECCOMP=1 it works.

I dig a little but I don't know seccomp at all.

[alkino]

Has been fixed by: openmole@10119a1
@vincenthage: can we have some explanations on your investigations?

[jopasserat]

We did a bit of digging to find it with @romainreuillon but the manpage helped:

If fork(2) or clone(2) is allowed by the filter, any child processes will be constrained to the same system call filters as the parent. If execve(2) is allowed, the existing filters will be preserved across a call to execve(2).

This seems to work as filters that can't be unset when set. Setting one to 0 disables the filter and enables children processes to actually capture the event.

We're not experts in low-level stuff unfortunately so don't take our word for granted.

Our fork was mainly to integrate the work @vincenthage did over the summer to provide Docker-like networking extensions in CARE archives used in @openmole.

Would be great to team up on maintaining / pushing PRoot / CARE further if @cedric-vincent is not able to do it anymore. What do you think @alkino?

[alkino]

I think we can fork it, yeah. Any advice @ivoire or @cedric-vincent?

[cedric-vincent]

@alkino, @jopasserat, @vincenthage, you should have received an invitation to be owner of the "proot-me" organisation on Github. Feel free to maintain PRoot (and/or your work related to) here, if you wish.

I would be glad if you maintain this project,
Cédric.

[cedric-vincent]

Regarding this issue, maybe this could help:

We support Linux 4.8 kernels. This was a significant amount of work because in 4.8,
PTRACE_SYSCALL notifications moved to being delivered before seccomp notifications
instead of afterward. (It's a good change, though, because as well as fixing a security hole,
it also improves rr recording performance; the number of ptrace notifications for each
ptrace-recorded syscall decreases from 3 to 2.) This also uncovered a serious (to rr)
kernel bug with missing PTRACE_EVENT_EXIT notifications, which fortunately we were
able to get fixed upstream (thanks to Kees Cook).

-- http://robert.ocallahan.org/2016/10/rr-440-released.html

[cedric-vincent]

I also sent an invitation to @meefik.

[alkino]

Thank you @cedric-vincent for your trust.

[jopasserat]

Thanks for everything around PRoot @cedric-vincent and for trusting us.

Would you have any document that could be useful for us? Usage stats? Users/devs we could get in touch with?

[Gnurou]

Just wanted to say thanks a lot for the PROOT_NO_SECCOMP=1 hint. I have been wondering why proot suddently stopped working for the last hour!

Looking forward to seeing further releases under the new maintainership!

[jopasserat]

Glad it helped @Gnurou. Please note though that early performance tests we've been running suggest a significant performance drop when disabling Seccomp (something like 4 times as slow on a IO heavy application).

So we need to find an actual solution to re-enable seccomp in the future. #helpwanted ;)

[IceflowRE]

I tried the proot from openmole but got:

$ sudo proot -R . -q qemu-arm-static
-sh: error while loading shared libraries: libreadline.so.7: cannot open shared object file: No such file or directory

[jopasserat]

I haven't tested the qemu mode yet so it could be linked.
Do you have the same issue without the -q flag?

Also, this kind of issues might be better to report on the mailing list until they're proved to be actual bugs / missing features from the project.

[IceflowRE]

Same issue without the -q flag.
Where to find the mailing list?

[jopasserat]

https://proot-me.github.io/#support

[jorge-lip]

Hi. any news regarding #106 and the SECCOMP problem ?
Without the filtering provided by SECCOMP it gets really slow on all applications that use syscalls intensively,

[alkino]

I'm on it. Really near now I think.
Problems comes from reordering like @cedric-vincent said.

[jopasserat]

May I ask what track you're following @alkino? We've hit so many walls trying to fix that with @romainreuillon we'd be glad to understand what was the root of the problem :)

[jorge-lip]

Hi, After posting the question, I decided to look at it over the weekend and I come out with this dirty solution changing tracee/event.c which seems to work ok. Maybe can help you to find a better solution.

https://owncloud.indigo-datacloud.eu/index.php/s/yMj5yd24zY5kXIJ

I'm using proot for udocker (https://github.com/indigo-dc/udocker) a tool to run docker containers without privileges.

[alkino]

Could you do a PR, please?

[jorge-lip]

Done, fix event.c for seccomp and ptrace #115

[mirage335]

With this "fix", I still need to use "export PROOT_NO_SECCOMP=1", and further, proot does not work at all with a PREEMPT_RT kernel.

[necrophcodr]

This issue is still present on the recent versions of proot, and have been reproduced on Sabayon 17.04 Xfce AMD64.

[oxr463]

See: http://man7.org/linux/man-pages/man2/seccomp.2.html, https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html

[katakombi]

No idea if that will be helpful, but just fyi:
https://www.phoronix.com/scan.php?page=news_item&px=Linux-Syscall-Isolate-Memory

[mboisson]

Hi. This happens with the newest CentOS7 kernel.

[mboisson@build-node2 ~]$ proot --version
 _____ _____              ___
|  __ \  __ \_____  _____|   |_
|   __/     /  _  \/  _  \    _|
|__|  |__|__\_____/\_____/\____| 5.1.0

built-in accelerators: process_vm = yes, seccomp_filter = yes

Visit http://proot.me for help, bug reports, suggestions, patchs, ...
Copyright (C) 2014 STMicroelectronics, licensed under GPL v2 or later.
[mboisson@build-node2 ~]$ /cvmfs/soft.computecanada.ca/nix/var/nix/profiles/16.09/bin/proot -b /tmp:/home/mboisson/tmp bash -l
proot info: pid 3431: terminated with signal 11
[mboisson@build-node2 ~]$ uname -r
3.10.0-1127.13.1.el7.x86_64

[katakombi]

Hi. This happens with the newest CentOS7 kernel.

[mboisson@build-node2 ~]$ proot --version
 _____ _____              ___
|  __ \  __ \_____  _____|   |_
|   __/     /  _  \/  _  \    _|
|__|  |__|__\_____/\_____/\____| 5.1.0

built-in accelerators: process_vm = yes, seccomp_filter = yes

Visit http://proot.me for help, bug reports, suggestions, patchs, ...
Copyright (C) 2014 STMicroelectronics, licensed under GPL v2 or later.
[mboisson@build-node2 ~]$ /cvmfs/soft.computecanada.ca/nix/var/nix/profiles/16.09/bin/proot -b /tmp:/home/mboisson/tmp bash -l
proot info: pid 3431: terminated with signal 11
[mboisson@build-node2 ~]$ uname -r
3.10.0-1127.13.1.el7.x86_64

Hi @mboisson can you also try the recently released 5.2.0 alpha version? It solved many issues for me, however, I am running newer kernel versions.

[Apteryks]

Seems to be OK on latest commit.

[oxr463]

Agreed! I'm going to close this FINALLY!

[yuyichao]

Note that on my system (archlinux x64, armv7h and aarch64) I’m still seeing a few failures related to seccomp. In particular, the execve issued by the loader doesn’t get picked up by the enter handler and actually get sent to the kernel which resulted in a memory access error and abort of the tracee. Disabling seccomp get rid of that issue…