From: Philipp Stephani <p.stephani2@gmail.com>
To: "Basil L. Contovounesios" <contovob@tcd.ie>
Cc: 47708@debbugs.gnu.org
Subject: bug#47708: 28.0.50; SIGSYS test failure with seccomp-filter.bpf
Date: Sun, 11 Apr 2021 19:52:42 +0200
Message-ID: <CAArVCkR4vaYmY-vD1F=Esr8w2OMWpoxqbJGyXfwTXkpcgUp-7w@mail.gmail.com>
In-Reply-To: <875z0spwm6.fsf@tcd.ie>

On Sun, 11 Apr 2021 at 19:19, Basil L. Contovounesios
<contovob@tcd.ie> wrote:
>
> "Basil L. Contovounesios" <contovob@tcd.ie> writes:
>
> > Philipp Stephani <p.stephani2@gmail.com> writes:
> >
> >> Could you check which syscall exactly is failing, e.g. using
> >> journalctl -g SECCOMP -t audisp-syslog
> >> (assuming that system uses systemd and seccomp audit logging is enabled).
> >
> > After running:
> >
> >   ./src/emacs -Q -batch -seccomp test/src/emacs-resources/seccomp-filter.bpf
> >
> > the last audit in 'sudo journalctl -g SECCOMP' is:
> >
> >   Apr 11 18:08:56 tia audit[25251]: SECCOMP auid=1000 uid=1000 gid=1000
> >   ses=3 subj==unconfined pid=25251 comm="emacs"
> >   exe="/home/blc/.local/src/emacs/src/emacs" sig=31 arch=c000003e
> >   syscall=228 compat=0 ip=0x7fff7f1f7a7d code=0x80000000
> >
> > Looking up syscall 228 online points to clock_gettime, just like in the
> > GDB log I attached in my previous message.
>
> I don't know whether this is relevant, but 'man 2 seccomp' has the
> following to say about clock_gettime:
>
>   Caveats
>       There are various subtleties to consider when applying seccomp filters
>       to a program, including the following:
>
>       *  Some traditional system calls have user-space implementations in the
>          vdso(7) on many architectures.  Notable examples include
>          clock_gettime(2), gettimeofday(2), and time(2).  On such
>          architectures, seccomp filtering for these system calls will have no
>          effect.  (However, there are cases where the vdso(7) implementations
>          may fall back to invoking the true system call, in which case seccomp
>          filters would see the system call.)
>

Nice catch. I think it should be fine to allow the clock system calls.
I've now done that with commit
ea5ea09244b762008bba509d8c58bad5835fb949.
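
Decoding the audit record quoted above, as an added example that is not part of the original message or of Emacs: it resolves the syscall number, the seccomp action in code=, and whether the call is one the seccomp(2) caveat lists as vdso(7)-backed. The function name decode_seccomp_record is hypothetical, and the syscall table is a partial x86_64 table covering only time-related calls.

```python
import re

# Constructed sample: the audit record quoted in this thread, joined onto one line.
SAMPLE = ('Apr 11 18:08:56 tia audit[25251]: SECCOMP auid=1000 uid=1000 gid=1000 '
          'ses=3 subj==unconfined pid=25251 comm="emacs" '
          'exe="/home/blc/.local/src/emacs/src/emacs" sig=31 arch=c000003e '
          'syscall=228 compat=0 ip=0x7fff7f1f7a7d code=0x80000000')

AUDIT_ARCH_X86_64 = 0xC000003E
# Partial x86_64 syscall table (assumption: only the time-related calls matter here).
X86_64_SYSCALLS = {96: "gettimeofday", 201: "time", 228: "clock_gettime",
                   229: "clock_getres", 230: "clock_nanosleep"}
# Calls the seccomp(2) caveat names as having user-space vdso(7) implementations.
VDSO_BACKED = {"clock_gettime", "gettimeofday", "time"}
# Action part (upper 16 bits) of a seccomp filter return value.
SECCOMP_ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD",
                   0x00030000: "TRAP", 0x00050000: "ERRNO", 0x7FFC0000: "LOG"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_seccomp_record(line):
    """Return a dict describing one SECCOMP audit record, or None for other lines."""
    if "SECCOMP" not in line:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    arch = int(f["arch"], 16)
    nr = int(f["syscall"])
    # Syscall numbers are per-architecture, so only name them for a known arch.
    name = X86_64_SYSCALLS.get(nr) if arch == AUDIT_ARCH_X86_64 else None
    action = int(f["code"], 16) & 0xFFFF0000
    return {
        "pid": int(f["pid"]),
        "comm": f["comm"],
        "syscall_nr": nr,
        "syscall": name,
        "action": SECCOMP_ACTIONS.get(action, hex(action)),
        # True means the filter saw a call that usually stays in user space,
        # i.e. the vDSO fell back to the real system call.
        "vdso_fallback": name in VDSO_BACKED,
    }

if __name__ == "__main__":
    print(decode_seccomp_record(SAMPLE))
```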
