Bug 571128 - app-misc/pax-utils-1.1.4[seccomp]: Bad system call (scanelf) under musl
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: SpanKY
Reported: 2016-01-06 21:49 UTC by Vladimir Lushnikov
Modified: 2016-02-10 18:55 UTC (History)
Attachments
Patch to add missing writev to security.c (add-writev-syscall.patch,302 bytes, patch)
2016-02-08 19:07 UTC, Mias van Klei
Add missing syscalls according to kernel log. (add-missing-syscalls.patch,644 bytes, patch)
2016-02-08 19:21 UTC, Mias van Klei
Add missing syscalls for musl (add-writev-readv-syscall.patch,490 bytes, patch)
2016-02-10 18:12 UTC, Mias van Klei
Description Vladimir Lushnikov 2016-01-06 21:49:53 UTC
I get this when trying to emerge pax-utils-1.1.4 with USE=seccomp on a hardened-musl system (from desktop-amd64-musl-hardened-20151015 snapshot).

My kernel config has CONFIG_SECCOMP=Y and CONFIG_SECCOMP_FILTER=Y

This seems related to #558482 (but that one was for glibc not musl)

Reproducible: Always
Comment 1 Vladimir Lushnikov 2016-01-06 21:52:59 UTC
This should really be cc gentoo-musl@lists.gentoo.org as per the https://wiki.gentoo.org/wiki/Project:Hardened_musl/Bluedragon page but Bugzilla won't let me add it
Comment 2 SpanKY gentoo-dev 2016-01-16 18:33:35 UTC
build pax-utils with USE=debug and then post a log of it failing
Comment 3 Mias van Klei 2016-02-08 19:07:50 UTC
Created attachment 424992
Patch to add missing writev to security.c

The cause of the invalid syscall is writev.

Explanation: audit shows that this syscall is number 20.

audit: type=1326 audit(1454957403.169:8): auid=1000 uid=0 gid=0 ses=1 pid=1637 comm="scanelf" exe="/var/tmp/portage/app-misc/pax-utils-1.1.4/work/pax-utils-1.1.4/scanelf" sig=31 arch=c000003e syscall=20 compat=0 ip=0x7f938cc81e8c code=0x0

According to the syscall table this is writev.
By adding writev to pax_seccomp_init in security.c the invalid syscall is gone.
Comment 4 Mias van Klei 2016-02-08 19:21:10 UTC
Created attachment 424998
Add missing syscalls according to kernel log.

When checking other programs installed by pax-utils, it turns out that scanelf is not the only program suffering invalid syscalls. pspax is also affected. pspax apparently needs readv and shmctl as well (according to the logs):

audit: type=1326 audit(1454958866.200:12): auid=1000 uid=0 gid=0 ses=1 pid=5433 comm="pspax" exe="/var/tmp/portage/app-misc/pax-utils-1.1.4/work/pax-utils-1.1.4/pspax" sig=31 arch=c000003e syscall=19 compat=0 ip=0x7f428d8badcb code=0x0

audit: type=1326 audit(1454958901.306:13): auid=1000 uid=0 gid=0 ses=1 pid=5549 comm="pspax" exe="/var/tmp/portage/app-misc/pax-utils-1.1.4/work/pax-utils-1.1.4/pspax" sig=31 arch=c000003e syscall=19 compat=0 ip=0x7f36cbc18dcb code=0x0

Attached an updated patch including those syscalls as well.
Comment 5 SpanKY gentoo-dev 2016-02-08 23:29:58 UTC
(In reply to Mias van Klei from comment #4)

those logs show writev & readv, but not shmctl.  where do you see shmctl ?

remember that sig=31 is the signal, not the syscall.
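
Added example (not part of the original bug thread and not pax-utils code): decoding the seccomp audit records quoted in comments 3 and 4 while keeping the sig= and syscall= fields apart, as comment 5 points out. The function names and the short syscall table excerpt are this example's own; on x86_64 the number 31 is SIGSYS as a signal and shmctl as a syscall, so the two fields give different answers for the same digits.

```python
import re

# Excerpt of the x86_64 syscall table; extend it for other numbers you meet.
X86_64_SYSCALLS = {0: "read", 1: "write", 19: "readv", 20: "writev", 31: "shmctl"}
AUDIT_ARCH_X86_64 = 0xC000003E   # value of arch= for native 64-bit x86 calls
SIGSYS = 31                      # signal number on x86_64 Linux
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Two of the records quoted in comments 3 and 4 of this bug.
SAMPLE = [
    'audit: type=1326 audit(1454957403.169:8): auid=1000 uid=0 gid=0 ses=1 '
    'pid=1637 comm="scanelf" exe="/var/tmp/portage/app-misc/pax-utils-1.1.4/'
    'work/pax-utils-1.1.4/scanelf" sig=31 arch=c000003e syscall=20 compat=0 '
    'ip=0x7f938cc81e8c code=0x0',
    'audit: type=1326 audit(1454958866.200:12): auid=1000 uid=0 gid=0 ses=1 '
    'pid=5433 comm="pspax" exe="/var/tmp/portage/app-misc/pax-utils-1.1.4/'
    'work/pax-utils-1.1.4/pspax" sig=31 arch=c000003e syscall=19 compat=0 '
    'ip=0x7f428d8badcb code=0x0',
]

def decode(line):
    """Decode one type=1326 (seccomp) audit record; None for anything else."""
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if f.get("type") != "1326":
        return None
    if int(f["arch"], 16) != AUDIT_ARCH_X86_64:
        raise ValueError("table here only covers x86_64: arch=" + f["arch"])
    nr, sig = int(f["syscall"]), int(f["sig"])
    return {
        "comm": f["comm"],
        # sig= is the signal that was delivered, never a syscall number
        "signal": "SIGSYS" if sig == SIGSYS else str(sig),
        "syscall": X86_64_SYSCALLS.get(nr, "nr %d" % nr),
    }

def blocked_by_program(lines):
    """Map each program name to the sorted syscalls its filter rejected."""
    out = {}
    for rec in filter(None, map(decode, lines)):
        out.setdefault(rec["comm"], set()).add(rec["syscall"])
    return {comm: sorted(names) for comm, names in out.items()}

if __name__ == "__main__":
    print(blocked_by_program(SAMPLE))
```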
Comment 6 Mias van Klei 2016-02-10 18:12:33 UTC
Created attachment 425156
Add missing syscalls for musl

I looked wrong. So shmctl is not needed. I'll update the patch accordingly.
Comment 7 SpanKY gentoo-dev 2016-02-10 18:54:52 UTC
should be fixed by this:
https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=636c3d42a64a248945ca4c68f5fef605cc55f423

thanks for testing!