Bug 928137

Summary: www-client/firefox-124.0.1: [899883] Sandbox: seccomp sandbox violation: pid 899883, tid 899888, syscall 441, args 12 140694333724288 32 0 0 8.
Product: Gentoo Linux
Reporter: Michał Górny <mgorny>
Component: Current packages
Assignee: Mozilla Gentoo Team <mozilla>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugzilla.mozilla.org/show_bug.cgi?id=1889045
https://bugs.gentoo.org/show_bug.cgi?id=928664
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: www-client:firefox-124.0.1:20240329-161306.log.xz
emerge --info
patch adding epoll_pwait2 syscall to sandbox

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-03-29 16:51:57 UTC
Created attachment 889017 [details]
www-client:firefox-124.0.1:20240329-161306.log.xz

I've just built www-client/firefox for the first time, and after starting it seems to spam the console with warnings heavily:

$ firefox --profile /tmp/test
[warn] epoll_wait: Function not implemented
[899883] Sandbox: seccomp sandbox violation: pid 899883, tid 899888, syscall 441, args 12 140694333724288 32 0 0 8.
[…]

The window appears but it is largely non-functional, web pages don't load — I'm not sure if that's because something doesn't work at all, or because it's spending so many resources outputting these warnings non-stop.  In order for it to stop, I need to SIGKILL all /usr/lib64/firefox/firefox-bin processes.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-03-29 16:52:24 UTC
Created attachment 889018 [details]
emerge --info
Comment 2 Joonas Niilola gentoo-dev 2024-03-31 14:21:09 UTC
Does firefox-bin work? Anything in dmesg?
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-03-31 15:34:48 UTC
(In reply to Joonas Niilola from comment #2)
> Does firefox-bin work?

Yes, using it for a long time without issues.

> Anything in dmesg?

Nope.

I somehow suspect it's related to new syscalls in sys-libs/glibc-2.39-r2.
Comment 4 Joonas Niilola gentoo-dev 2024-04-01 13:16:27 UTC
I tried with your USE flags and CFLAGS. Firefox-124.0.1 works fine here on ~unstable with glibc-2.39-r2. Hard to say what could be the issue, but since firefox-bin works it's definitely something gentoo-related. I would try with all system* flags turned off, and if that doesn't help, might need to debug with gdb/strace.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-01 13:52:07 UTC
Thanks, I will start with that.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-01 14:25:12 UTC
For the record, the syscall in question is epoll_pwait2.
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-01 14:31:06 UTC
You were right, it was one of the system libraries.  Now I'm gonna try "bisecting" which one.
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-01 14:48:20 UTC
That said, at this point I'm quite convinced that the correct solution is to add __NR_epoll_wait2 to the cases in:

https://searchfox.org/mozilla-central/source/security/sandbox/linux/SandboxFilterUtil.h#218-224

Any clue how to proceed with that?  I suppose syscall tables in security/sandbox/chromium/sandbox/linux/system_headers need to be updated too -- FWICS chromium added __NR_epoll_pwait2 there a while ago already.
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-01 15:54:31 UTC
Confirmed that it's USE=system-libevent.  I'll work on a patch now.
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-01 17:39:00 UTC
Created attachment 889218 [details, diff]
patch adding epoll_pwait2 syscall to sandbox

Here's a quick patch that fixed the issue for me.  Note that I've added the syscall fallback to amd64/x86 but not arm*.

Technically, the cause is libevent-2.2.1 (alpha) — upstream added use of epoll_pwait2() there.
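
The failure mode discussed in this thread, as an added example that is not part of the bug report and is not Firefox's sandbox code: a minimal seccomp-BPF filter that answers syscall 441 (epoll_pwait2) with ENOSYS gives the caller the same "Function not implemented" error, and permitting the syscall in the filter clears it. The names `install_filter` and `probe_epoll_pwait2` are hypothetical, the policy is constructed for the demonstration, and a 64-bit Linux build is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/epoll.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef __NR_epoll_pwait2
#define __NR_epoll_pwait2 441 /* number taken from the violation line in this bug */
#endif

/* Constructed policy: allow == 0 models a filter that predates epoll_pwait2.
 * A production filter would also check seccomp_data.arch before the number. */
static int install_filter(int allow) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_epoll_pwait2, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, allow ? SECCOMP_RET_ALLOW : (SECCOMP_RET_ERRNO | ENOSYS)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* every other syscall */
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Forks so the filter never applies to the caller. Returns the errno the child
 * got from epoll_pwait2 (0 on success), or -1 if the setup itself failed. */
int probe_epoll_pwait2(int allow) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct epoll_event ev[32];
        struct timespec zero = { 0, 0 }; /* poll once; matches the kernel layout on 64-bit */
        int epfd = epoll_create1(0);
        if (epfd < 0 || install_filter(allow)) _exit(255);
        long r = syscall(__NR_epoll_pwait2, epfd, ev, 32, &zero, NULL, 8);
        _exit(r < 0 ? errno : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    printf("denied: errno %d\n", probe_epoll_pwait2(0));
    printf("allowed: errno %d\n", probe_epoll_pwait2(1));
}
```

On a kernel older than 5.11 the allowed case also reports ENOSYS, because the kernel itself lacks the syscall.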
Comment 11 Joonas Niilola gentoo-dev 2024-04-01 17:58:27 UTC
(In reply to Michał Górny from comment #8)
> 
> Any clue how to proceed with that?  I suppose syscall tables in
> security/sandbox/chromium/sandbox/linux/system_headers need to be updated
> too -- FWICS chromium added __NR_epoll_pwait2 there a while ago already.

I tried to find this but couldn't, can you give me a repo/commit for this? I'll ask upstream to update this. At least the sandbox/chromium/ part comes from chromium, I don't know the relation between that and sandbox/linux/ but I imagine they're connected. 

Thanks for the patch! I'll add it the next time I touch Firefox. Luckily this file is basically never updated so if we can't persuade upstream to update their sandbox component anytime soon, it shouldn't break for us either.
Comment 12 Joonas Niilola gentoo-dev 2024-04-01 18:01:45 UTC
(In reply to Joonas Niilola from comment #11)
> (In reply to Michał Górny from comment #8)
> > 
> > Any clue how to proceed with that?  I suppose syscall tables in
> > security/sandbox/chromium/sandbox/linux/system_headers need to be updated
> > too -- FWICS chromium added __NR_epoll_pwait2 there a while ago already.
> 
> I tried to find this but couldn't, can you give me a repo/commit for this?
> I'll ask upstream to update this. At least the sandbox/chromium/ part comes
> from chromium, I don't know the relation between that and sandbox/linux/ but
> I imagine they're connected. 
> 

...

https://github.com/chromium/chromium/commit/5e08782516d24de536e75d6bf4ff2bc87be55124

my grep-fu failed.
Comment 13 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-04-01 19:13:58 UTC
Yes, thanks!
Comment 14 Larry the Git Cow gentoo-dev 2024-04-05 10:55:30 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d6541f7a2dcf4311cb5028e2970258521c50c99

commit 6d6541f7a2dcf4311cb5028e2970258521c50c99
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2024-04-05 10:55:06 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-04-05 10:55:28 +0000

    www-client/firefox: add 124.0.2
    
    Closes: https://bugs.gentoo.org/928137
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox/Manifest               |  101 ++
 www-client/firefox/firefox-124.0.2.ebuild | 1424 +++++++++++++++++++++++++++++
 2 files changed, 1525 insertions(+)