Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/mobile: seccomp filters os.Stat and print/println/panic on amd64 Android O #24403

Closed
eliasnaur opened this issue Mar 15, 2018 · 8 comments

Comments

Projects
None yet
3 participants
@eliasnaur
Copy link
Contributor

commented Mar 15, 2018

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version devel +672729ebbd Thu Mar 15 04:18:11 2018 +0000 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What did you do?

Unpack seccomp.zip, start a 64 bit Android O emulator and then

$ cd seccomp
$ GOPATH=`pwd`:$GOPATH gomobile install -target=android/amd64 osstat
$ GOPATH=`pwd`:$GOPATH gomobile install -target=android/amd64 println

(the -target argument is to make sure the amd64 version is executed)

You may need to run go get -u golang.org/x/mobile/cmd/... and then gomobile init first.

The "osstat" app crashes with the following:

03-15 08:52:22.951  4070  4095 F libc    : Fatal signal 31 (SIGSYS), code 1 in tid 4095 (ng.todo.seccomp)
03-15 08:52:22.982  4099  4099 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-15 08:52:22.982  4099  4099 F DEBUG   : Build fingerprint: 'Android/sdk_gphone_x86_64/generic_x86_64:8.0.0/OSR1.170901.056/4497355:userdebug/dev-keys'
03-15 08:52:22.982  4099  4099 F DEBUG   : Revision: '0'
03-15 08:52:22.982  4099  4099 F DEBUG   : ABI: 'x86_64'
03-15 08:52:22.982  4099  4099 F DEBUG   : pid: 4070, tid: 4095, name: ng.todo.seccomp  >>> org.golang.todo.seccomp <<<
03-15 08:52:22.982  4099  4099 F DEBUG   : signal 31 (SIGSYS), code 1 (SYS_SECCOMP), fault addr --------
03-15 08:52:22.982  4099  4099 F DEBUG   : Cause: seccomp prevented call to disallowed x86_64 system call 0
03-15 08:52:22.982  4099  4099 F DEBUG   :     rax 0000000000000004  rbx 0000000000000000  rcx ffffffffffffffff  rdx 0000000000000000
03-15 08:52:22.982  4099  4099 F DEBUG   :     rsi 000000c00009e108  rdi 000000c0000a005c
03-15 08:52:22.982  4099  4099 F DEBUG   :     r8  0000000000000000  r9  0000000000000000  r10 0000000000000000  r11 0000000000000206
03-15 08:52:22.982  4099  4099 F DEBUG   :     r12 000000000000001a  r13 0000000000000011  r14 00007b6a1c7f0aeb  r15 0000000000000000
03-15 08:52:22.982  4099  4099 F DEBUG   :     cs  0000000000000033  ss  000000000000002b
03-15 08:52:22.982  4099  4099 F DEBUG   :     rip 00007b6a1c793090  rbp 000000c000029eb8  rsp 000000c000029e50  eflags 0000000000000206
03-15 08:52:22.983  4099  4099 F DEBUG   : 
03-15 08:52:22.983  4099  4099 F DEBUG   : backtrace:
03-15 08:52:22.983  4099  4099 F DEBUG   :     #00 pc 00000000000ec090  /data/app/org.golang.todo.seccomp-bXscMVTWmS_d-V0kAMIB7Q==/lib/x86_64/libseccomp.so (syscall.Syscall+48)
03-15 08:52:22.983  4099  4099 F DEBUG   :     #01 pc 00000000000ebb86  /data/app/org.golang.todo.seccomp-bXscMVTWmS_d-V0kAMIB7Q==/lib/x86_64/libseccomp.so (syscall.Stat+150)
03-15 08:52:22.983  4099  4099 F DEBUG   :     #02 pc 00000000000f579b  /data/app/org.golang.todo.seccomp-bXscMVTWmS_d-V0kAMIB7Q==/lib/x86_64/libseccomp.so (os.statNolog+91)
03-15 08:52:22.983  4099  4099 F DEBUG   :     #03 pc 00000000000f54dc  /data/app/org.golang.todo.seccomp-bXscMVTWmS_d-V0kAMIB7Q==/lib/x86_64/libseccomp.so (os.Stat+76)
03-15 08:52:22.983  4099  4099 F DEBUG   :     #04 pc 00000000001327d9  /data/app/org.golang.todo.seccomp-bXscMVTWmS_d-V0kAMIB7Q==/lib/x86_64/libseccomp.so (main.main.func1+57)
03-15 08:52:22.983  4099  4099 F DEBUG   :     #05 pc 00000000001313bf  /data/app/org.golang.todo.seccomp-bXscMVTWmS_d-V0kAMIB7Q==/lib/x86_64/libseccomp.so (golang.org/x/mobile/app.mainUI.func1+63)
03-15 08:52:22.983  4099  4099 F DEBUG   :     #06 pc 00000000000da8a0  /data/app/org.golang.todo.seccomp-bXscMVTWmS_d-V0kAMIB7Q==/lib/x86_64/libseccomp.so (runtime.goexit)

It seems to me the "stat" syscall is blocked and have to be replaced (with fstatat?)

The "println" app crashes with:

03-15 08:54:48.531  4330  4353 F libc    : Fatal signal 31 (SIGSYS), code 1 in tid 4353 (ng.todo.println)
03-15 08:54:48.560  4356  4356 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-15 08:54:48.560  4356  4356 F DEBUG   : Build fingerprint: 'Android/sdk_gphone_x86_64/generic_x86_64:8.0.0/OSR1.170901.056/4497355:userdebug/dev-keys'
03-15 08:54:48.560  4356  4356 F DEBUG   : Revision: '0'
03-15 08:54:48.560  4356  4356 F DEBUG   : ABI: 'x86_64'
03-15 08:54:48.560  4356  4356 F DEBUG   : pid: 4330, tid: 4353, name: ng.todo.println  >>> org.golang.todo.println <<<
03-15 08:54:48.560  4356  4356 F DEBUG   : signal 31 (SIGSYS), code 1 (SYS_SECCOMP), fault addr --------
03-15 08:54:48.560  4356  4356 F DEBUG   : Cause: seccomp prevented call to disallowed x86_64 system call 0
03-15 08:54:48.560  4356  4356 F DEBUG   :     rax 0000000000000015  rbx 0000000000000000  rcx ffffffffffffffff  rdx 0000000000000000
03-15 08:54:48.560  4356  4356 F DEBUG   :     rsi 0000000000000002  rdi 00007b6a1c9b9b90
03-15 08:54:48.560  4356  4356 F DEBUG   :     r8  0000000000000003  r9  00007b6a1c8d78fb  r10 000000c0000621c0  r11 0000000000000206
03-15 08:54:48.560  4356  4356 F DEBUG   :     r12 000000000000000c  r13 00000000000000ff  r14 00007b6a1c8e9b6c  r15 0000000000000000
03-15 08:54:48.560  4356  4356 F DEBUG   :     cs  0000000000000033  ss  000000000000002b
03-15 08:54:48.560  4356  4356 F DEBUG   :     rip 00007b6a1c87cf10  rbp 000000c000024f00  rsp 000000c000024eb8  eflags 0000000000000206
03-15 08:54:48.561  4356  4356 F DEBUG   : 
03-15 08:54:48.561  4356  4356 F DEBUG   : backtrace:
03-15 08:54:48.562  4356  4356 F DEBUG   :     #00 pc 00000000000daf10  /data/app/org.golang.todo.println-qgxvQhBbMBMVxtJvR8JWKQ==/lib/x86_64/libprintln.so (runtime.access+16)
03-15 08:54:48.562  4356  4356 F DEBUG   :     #01 pc 00000000000d445f  /data/app/org.golang.todo.println-qgxvQhBbMBMVxtJvR8JWKQ==/lib/x86_64/libprintln.so (runtime.writeErr+79)
03-15 08:54:48.562  4356  4356 F DEBUG   :     #02 pc 00000000000af5c4  /data/app/org.golang.todo.println-qgxvQhBbMBMVxtJvR8JWKQ==/lib/x86_64/libprintln.so (runtime.gwrite+276)
03-15 08:54:48.562  4356  4356 F DEBUG   :     #03 pc 00000000000afd6c  /data/app/org.golang.todo.println-qgxvQhBbMBMVxtJvR8JWKQ==/lib/x86_64/libprintln.so (runtime.printstring+124)
03-15 08:54:48.562  4356  4356 F DEBUG   :     #04 pc 00000000001309aa  /data/app/org.golang.todo.println-qgxvQhBbMBMVxtJvR8JWKQ==/lib/x86_64/libprintln.so (main.main.func1+58)
03-15 08:54:48.562  4356  4356 F DEBUG   :     #05 pc 000000000012f58f  /data/app/org.golang.todo.println-qgxvQhBbMBMVxtJvR8JWKQ==/lib/x86_64/libprintln.so (golang.org/x/mobile/app.mainUI.func1+63)
03-15 08:54:48.562  4356  4356 F DEBUG   :     #06 pc 00000000000d9720  /data/app/org.golang.todo.println-qgxvQhBbMBMVxtJvR8JWKQ==/lib/x86_64/libprintln.so (runtime.goexit)

The same crash happens if a panic() is being printed or if print() is called. It seems the "access" syscall is blocked and have to be replaced (by faccessat?).

The complete list of allowed syscalls is at https://android.googlesource.com/platform/bionic/+/android-4.2.2_r1.2/libc/SYSCALLS.TXT.

I checked both tests on android/386, android/arm and android/arm64 and they run without problems.

Related to #20409.

CC @aclements

@gopherbot gopherbot added this to the Unreleased milestone Mar 15, 2018

@gopherbot gopherbot added the mobile label Mar 15, 2018

@eliasnaur eliasnaur changed the title x/mobile: seccomp filters os.Stat and print/println/panic on Android O x/mobile: seccomp filters os.Stat and print/println/panic on amd64 Android O Mar 15, 2018

@eliasnaur

This comment has been minimized.

Copy link
Contributor Author

commented Mar 15, 2018

Depending on the fix, this might be 1.10.1 material.

@tklauser

This comment has been minimized.

Copy link
Member

commented Mar 15, 2018

The fstatat and faccessat syscalls were added to Linux in kernel 2.6.16 and Go requires at least 2.6.23, so I think it would be OK to use them (at least from the compatibility perspective). Also, linux/arm64 already uses fstatat to implement syscall.Stat.

/cc @ianlancetaylor @bradfitz

@gopherbot

This comment has been minimized.

Copy link

commented Mar 15, 2018

Change https://golang.org/cl/100877 mentions this issue: runtime: use Android O friendly faccessat syscall on linux/amd64

@gopherbot

This comment has been minimized.

Copy link

commented Mar 15, 2018

Change https://golang.org/cl/100878 mentions this issue: syscall: use Android O friendly fstatat syscall to implement Stat on linux/amd64

gopherbot pushed a commit that referenced this issue Mar 15, 2018

runtime: use Android O friendly faccessat syscall on linux/amd64
The Android O seccomp policy disallows the access syscall on amd64, see
https://android.googlesource.com/platform/bionic/+/android-4.2.2_r1.2/libc/SYSCALLS.TXT

Use the faccessat syscall with AT_FDCWD instead to achieve the same
behavior.

Updates #24403

Change-Id: I9db847c1c0f33987a3479b3f96e721fb9588cde2
Reviewed-on: https://go-review.googlesource.com/100877
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

@gopherbot gopherbot closed this in 1073256 Mar 15, 2018

@gopherbot

This comment has been minimized.

Copy link

commented Mar 28, 2018

Change https://golang.org/cl/102975 mentions this issue: [release-branch.go1.9] syscall: use Android O friendly fstatat syscall to implement Stat on linux/amd64

@gopherbot

This comment has been minimized.

Copy link

commented Mar 28, 2018

Change https://golang.org/cl/102976 mentions this issue: [release-branch.go1.10] syscall: use Android O friendly fstatat syscall to implement Stat on linux/amd64

@gopherbot

This comment has been minimized.

Copy link

commented Mar 28, 2018

Change https://golang.org/cl/102995 mentions this issue: [release-branch.go1.10] runtime: use Android O friendly faccessat syscall on linux/amd64

@gopherbot

This comment has been minimized.

Copy link

commented Mar 28, 2018

Change https://golang.org/cl/103195 mentions this issue: [release-branch.go1.9] runtime: use Android O friendly faccessat syscall on linux/amd64

gopherbot pushed a commit that referenced this issue Mar 29, 2018

[release-branch.go1.10] runtime: use Android O friendly faccessat sys…
…call on linux/amd64

The Android O seccomp policy disallows the access syscall on amd64, see
https://android.googlesource.com/platform/bionic/+/android-4.2.2_r1.2/libc/SYSCALLS.TXT

Use the faccessat syscall with AT_FDCWD instead to achieve the same
behavior.

Updates #24403

Change-Id: I9db847c1c0f33987a3479b3f96e721fb9588cde2
Reviewed-on: https://go-review.googlesource.com/100877
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/102995
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

gopherbot pushed a commit that referenced this issue Mar 29, 2018

[release-branch.go1.10] syscall: use Android O friendly fstatat sysca…
…ll to implement Stat on linux/amd64

The Android O seccomp policy disallows the stat syscall on amd64, see
https://android.googlesource.com/platform/bionic/+/android-4.2.2_r1.2/libc/SYSCALLS.TXT

Use the fstatat syscall with AT_FDCWD and zero flags instead to achieve
the same behavior.

Fixes #24403

Change-Id: I36fc9ec9bc938cd8e9de30f66c0eb9d2e24debf6
Reviewed-on: https://go-review.googlesource.com/100878
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Elias Naur <elias.naur@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/102976
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

@golang golang locked and limited conversation to collaborators Mar 28, 2019

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.