[abrt] firejail: iopl(): faudit killed by SIGSYS #3724

Closed
odubaj opened this issue Nov 5, 2020 · 2 comments

odubaj commented Nov 5, 2020

Firejail used: Target: Appimage

Version-Release number of selected component:
firejail-0.9.62

Additional info:
reporter: libreport-2.12.0
backtrace_rating: 4
cgroup: 0::/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service
cmdline: /usr/lib64/firejail/faudit syscall iopl
crash_function: iopl
executable: /usr/lib64/firejail/faudit
journald_cursor: s=349286f12e264b8ab9b41b7b72e0f25b;i=1a5df;b=e56abb028e2b43a6bffd3ce1716070e0;m=4d5658ed4;t=59eed73218c61;x=6ef9763ce5a9c60c
kernel: 5.4.18-200.fc31.x86_64
rootdir: /
runlevel: N 5
type: CCpp
uid: 1000

Truncated backtrace:
Thread no. 1 (2 frames)
#0 iopl at ../sysdeps/unix/syscall-template.S:78
#1 syscall_helper at syscall.c:80

coredump.zip

rusty-snake (Collaborator) commented

What firejail --audit does (manpage):

--audit
Audit the sandbox, see AUDIT section for more details.

AUDIT
Audit feature allows the user to point out gaps in security profiles. The implementation replaces the program to be sandboxed with a test program. By default, we use faudit program distributed with Firejail. A custom test program can also be supplied by the user. Examples:

Running the default audit program:
$ firejail --audit transmission-gtk

Running a custom audit program:
$ firejail --audit=~/sandbox-test transmission-gtk

In the examples above, the sandbox configures transmission-gtk profile and starts the test program. The real program, transmission-gtk, will not be started.

You can also audit a specific profile without specifying a program.
$ firejail --audit --profile=/etc/firejail/zoom.profile

Limitations: audit feature is not implemented for --x11 commands.

So firejail --audit runs faudit inside the sandbox. faudit checks whether some syscalls are blacklisted or not. Until firejail 0.9.64 a program gets killed if it violates seccomp rules; that's why faudit forks and execls, then makes the syscall and checks if the child was killed. The default rules for seccomp blacklist iopl. If you now run firejail --audit (or firejail --audit firefox, firejail --audit --profile=totem, ...) with a seccomp filter, faudit gets killed. So if /usr/lib64/firejail/faudit (or better /usr/lib64/firejail/faudit syscall <SYSCALL>) crashes/gets killed, this is usually expected behaviour. The only thing that confuses me is that you have rhbz#1804702 and rhbz#1884143 but none for other syscalls such as ioperm, pivot_root, ....

IMHO abrt should ignore faudit or at least /usr/lib64/firejail/faudit syscall <SYSCALL>. Maybe abrt should even ignore everything in a firejail sandbox or at least add a note that the crash was inside firejail. This could avoid bug searching in other programs where the sandbox is the cause.

No response from upstream in mail, creating issue on official upstream github
#3724

source. Normally it's faster to open an issue here, because around 6 people here frequently read and answer (if they can say something useful), and many more read and answer from time to time.
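
The fork-and-check approach described in the comment above, as an added C example (not faudit's source and not code from this thread). The names `probe_syscall` and `install_kill_filter` are hypothetical, the child installs its own small seccomp filter as a constructed stand-in for the Firejail sandbox, and `getppid` stands in for `iopl` so the program builds on any Linux architecture. The child is marked non-dumpable so the expected SIGSYS leaves no core dump for a crash collector to report.

```c
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

enum probe_result { PROBE_ALLOWED, PROBE_KILLED, PROBE_ERROR };

/* Constructed stand-in for the sandbox: kill the caller on syscall `nr`.
 * A production filter would also validate seccomp_data.arch. */
static int install_kill_filter(long nr)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Make syscall `nr` in a forked child and classify how the child ended.
 * blocked_nr < 0 installs no filter (probe whatever policy is inherited). */
enum probe_result probe_syscall(long nr, long blocked_nr)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        prctl(PR_SET_DUMPABLE, 0);  /* expected kill: leave no core dump */
        if (blocked_nr >= 0 && install_kill_filter(blocked_nr) != 0)
            _exit(2);               /* could not set up the filter */
        syscall(nr, 0);             /* return value is irrelevant here */
        _exit(0);                   /* survived the call */
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid)
        return PROBE_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        return PROBE_KILLED;        /* seccomp terminated the child */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? PROBE_ALLOWED : PROBE_ERROR;
}

/* Exit status 0 means the blocked syscall was killed, as an audit expects. */
int main(void) { return probe_syscall(SYS_getppid, SYS_getppid) == PROBE_KILLED ? 0 : 1; }
```
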

rusty-snake (Collaborator) commented

faudit was removed in 5c95f0f
