SIGSEGV with recent kernel and seccomp #106

Open

alkino opened this Issue Nov 3, 2016 · 23 comments

alkino commented Nov 3, 2016

When I use proot with a recent kernel (4.8.4 and above) I get a segv.
When I disable seccomp with PROOT_NO_SECCOMP=1 it works.

I dug a little, but I don't know seccomp at all.

alkino commented Nov 3, 2016

Has been fixed by: openmole@10119a1
@vincenthage: can we have some explanations on your investigations?

jopasserat commented Nov 3, 2016

We did a bit of digging to find it with @romainreuillon but the manpage helped:

If fork(2) or clone(2) is allowed by the filter, any child processes will be constrained to the same system call filters as the parent. If execve(2) is allowed, the existing filters will be preserved across a call to execve(2).

This seems to work as filters that can't be unset once set. Setting one to 0 disables the filter and enables child processes to actually capture the event.

We're not experts in low-level stuff unfortunately so don't take our word for granted.

Our fork was mainly to integrate the work @vincenthage did over the summer to provide Docker-like networking extensions in CARE archives used in @openmole.

Would be great to team up on maintaining / pushing PRoot / CARE further if @cedric-vincent is not able to do it anymore. What do you think @alkino?
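The manpage rule quoted in the comment above, shown in running code. This is an added example, not code from PRoot, CARE or anyone in this thread: it installs a small seccomp-bpf filter that refuses mkdir(2)/mkdirat(2), then checks that a forked grandchild which never called seccomp itself still gets EPERM, that an exec'd mkdir binary still runs under the filter, and that prctl(PR_SET_SECCOMP, SECCOMP_MODE_DISABLED) is rejected once a filter is in place (filters can only be stacked, never removed). It assumes Linux on x86_64, a writable /tmp and a mkdir binary in PATH; the function names, result codes and paths are the example's own. It does not exercise the SECCOMP_RET_TRACE plus ptrace combination that PRoot itself relies on, nor the 4.8 notification reordering discussed later in the thread.

```c
// Added example, not PRoot's code: what the seccomp(2) manpage text quoted
// above means in practice. A seccomp-bpf filter, once installed, is inherited
// by fork() children, survives execve() and cannot be switched off again.
// Assumes Linux on x86_64, a writable /tmp and a mkdir binary in PATH.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum { DEMO_UNAVAILABLE = -1, DEMO_NOT_ENFORCED = 0, DEMO_ENFORCED = 1 }; /* demo results */

/* Filter: mkdir(2)/mkdirat(2) fail with EPERM, everything else is allowed.
 * Returns -1 if seccomp cannot be used here (e.g. an outer sandbox forbids it). */
static int install_deny_mkdir_filter(void)
{
    struct sock_filter prog[] = {
        /* Kill on a foreign ABI rather than misread the syscall number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mkdir, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mkdirat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog fprog = { .len = (unsigned short)(sizeof prog / sizeof prog[0]), .filter = prog };
    /* An unprivileged process must set no_new_privs before it may filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Child exit codes: 1 = syscall refused, 0 = it went through, >= 100 = demo could not run. */
static int result_from_status(int st)
{
    if (!WIFEXITED(st) || WEXITSTATUS(st) >= 100) return DEMO_UNAVAILABLE;
    return WEXITSTATUS(st) == 1 ? DEMO_ENFORCED : DEMO_NOT_ENFORCED;
}

/* fork() inheritance: the grandchild never calls seccomp, yet its mkdirat(2) gets
 * EPERM (unfiltered, the bogus path would give ENOENT). The child also confirms
 * there is no way back to SECCOMP_MODE_DISABLED once a filter is in place. */
int filter_inherited_by_fork(void)
{
    int st = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_deny_mkdir_filter() != 0) _exit(100);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_DISABLED) == 0) _exit(0);
        pid_t gc = fork();
        if (gc == 0) {
            long r = syscall(SYS_mkdirat, AT_FDCWD, "/nonexistent-parent/d", 0700);
            _exit(r == -1 && errno == EPERM ? 1 : 0);
        }
        if (gc < 0 || waitpid(gc, &st, 0) != gc || !WIFEXITED(st)) _exit(100);
        _exit(WEXITSTATUS(st));
    }
    if (pid < 0 || waitpid(pid, &st, 0) != pid) return DEMO_UNAVAILABLE;
    return result_from_status(st);
}

/* execve() persistence: a freshly exec'd mkdir(1) still runs under the filter,
 * so the directory it is told to create never appears. */
int filter_survives_execve(void)
{
    char dir[] = "/tmp/seccomp-demo-XXXXXX", sub[64];
    int st = 0, result = DEMO_UNAVAILABLE;
    struct stat sb;
    if (mkdtemp(dir) == NULL) return DEMO_UNAVAILABLE;
    snprintf(sub, sizeof sub, "%s/sub", dir);
    pid_t pid = fork();
    if (pid == 0) {
        if (install_deny_mkdir_filter() != 0) _exit(100);
        execlp("mkdir", "mkdir", sub, (char *)NULL);
        _exit(101); /* mkdir binary not found */
    }
    if (pid > 0 && waitpid(pid, &st, 0) == pid && result_from_status(st) != DEMO_UNAVAILABLE)
        result = stat(sub, &sb) == 0 ? DEMO_NOT_ENFORCED : DEMO_ENFORCED;
    (void)rmdir(sub); (void)rmdir(dir);
    return result;
}

int main(void)
{
    printf("inherited by fork(): %d  survives execve(): %d\n",
           filter_inherited_by_fork(), filter_survives_execve());
    return 0;
}
```

Build with cc -o seccomp-demo seccomp-demo.c and run it as an ordinary user: both values come out as 1 on a kernel where seccomp is usable, and as -1 where the surrounding sandbox has already forbidden seccomp(2) for this process tree. The filter work always happens in a throwaway child, because a filter installed in the calling process would stay there for the rest of its life, which is exactly the property the manpage describes.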

alkino commented Nov 7, 2016

I think we can fork it, yeah. Any advice @ivoire or @cedric-vincent?

cedric-vincent commented Nov 8, 2016

@alkino, @jopasserat, @vincenthage, you should have received an invitation to be owner of the "proot-me" organisation on Github. Feel free to maintain PRoot (and/or your work related to) here, if you wish.

I would be glad if you maintain this project,
Cédric.

cedric-vincent commented Nov 8, 2016

Regarding this issue, maybe this could help:

We support Linux 4.8 kernels. This was a significant amount of work because in 4.8,
PTRACE_SYSCALL notifications moved to being delivered before seccomp notifications
instead of afterward. (It's a good change, though, because as well as fixing a security hole,
it also improves rr recording performance; the number of ptrace notifications for each
ptrace-recorded syscall decreases from 3 to 2.) This also uncovered a serious (to rr)
kernel bug with missing PTRACE_EVENT_EXIT notifications, which fortunately we were
able to get fixed upstream (thanks to Kees Cook).

-- http://robert.ocallahan.org/2016/10/rr-440-released.html

cedric-vincent commented Nov 8, 2016

I also sent an invitation to @meefik.

alkino commented Nov 8, 2016

Thank you @cedric-vincent for your trust.

jopasserat commented Nov 8, 2016

Thanks for everything around PRoot @cedric-vincent and for trusting us.

Would you have any document that could be useful for us? Usage stats? Users/devs we could get in touch with?

Gnurou commented Dec 8, 2016

Just wanted to say thanks a lot for the PROOT_NO_SECCOMP=1 hint. I have been wondering why proot suddenly stopped working for the last hour!

Looking forward to seeing further releases under the new maintainership!

jopasserat commented Dec 8, 2016

Glad it helped @Gnurou. Please note though that early performance tests we've been running suggest a significant performance drop when disabling seccomp (something like 4 times as slow on an IO-heavy application).

So we need to find an actual solution to re-enable seccomp in the future. #helpwanted ;)

IceflowRE commented Jan 7, 2017

I tried the proot from openmole but got:

$ sudo proot -R . -q qemu-arm-static
-sh: error while loading shared libraries: libreadline.so.7: cannot open shared object file: No such file or directory

jopasserat commented Jan 10, 2017

I haven't tested the qemu mode yet so it could be linked.
Do you have the same issue without the -q flag?

Also, this kind of issue might be better reported on the mailing list until it is proved to be an actual bug / missing feature of the project.

IceflowRE commented Jan 18, 2017

Same issue without the -q flag.
Where to find the mailing list?

jorge-lip commented Feb 10, 2017

Hi. Any news regarding #106 and the SECCOMP problem?
Without the filtering provided by SECCOMP it gets really slow on all applications that use syscalls intensively.

alkino commented Feb 13, 2017

I'm on it. Really near now, I think.
The problem comes from the reordering, like @cedric-vincent said.

jopasserat commented Feb 13, 2017

May I ask what track you're following @alkino? We've hit so many walls trying to fix that with @romainreuillon we'd be glad to understand what was the root of the problem :)

jorge-lip commented Feb 13, 2017

Hi. After posting the question, I decided to look at it over the weekend and I came up with this dirty solution changing tracee/event.c, which seems to work OK. Maybe it can help you find a better solution.

https://owncloud.indigo-datacloud.eu/index.php/s/yMj5yd24zY5kXIJ

I'm using proot for udocker (https://github.com/indigo-dc/udocker) a tool to run docker containers without privileges.

alkino commented Feb 13, 2017

Could you do a PR, please?

jorge-lip commented Feb 13, 2017

Done, fix event.c for seccomp and ptrace #115

mirage335 commented Mar 20, 2017

With this "fix", I still need to use "export PROOT_NO_SECCOMP=1", and further, proot does not work at all with a PREEMPT_RT kernel.

necrophcodr commented May 1, 2017

This issue is still present on the recent versions of proot, and has been reproduced on Sabayon 17.04 Xfce AMD64.

mirage335 commented Dec 31, 2017

Redirection of folders visible to applications with hardcoded expectations (eg. Arduino, emacs, FireFox, Slic3r, Cura, Pronterface, etc), is an essential feature for ensuring these applications can be configured for a specific purpose (eg. https://github.com/mirage335/MarlinBuilder/blob/master/launchArduino) .

PRoot's methods and syntax present the logical solution to this problem, yet, it has not been acceptably reliable for production use, if for no other reason than this bug report has been allowed to remain open for more than a year.

Ubiquitous Bash is significantly inspired as a workaround to this bug report, and after approximately four months of intensive development, is now operational on Linux systems, especially Debian Stretch. Application virtualization, with file parameter translation and permission dropping, is supported. Several virtualization backends are available to choose from, including ChRoot, QEMU, VirtualBox, and Docker, all working with the same raw VM image. If for any reason one of these backends is unsuitable or unavailable, an alternative can be launched within seconds.

https://rawgit.com/mirage335/ubiquitous_bash/master/USAGE.html

https://github.com/mirage335/ubiquitous_bash

guillon added a commit to guillon/zoostrap that referenced this issue May 3, 2018

Disable seccomp optimization in proot
With recent kernels, the proot seccomp optimization
does not work correctly.
Ref: proot-me/PRoot#106
Disable w/ PROOT_NO_SECCOMP in srun script.
