hyperboria / bugs

Peer-to-peer IPv6 networking, secure and near-zero-conf.

SecComp on Raspbian #6

Open ghost opened 9 years ago

ghost commented 9 years ago

@lgierth commented on 13 May 2014

I'll have a stack dump as soon as I find the GDB command... need to also compile an OpenWRT with GDB.

root@OpenWrt:~# /etc/init.d/cjdns start
1399952811 INFO cjdroute2.c:541 Cjdns ARM 32-bit LittleEndian linux +seccomp
1399952811 INFO cjdroute2.c:545 Checking for running instance...
1399952811 DEBUG AdminClient.c:349 Connecting to [127.0.0.1:11234]
1399952811 DEBUG UDPAddrInterface.c:289 Bound to address [0.0.0.0:57446]
1399952811 INFO cjdroute2.c:571 Forking angel to background.
1399952811 DEBUG Pipe.c:135 Buffering a message
1399952811 INFO RandomSeed.c:42 Attempting to seed random number generator
1399952811 INFO RandomSeed.c:50 Trying random seed [/dev/urandom] Success
1399952811 INFO RandomSeed.c:56 Trying random seed [sysctl(RANDOM_UUID) (Linux)] Failed
1399952811 INFO RandomSeed.c:50 Trying random seed [/proc/sys/kernel/random/uuid (Linux)] Success
1399952811 INFO RandomSeed.c:64 Seeding random number generator succeeded with [2] sources
1399952811 DEBUG Pipe.c:232 Pipe [/tmp/cjdns_pipe_client-angel-pt8g5nzbcztuyn1bl9knk14j51jw3t] established connection
1399952811 DEBUG Pipe.c:254 Sending buffered message
1399952811 DEBUG AngelInit.c:180 Getting pre-configuration from client
1399952811 DEBUG Pipe.c:232 Pipe [/tmp/cjdns_pipe_client-angel-pt8g5nzbcztuyn1bl9knk14j51jw3t] established connection
1399952811 DEBUG AngelInit.c:184 Finished getting pre-configuration from client
1399952811 INFO AngelInit.c:215 Initializing core [/usr/sbin/cjdroute]
1399952811 DEBUG AngelInit.c:219 Sending pre-configuration to core.
1399952811 DEBUG Pipe.c:135 Buffering a message
1399952811 INFO RandomSeed.c:42 Attempting to seed random number generator
1399952811 INFO RandomSeed.c:50 Trying random seed [/dev/urandom] Success
1399952811 INFO RandomSeed.c:56 Trying random seed [sysctl(RANDOM_UUID) (Linux)] Failed
1399952811 INFO RandomSeed.c:50 Trying random seed [/proc/sys/kernel/random/uuid (Linux)] Success
1399952811 INFO RandomSeed.c:64 Seeding random number generator succeeded with [2] sources
1399952811 INFO LibuvEntropyProvider.c:59 Taking clock samples every [1000]ms for random generator
1399952811 DEBUG Pipe.c:232 Pipe [/tmp/cjdns_pipe_69rhp4cspxhwgx9yt16v7hxcx063qu] established connection
1399952811 DEBUG Pipe.c:254 Sending buffered message
1399952811 DEBUG Pipe.c:232 Pipe [/tmp/cjdns_pipe_69rhp4cspxhwgx9yt16v7hxcx063qu] established connection
1399952811 DEBUG UDPAddrInterface.c:250 Binding to address [127.0.0.1:11234]
1399952811 DEBUG UDPAddrInterface.c:289 Bound to address [127.0.0.1:11234]
1399952811 DEBUG Hermes.c:180 Sending [64] bytes to angel [d5:error4:none5:admind4:bind15:127.0.0.1:11234e4:txid8:00000000e].
1399952811 DEBUG AdminClient.c:349 Connecting to [127.0.0.1:11234]
1399952811 DEBUG UDPAddrInterface.c:289 Bound to address [0.0.0.0:42717]
1399952811 INFO Configurator.c:126 Checking authorized password 0.
1399952811 INFO Configurator.c:147 Adding authorized password #[0] for user [password [0]].
1399952811 CRITICAL Configurator.c:103 Got error [Seccomp.c:296 prctl(PR_SET_SECCOMP) -> [Invalid argument]] calling [Security_dropPermissions]
1399952811 CRITICAL Configurator.c:54 enable Log_LEVEL=KEYS to see message content.
1399952812 INFO Angel.c:43 Got request to exit
1399952817 CRITICAL Configurator.c:66 Failed to stop the core.
1399952817 CRITICAL Configurator.c:68 Aborting.

@cjdelisle commented on 13 May 2014

Probably the kernel version is too old but you still have seccomp header files. uname -a

@lgierth commented on 17 May 2014

Haven't found the time to look into this yet, meanwhile I'm disabling SecComp as a workaround: Seccomp_NO=1 ./do

@lgierth commented on 24 Sep 2014

Collecting possibly useful findings:

  • lkml: ARM seccomp filters and EABI/OABI
  • lkml: ARM audit, seccomp, etc are broken wrt OABI syscalls (follow-up of ^)
  • lkddb: CONFIG_OABI_COMPAT

@lgierth commented 21 days ago

Some progress in OpenWrt:

viric commented 9 years ago

Fwiw, I disable seccomp on arm. So I'll keep an eye on this.

dangowrt commented 9 years ago

Fixed by https://github.com/hyperboria/cjdns/commit/dc63fc73f8cd7eae38279297a5247e25978e1b76 and https://github.com/hyperboria/cjdns/commit/b8e4baa63b5d7f14daae1f6d454a26be2982c61e

Shnatsel commented 8 years ago

This bug is back as of cjdns master, commit 13189fd

Fails for me with very similar errors on Raspberry Pi 2, Jessie image:

1448739768 CRITICAL Configurator.c:107 Got error [Seccomp.c:357 prctl(PR_SET_SECCOMP) -> [Invalid argument]

uname -a output:

Linux raspberrypi 4.1.12-v7+ #824 SMP PREEMPT Wed Oct 28 16:46:35 GMT 2015 armv7l GNU/Linux

Shnatsel commented 8 years ago

Needs confirmation from someone else though - my RPi can be messed up without me knowing it.

ghost commented 8 years ago

@Shnatsel can you have a look whether the kernel was built with OABI_COMPAT?

Shnatsel commented 8 years ago

Yes, looks like it was: https://github.com/raspberrypi/linux/blob/rpi-4.1.y/arch/arm/configs/bcm2709_defconfig

Kubuxu commented 8 years ago

There is CONFIG_SECCOMP=y but no CONFIG_SECCOMP_FILTER=y which might be a cause of a problem.

Someone wants to play kernel recompilation?

koalalorenzo commented 8 years ago

I am planning to recompile the kernel during the next week! Is there any reason to report this to the Raspbian community?

Kubuxu commented 8 years ago

It is a feature regression from the RPi1 kernel AFAIK. It is a hardly used feature, so: 1. they might have forgotten it, 2. removed it deliberately. It is worth asking.

dangowrt commented 8 years ago

This seems to be an issue specific to the semi-proprietary RaspberryPi kernel which ships with raspbian rather than being a problem having anything to do with ARM in general. The same hardware runs cjdns with seccomp e.g. using http://downloads.openwrt.org/snapshots/trunk/brcm2708/generic/ instead of Raspbian. I thus renamed the issue to reflect that.

Kubuxu commented 8 years ago

Here is the kernel config: https://github.com/raspberrypi/linux/blob/rpi-4.1.y/arch/arm/configs/bcm2709_defconfig

There is CONFIG_SECCOMP=y but no CONFIG_SECCOMP_FILTER=y which might be a cause of a problem.

It would be worth it for someone who has an RPi2 to recompile Raspbian's kernel to include the second flag and check if it works; if it does, then it should be reported to Raspbian's dev team.

For now the workaround is to disable seccomp and tests using: NO_TEST=1 Seccomp_NO=1 ./do
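
A runtime check for the kernel condition discussed in this thread, as an added example that is not part of the thread or of cjdns: prctl(PR_SET_SECCOMP) also returns EINVAL for a rejected filter program, so the probe passes a NULL filter, which a kernel with filter mode rejects with EFAULT while a kernel without CONFIG_SECCOMP_FILTER returns EINVAL. The names classify and probe_seccomp are illustrative.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Fallbacks for old userspace headers; values are from the Linux UAPI. */
#ifndef PR_GET_SECCOMP
#define PR_GET_SECCOMP 21
#endif
#ifndef PR_SET_SECCOMP
#define PR_SET_SECCOMP 22
#endif
#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_FILTER 2
#endif

enum support { SUPPORT_NONE, SUPPORT_STRICT_ONLY, SUPPORT_FILTER, SUPPORT_UNKNOWN };

/* Pure mapping from the two prctl() results to a kernel capability. */
enum support classify(int get_ret, int get_errno, int set_ret, int set_errno)
{
    if (get_ret < 0 && get_errno == EINVAL)
        return SUPPORT_NONE;        /* kernel built without CONFIG_SECCOMP */
    if (set_ret < 0 && set_errno == EFAULT)
        return SUPPORT_FILTER;      /* mode accepted, NULL filter pointer rejected */
    if (set_ret < 0 && set_errno == EINVAL)
        return SUPPORT_STRICT_ONLY; /* mode 2 unknown: no CONFIG_SECCOMP_FILTER */
    return SUPPORT_UNKNOWN;
}

/* Probe the running kernel. The NULL filter can never be installed,
 * so the calling process is left unsandboxed. */
enum support probe_seccomp(void)
{
    int get_ret = prctl(PR_GET_SECCOMP, 0UL, 0UL, 0UL, 0UL);
    int get_errno = errno;
    int set_ret = prctl(PR_SET_SECCOMP, (unsigned long)SECCOMP_MODE_FILTER, NULL, 0UL, 0UL);
    int set_errno = errno;
    return classify(get_ret, get_errno, set_ret, set_errno);
}

int main(void)
{
    static const char *const text[] = {
        "no seccomp support (CONFIG_SECCOMP missing)",
        "strict mode only (CONFIG_SECCOMP_FILTER missing)",
        "seccomp filter mode available",
        "inconclusive result",
    };
    printf("%s\n", text[probe_seccomp()]);
    return 0;
}
```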

perguth commented 7 years ago

Problem still persists with RaspberryPi 3 B: Linux raspberrypi 4.4.38-v7+ #938 SMP Thu Dec 15 15:22:21 GMT 2016 armv7l GNU/Linux.

Using NO_TEST=1 Seccomp_NO=1 ./do it works.

ansuz commented 7 years ago

@pguth, consider making a PR to https://github.com/cjdelisle/cjdns/tree/master/doc/install for a raspbian guide.

perguth commented 7 years ago

@ansuz Ok, did that: https://github.com/cjdelisle/cjdns/pull/1028