Closed
Bug 1298869
Opened 8 years ago
Closed 8 years ago
MOZ_CRASH(seccomp+tsync failed, but kernel supports tsync) when running with rr
Categories
(Core :: Security: Process Sandboxing, defect)
Core
Security: Process Sandboxing
Tracking
()
RESOLVED
INVALID
Tracking | Status | |
---|---|---|
firefox51 | --- | affected |
People
(Reporter: botond, Unassigned)
References
Details
STR: 1. Install rr (http://rr-project.org/) 2. Run a local build of m-c with |mach run --debugger rr| 3. Load any webpage Expected results: The page loads. Actual results: The content process crashes, with the following output: Sandbox: thread-synchronized seccomp failed: Function not implemented Hit MOZ_CRASH(seccomp+tsync failed, but kernel supports tsync) at /home/botond/dev/mozilla/central/security/sandbox/linux/Sandbox.cpp:452 Running without rr works fine. Setting security.sandbox.content.level=0 fixes the problem.
Comment 1•8 years ago
|
||
This is a bug in rr. Also, there's a better workaround: set MOZ_FAKE_NO_SECCOMP_TSYNC in the environment. What seems to be going on here is: * The sandbox feature detection code passes nullptr instead of an actual filter and checks for EFAULT, in order to probe for support without actually changing the process state. Chromium also uses this technique (and seccomp-bpf was originally contributed to Linux by the Chromium project, so they'd know as well as anyone). * rr tries to emulate the seccomp syscall (which is needed in order to use the SECCOMP_FILTER_FLAG_TSYNC flag, to change all threads in the process at once; this is the "tsync" feature referred to in the error message) without first checking if it's supported, and it has an early exit that returns a synthetic EFAULT if the filter address is invalid, even if the actual syscall wouldn't have gotten that far: https://github.com/mozilla/rr/blob/3d96a37cc/src/SeccompFilterRewriter.cc#L38 * In this case the kernel *doesn't* support it, but rr's interposition returns a false positive to the detection code, so when the time comes to actually install the filter, rr needs to use the actual syscall to install its patched version of the filter program, and that does fail with ENOSYS. * This would also be the case for the older prctl(PR_SET_SECCOMP, ...) interface, but kernels old enough to lack seccomp-bpf entirely are uncommon enough that perhaps nobody has ever tried to run Firefox under rr on one. I'd suggest that rr should either probe for syscall support before trying to interpose like that, or else change those early returns to cause the recorded process to issue the syscall itself so that it gets the appropriate error. Additionally, it seems that rr isn't handling SECCOMP_FILTER_FLAG_TSYNC correctly, in that it's not handling it at all — it seems to be completely ignoring the flags argument and marking only the calling thread as having changed seccomp status, but passes through the flags to the actual syscall, which means that other threads will get incorrect values from prctl(PR_GET_SECCOMP), which is trapped and emulated by rr. (Disclaimer: everything in this comment is from code reading, not testing.)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 2•8 years ago
|
||
Thanks for the analysis! I filed an rr bug: https://github.com/mozilla/rr/issues/1781
rr doesn't work without seccomp-bpf, that's why we don't have issues on them :-).
You need to log in
before you can comment on or make changes to this bug.
Description
•