Bug 215212

Summary: [WPE][GTK] Wrong argument order for clone syscall seccomp filter on s390x
Product: WebKit Reporter: Alberto Garcia <berto>
Component: WebKitGTKAssignee: Adrian Perez <aperez>
Status: RESOLVED FIXED    
Severity: Normal CC: aperez, bugs-noreply, cgarcia, mcatanzaro, pgriffis
Priority: P2    
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch for landing none

Alberto Garcia
Reported 2020-08-06 04:37:08 PDT
It seems that the order of the arguments in the clone() syscall depends on the architecture (you can see that in the clone(2) manpage). We use that in WebKit's seccomp filter (glib/BubblewrapLauncher.cpp), and this is broken in s390x at least. Flatpak is also affected, and we are using the same code. Here's the fix for Flatpak: https://github.com/flatpak/flatpak/pull/3777/commits/6d70aabc03f0389e548911b14446d702a07b016c
Attachments
Patch (2.05 KB, patch)
2020-08-06 04:59 PDT, Adrian Perez 		no flags
DetailsFormatted DiffDiff
Patch for landing (2.01 KB, patch)
2020-08-06 07:03 PDT, Adrian Perez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Alberto Garcia
Comment 1 2020-08-06 04:47:10 PDT
(note: this **seems to be broken** in WebKit based on the fact that it is broken in Flatpak and we took that code, but it should be double checked)
Adrian Perez
Comment 2 2020-08-06 04:51:30 PDT
(In reply to Alberto Garcia from comment #0) > It seems that the order of the arguments in the clone() syscall depends on > the architecture (you can see that in the clone(2) manpage). > > We use that in WebKit's seccomp filter (glib/BubblewrapLauncher.cpp), and > this is broken in s390x at least. > > Flatpak is also affected, and we are using the same code. Here's the fix for > Flatpak: > https://github.com/flatpak/flatpak/pull/3777/commits/ > 6d70aabc03f0389e548911b14446d702a07b016c (CC'ing Patrick, as he's our resident sandboxing expert.) Yes, we also need a similar fix in the WebKit sandboxing code. One would imagine that libseccomp takes care of this kind of busy-work… but it turns out that it's a pretty dumb wrapper around the kernel interface 🤷️
Adrian Perez
Comment 3 2020-08-06 04:59:21 PDT
Created attachment 406081 [details] Patch
Michael Catanzaro
Comment 4 2020-08-06 06:39:35 PDT
Comment on attachment 406081 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=406081&action=review > Source/WebKit/ChangeLog:3 > + [GLIB] Wrong argument order for clone syscall seccomp filter on s390x [WPE][GTK]
Adrian Perez
Comment 5 2020-08-06 07:03:17 PDT
Created attachment 406083 [details] Patch for landing
EWS
Comment 6 2020-08-06 07:48:13 PDT
Committed r265326: <https://trac.webkit.org/changeset/265326> All reviewed patches have been landed. Closing bug and clearing flags on attachment 406083 [details].
Note You need to log in before you can comment on or make changes to this bug.