Crash on Fedora 34 without `--insecure-disable-seccomp`

Question

Crash on Fedora 34 without `--insecure-disable-seccomp`

Closed this issue 3 years ago · 4 comments

Hello there!

I recently tried sniffglue, which looks quite great. As it's not packaged on Fedora yet, I installed it with a simple cargo install sniffglue.

Unfortunately, without running it with the --insecure-disable-seccomp flag, it instantly crashes on my machine.
Here is a backtrace from the core dump:

(gdb) bt
#0  0x00007efdb5da4b8b in getpid () from /lib64/libc.so.6
#1  0x00007efdb5c15350 in generate_local_port () from /lib64/libnl-3.so.200
#2  0x00007efdb5c1ff86 in nl_connect () from /lib64/libnl-3.so.200
#3  0x00007efdb5ccb4fb in find_sysfs_devs_nl () from /lib64/libibverbs.so.1
#4  0x00007efdb5cc916d in ibv_get_device_list () from /lib64/libibverbs.so.1
#5  0x00007efdb6067580 in rdmasniff_findalldevs () from /lib64/libpcap.so.1
#6  0x00007efdb6067c39 in pcap_findalldevs () from /lib64/libpcap.so.1
#7  0x00007efdb6068267 in pcap_lookupdev () from /lib64/libpcap.so.1
#8  0x000055c01c3d19f2 in sniffglue::sniff::default_interface () at src/sniff.rs:62
#9  0x000055c01c35ad52 in sniffglue::main () at src/main.rs:34

Indeed, once in seccomp mode, it seems legit not to be able to call getpid()... As to why libnl-3 ends up here, that will have to remain a mystery to me for tonight...

Do you need anything more? I probably won't be able to dig that further, as I have basically no idea of what's going on, but I can help test some stuff.

Answer 1 · 2021-10-20T14:45:54.000Z

hi!

Thanks for the detailed bugreport, seccomp is setup in two stages, can you try this command to enable debug logging and then check if the crash is in stage 1 or 2?

sudo RUST_LOG=debug sniffglue

If it's during setup only this line should show up:

[2021-10-20T14:40:16Z INFO  sniffglue::sandbox] stage 1/2 is active

If it's post-setup both of these lines should show up:

[2021-10-20T14:40:16Z INFO  sniffglue::sandbox] stage 1/2 is active
[...]
[2021-10-20T14:40:16Z INFO  sniffglue::sandbox] stage 2/2 is active

Depending on that I need to add getpid to the first or both seccomp filters.

Thanks!

Answer 2 · 2021-10-27T14:16:12.000Z

Oh sorry, it seems I dropped the notification of your answer... :/

Thanks for the patch anyway \o/

Answer 3 · 2021-10-27T14:18:42.000Z

No problem :) this should be fixed in the 0.14.0 release, please let me know if you still experience issues with that version

Answer 4 · 2021-10-27T14:44:08.000Z

Yep, 0.14.0 works fine on my Fedora 34! Issue is definitely closed 👍