x86_64 seccomp compilation fails due to duplicate labels


Mikko Koivisto

Feb 22, 2023, 10:00:12 AM2/22/23
to crosvm-dev
I'm running cuttlefish emulator on crosvm on ubuntu20 host.
The crosvm start fails with:
crosvm[1408252]: libminijail[1408252]: compile_file: /home/mikko_koivisto/test/usr/share/crosvm/x86_64-linux-gnu/seccomp/net_device.policy(70): previous definition here
crosvm[1408252]: libminijail[1408252]: duplicate label: '16_success'
crosvm[1408252]: libminijail[1408252]: failed to compile seccomp filter BPF program in '/home/mikko_koivisto/test/usr/share/crosvm/x86_64-linux-gnu/seccomp/net_device.policy'

The offending part of the file looks like this:
# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW
ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00

# TUNSETOFFLOAD
ioctl: arg1 == 0x400454d0
open: return ENOENT
openat: return ENOENT
prctl: arg0 == PR_SET_NAME


The upper part seems to come from /jail/seccomp/x86_64/common_device.policy and the lower part from jail/seccomp/x86_64/net_device.policy (which includes the common policy).
What would be the best way to fix this?

If I manually concatenate directives to
ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00 || arg1 == 0x400454d0
...the problem goes away, but I need to apply a similar fix to many files.
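The merge applied by hand above can be automated. The following is an added example, not code from crosvm or minijail: it flattens a policy through its @include lines, OR-s duplicate arg-comparison filters the way the manual fix does, and reports duplicates that cannot be merged mechanically (an allow-all `1` or a `return` action colliding with an arg filter). The two policy texts are constructed stand-ins for the files named in the thread, not the real ones.

```python
import re

# Constructed stand-ins for common_device.policy and net_device.policy from
# the thread (not the real crosvm files); the net policy includes the common one.
FILES = {
    "common_device.policy": (
        "# 0xc018aa3f == UFFDIO_API, 0xaa00 == USERFAULTFD_IOC_NEW\n"
        "ioctl: arg1 == 0xc018aa3f || arg1 == 0xaa00\n"
        "open: return ENOENT\n"
        "prctl: arg0 == PR_SET_NAME\n"
    ),
    "net_device.policy": (
        "@include common_device.policy\n"
        "ioctl: arg1 == 0x400454d0\n"
        "open: return ENOENT\n"
        "openat: return ENOENT\n"
        "prctl: 1\n"
    ),
}

RULE_RE = re.compile(r"^(\w+)\s*:\s*(.+?)\s*$")

def iter_rules(name, files, stack=()):
    """Yield (file, syscall, filter) for each rule, following @include lines."""
    if name in stack:
        raise ValueError("@include cycle: " + " -> ".join(stack + (name,)))
    for line in files[name].splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("@frequency"):
            continue
        if line.startswith("@include "):
            yield from iter_rules(line.split(None, 1)[1], files, stack + (name,))
            continue
        m = RULE_RE.match(line)
        if not m: raise ValueError(f"{name}: cannot parse {line!r}")
        yield name, m.group(1), m.group(2)

def merge_policy(name, files):
    """Flatten a policy. Duplicate arg-comparison filters are OR-ed together (the
    manual fix from the thread); other duplicates are reported as conflicts."""
    rules, conflicts = {}, []
    for src, syscall, filt in iter_rules(name, files):
        prev = rules.get(syscall)
        if prev is None or prev == filt:
            rules[syscall] = filt   # first rule, or an identical repeat
        elif prev.startswith("arg") and filt.startswith("arg"):
            rules[syscall] = f"{prev} || {filt}"
        else:
            conflicts.append(f"{src}: {syscall}: {prev!r} vs {filt!r}")
    return rules, conflicts
```

Running `merge_policy("net_device.policy", FILES)` yields a single merged `ioctl` rule and flags the `prctl` collision, which needs a human decision rather than a mechanical merge.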

Frederick Mayle

Feb 22, 2023, 12:07:17 PM2/22/23
to Mikko Koivisto, crosvm-dev
Hi. Are you using the crosvm bundled in AOSP?

This is a known issue in crosvm and AOSP is carrying some patches to work around it, but it looks like we missed some cases.

You can disable sandboxing as a quick workaround, for example

launch_cvd --enable_sandbox=false ...

Mikko Koivisto

Feb 22, 2023, 2:18:56 PM2/22/23
to crosvm-dev, Frederick Mayle, crosvm-dev, Mikko Koivisto
Thanks for the tip. The cuttlefish boots up fine with -enable_sandbox=false.
enable_sandbox=true worked after manually "fixing" the duplicate ioctl definitions in these files:
net_device.policy
xhci_device.policy
fs_device.policy
vhost_vsock_device.policy
This is aosp crosvm with HEAD at
0fcfdb3cd72f4b9ea2d59cac32d1763a39905d1e (HEAD, m/master, aosp/master) ANDROID: restrict visibility


Frederick Mayle

Feb 22, 2023, 4:17:47 PM2/22/23
to Mikko Koivisto, crosvm-dev
Cool. I don't have a timeline, but this should "just work" at some point in the near future.