From: "Berk D. Demir" <bdd@mindcast.org>
To: wireguard@lists.zx2c4.com
Subject: wireguard-go on android crashes due seccomp enforcement of sys_inotify_init
Date: Sun, 9 Dec 2018 10:46:54 -0800
Message-ID: <CALv=V9Gv6apdWJ9P-80zf9bgByd=c3QqPhRHuw6o0_OaH0=W6g@mail.gmail.com>

I'm running WireGuard Android on ChromeOS with its Android subsystem
support. It was working without any significant issues up until
Android runtime got updated to 9 (Pie) with a Dev Channel update.
WireGuard started to crash right after starting a connection.

Looking at the logs, I can see libwg-go.so's attempt to use
`inotify_init` (x86_64 system call #253) is blocked by seccomp,
crashing the process with SIGSYS. I'm guessing this is where libwg
hits the seccomp filter:
https://github.com/WireGuard/wireguard-go/blob/1c025570139f614f2083b935e2c58d5dbf199c2f/uapi_linux.go#L91

Is this a known new enforcement in Android 9? ...or I wonder if this
is particular to Android runtime under (/along with?) ChromeOS.

I'm running Chrome 72.0.3626.8 (Dev Channel) on a Google Pixelbook
(CrOS code name: eve) with the latest WireGuard from Play Store.

Relevant portion of the logs is below. I'd gladly collect more data
if someone can instruct me to get more than wireguard logs or looking
at /var/log/arc.log.

== wireguard.log excerpt ==
12-09 09:53:56.270 2254 2271 D WireGuard/GoBackend: Changing tunnel
[[redact: peer host]] to state UP
12-09 09:53:56.270 2254 2271 I WireGuard/GoBackend: Bringing tunnel up
12-09 09:53:56.270 2254 2271 D WireGuard/GoBackend: Requesting to
start VpnService
12-09 09:53:56.550 2254 2271 D WireGuard/GoBackend: Go backend v0.0.20181018
12-09 09:53:56.551 2254 2271 D WireGuard/GoBackend/[[redact: peer
host]]: Debug log enabled
12-09 09:53:56.551 2254 2271 I WireGuard/GoBackend/[[redact: peer
host]]: Attaching to interface tun0
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: event worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: encryption worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: decryption worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: handshake worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: encryption worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: decryption worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: handshake worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: encryption worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: decryption worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: handshake worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: encryption worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: decryption worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: handshake worker - started
12-09 09:53:56.578 2254 2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: TUN reader - started
12-09 09:53:56.578 2254 2271 D WireGuard/GoBackend/[[redact: peer
host]]: Interface has MTU 1280
12-09 09:53:56.578 2254 2271 D WireGuard/GoBackend/[[redact: peer
host]]: UAPI: Updating private key
12-09 09:53:56.578 2254 2271 D WireGuard/GoBackend/[[redact: peer
host]]: UAPI: Removing all peers
12-09 09:53:56.578 2254 2271 D WireGuard/GoBackend/[[redact: peer
host]]: UAPI: Transition to peer configuration
12-09 09:53:56.578 2254 2271 D WireGuard/GoBackend/[[redact: peer
host]]: peer([[redact: peer PK]]) - UAPI: Created
12-09 09:53:56.578 2254 2271 D WireGuard/GoBackend/[[redact: peer
host]]: peer([[redact: peer PK]]) - UAPI: Adding allowedip
12-09 09:53:56.578 2254 2271 D WireGuard/GoBackend/[[redact: peer
host]]: peer([[redact: peer PK]]) - UAPI: Updating endpoint
12-09 09:53:56.578 2254 2271 D WireGuard/GoBackend/[[redact: peer
host]]: peer([[redact: peer PK]]) - UAPI: Updating persistent
keepalive interva
12-09 09:53:56.579 2254 2271 F libc : Fatal signal 31 (SIGSYS),
code 1 (SYS_SECCOMP) in tid 2271 (AsyncTask #2), pid 2254
(reguard.android)
12-09 09:53:56.595 2346 2346 E cutils-trace: Error opening trace
file: Permission denied (13)
12-09 09:53:56.625 2348 2348 I crash_dump64: obtaining output fd
from tombstoned, type: kDebuggerdTombstone
12-09 09:53:56.625 2348 2348 I crash_dump64: performing dump of
process 2254 (target tid = 2271)
12-09 09:53:56.631 2348 2348 F DEBUG : *** *** *** *** *** *** ***
*** *** *** *** *** *** *** *** ***
12-09 09:53:56.631 2348 2348 F DEBUG : Build fingerprint:
'google/eve/eve_cheets:9/R72-11316.6.0/5164505:user/release-keys'
12-09 09:53:56.631 2348 2348 F DEBUG : Revision: '0'
12-09 09:53:56.631 2348 2348 F DEBUG : ABI: 'x86_64'
12-09 09:53:56.631 2348 2348 F DEBUG : pid: 2254, tid: 2271, name:
AsyncTask #2 >>> com.wireguard.android <<<
12-09 09:53:56.631 2348 2348 F DEBUG : signal 31 (SIGSYS), code 1
(SYS_SECCOMP), fault addr --------
12-09 09:53:56.631 2348 2348 F DEBUG : Cause: seccomp prevented
call to disallowed x86_64 system call 253
12-09 09:53:56.631 2348 2348 F DEBUG : rax 00000000000000fd
rbx 000000000000003a rcx 000079379735049b rdx 0000000000000000
12-09 09:53:56.631 2348 2348 F DEBUG : r8 0000000000000000
r9 0000000000000000 r10 0000000000000000 r11 0000000000000202
12-09 09:53:56.631 2348 2348 F DEBUG : r12 0000000000000000
r13 000000000000000c r14 000000000000000b r15 0000000000000080
12-09 09:53:56.631 2348 2348 F DEBUG : rdi 0000000000000000
rsi 0000000000000000
12-09 09:53:56.631 2348 2348 F DEBUG : rbp 000000c000ae7b20
rsp 000000c000ae7ad8 rip 000079379735049b
12-09 09:53:56.631 2348 2348 F DEBUG :
12-09 09:53:56.631 2348 2348 F DEBUG : backtrace:
12-09 09:53:56.631 2348 2348 F DEBUG : #00 pc 000000000014649b
/data/app/com.wireguard.android-EkzFeozwwuPX-vLJCT75-Q==/lib/x86_64/libwg-go.so
12-09 09:53:56.887 2348 2348 E crash_dump64: unable to connect to
activity manager: Permission denied
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
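
Added example, not part of the original message and not wireguard-go code: a small Go triage helper for tombstone excerpts like the one above. It rejoins the mail-wrapped log lines, pulls the blocked syscall number out of the "Cause:" line, names it, and cross-checks it against rax, which holds the syscall number on x86_64. The names `Unwrap`, `Triage` and `names` are hypothetical, the sample is constructed in the format of the excerpt, and the table is a hand-picked subset of the Linux x86_64 syscall table.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample: two tombstone records, hard-wrapped the way the mail shows them.
const sample = `12-09 09:53:56.631 2348 2348 F DEBUG : Cause: seccomp prevented
call to disallowed x86_64 system call 253
12-09 09:53:56.631 2348 2348 F DEBUG : rax 00000000000000fd
rbx 000000000000003a rcx 000079379735049b rdx 0000000000000000`

// names is a subset of the Linux x86_64 syscall table (inotify family only).
var names = map[string]string{"x86_64/253": "inotify_init", "x86_64/254": "inotify_add_watch",
	"x86_64/255": "inotify_rm_watch", "x86_64/294": "inotify_init1"}

var stamp = regexp.MustCompile(`^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} `)
var causeRe = regexp.MustCompile(`seccomp prevented call to disallowed (\S+) system call (\d+)`)
var raxRe = regexp.MustCompile(`\brax\s+([0-9a-f]{16})`)

// Unwrap glues continuation lines (no logcat timestamp) back onto their record.
func Unwrap(log string) (out []string) {
	for _, l := range strings.Split(log, "\n") {
		if len(out) > 0 && !stamp.MatchString(l) {
			out[len(out)-1] += " " + l
			continue
		}
		out = append(out, l)
	}
	return out
}

// Triage returns the blocked syscall number (-1 if none), its name ("" if not in
// the table), and whether the rax register in the dump carries the same number.
func Triage(log string) (nr int, name string, raxOK bool) {
	joined := strings.Join(Unwrap(log), "\n")
	m := causeRe.FindStringSubmatch(joined)
	if m == nil {
		return -1, "", false // no seccomp kill recorded in this log
	}
	nr, _ = strconv.Atoi(m[2])
	r := raxRe.FindStringSubmatch(joined)
	return nr, names[m[1]+"/"+m[2]], r != nil && r[1] == fmt.Sprintf("%016x", nr)
}

func main() { fmt.Println(Triage(sample)) }
```

A rax value that disagrees with the "Cause:" line would suggest the excerpt mixes registers from a different crash record.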