WireGuard Archive on lore.kernel.org
* wireguard-go on android crashes due seccomp enforcement of sys_inotify_init
@ 2018-12-09 18:46 Berk D. Demir
  2018-12-10  0:52 ` Jason A. Donenfeld
  0 siblings, 1 reply; 6+ messages in thread
From: Berk D. Demir @ 2018-12-09 18:46 UTC (permalink / raw)
  To: wireguard

I'm running WireGuard Android on ChromeOS with its Android subsystem
support. It was working without any significant issues up until
Android runtime got updated to 9 (Pie) with a Dev Channel update.
WireGuard started to crash right after starting a connection.

Looking at the logs, I can see libwg-go.so's attempt to use
`inotify_init` (x86_64 system call #253) is blocked by seccomp,
crashing the process with SIGSYS. I'm guessing this is where libwg
hits the seccomp filter:
https://github.com/WireGuard/wireguard-go/blob/1c025570139f614f2083b935e2c58d5dbf199c2f/uapi_linux.go#L91

Is this a known new enforcement in Android 9? ...or I wonder if this
is particular to Android runtime under (/along with?) ChromeOS.

I'm running Chrome 72.0.3626.8 (Dev Channel) on a Google Pixelbook
(CrOS code name: eve) with the latest WireGuard from Play Store.

The relevant portion of the logs is below. I'd gladly collect more data
if someone can instruct me to get more than wireguard logs or looking
at /var/log/arc.log.


== wireguard.log excerpt ==
12-09 09:53:56.270  2254  2271 D WireGuard/GoBackend: Changing tunnel
[[redact: peer host]] to state UP
12-09 09:53:56.270  2254  2271 I WireGuard/GoBackend: Bringing tunnel up
12-09 09:53:56.270  2254  2271 D WireGuard/GoBackend: Requesting to
start VpnService
12-09 09:53:56.550  2254  2271 D WireGuard/GoBackend: Go backend v0.0.20181018
12-09 09:53:56.551  2254  2271 D WireGuard/GoBackend/[[redact: peer
host]]: Debug log enabled
12-09 09:53:56.551  2254  2271 I WireGuard/GoBackend/[[redact: peer
host]]: Attaching to interface tun0
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: event worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: encryption worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: decryption worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: handshake worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: encryption worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: decryption worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: handshake worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: encryption worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: decryption worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: handshake worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: encryption worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: decryption worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: handshake worker - started
12-09 09:53:56.578  2254  2277 D WireGuard/GoBackend/[[redact: peer
host]]: Routine: TUN reader - started
12-09 09:53:56.578  2254  2271 D WireGuard/GoBackend/[[redact: peer
host]]: Interface has MTU 1280
12-09 09:53:56.578  2254  2271 D WireGuard/GoBackend/[[redact: peer
host]]: UAPI: Updating private key
12-09 09:53:56.578  2254  2271 D WireGuard/GoBackend/[[redact: peer
host]]: UAPI: Removing all peers
12-09 09:53:56.578  2254  2271 D WireGuard/GoBackend/[[redact: peer
host]]: UAPI: Transition to peer configuration
12-09 09:53:56.578  2254  2271 D WireGuard/GoBackend/[[redact: peer
host]]: peer([[redact: peer PK]]) - UAPI: Created
12-09 09:53:56.578  2254  2271 D WireGuard/GoBackend/[[redact: peer
host]]: peer([[redact: peer PK]]) - UAPI: Adding allowedip
12-09 09:53:56.578  2254  2271 D WireGuard/GoBackend/[[redact: peer
host]]: peer([[redact: peer PK]]) - UAPI: Updating endpoint
12-09 09:53:56.578  2254  2271 D WireGuard/GoBackend/[[redact: peer
host]]: peer([[redact: peer PK]]) - UAPI: Updating persistent
keepalive interva
12-09 09:53:56.579  2254  2271 F libc    : Fatal signal 31 (SIGSYS),
code 1 (SYS_SECCOMP) in tid 2271 (AsyncTask #2), pid 2254
(reguard.android)
12-09 09:53:56.595  2346  2346 E cutils-trace: Error opening trace
file: Permission denied (13)
12-09 09:53:56.625  2348  2348 I crash_dump64: obtaining output fd
from tombstoned, type: kDebuggerdTombstone
12-09 09:53:56.625  2348  2348 I crash_dump64: performing dump of
process 2254 (target tid = 2271)
12-09 09:53:56.631  2348  2348 F DEBUG   : *** *** *** *** *** *** ***
*** *** *** *** *** *** *** *** ***
12-09 09:53:56.631  2348  2348 F DEBUG   : Build fingerprint:
'google/eve/eve_cheets:9/R72-11316.6.0/5164505:user/release-keys'
12-09 09:53:56.631  2348  2348 F DEBUG   : Revision: '0'
12-09 09:53:56.631  2348  2348 F DEBUG   : ABI: 'x86_64'
12-09 09:53:56.631  2348  2348 F DEBUG   : pid: 2254, tid: 2271, name:
AsyncTask #2  >>> com.wireguard.android <<<
12-09 09:53:56.631  2348  2348 F DEBUG   : signal 31 (SIGSYS), code 1
(SYS_SECCOMP), fault addr --------
12-09 09:53:56.631  2348  2348 F DEBUG   : Cause: seccomp prevented
call to disallowed x86_64 system call 253
12-09 09:53:56.631  2348  2348 F DEBUG   :     rax 00000000000000fd
rbx 000000000000003a  rcx 000079379735049b  rdx 0000000000000000
12-09 09:53:56.631  2348  2348 F DEBUG   :     r8  0000000000000000
r9  0000000000000000  r10 0000000000000000  r11 0000000000000202
12-09 09:53:56.631  2348  2348 F DEBUG   :     r12 0000000000000000
r13 000000000000000c  r14 000000000000000b  r15 0000000000000080
12-09 09:53:56.631  2348  2348 F DEBUG   :     rdi 0000000000000000
rsi 0000000000000000
12-09 09:53:56.631  2348  2348 F DEBUG   :     rbp 000000c000ae7b20
rsp 000000c000ae7ad8  rip 000079379735049b
12-09 09:53:56.631  2348  2348 F DEBUG   :
12-09 09:53:56.631  2348  2348 F DEBUG   : backtrace:
12-09 09:53:56.631  2348  2348 F DEBUG   :     #00 pc 000000000014649b
 /data/app/com.wireguard.android-EkzFeozwwuPX-vLJCT75-Q==/lib/x86_64/libwg-go.so
12-09 09:53:56.887  2348  2348 E crash_dump64: unable to connect to
activity manager: Permission denied
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
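
Added example, not part of the original message or of wireguard-go: a small Go triage helper that reads tombstone lines like the ones in the report above, names the blocked x86_64 system call, and checks it against the rax value in the register dump. The function, type and variable names are hypothetical, and the lookup table covers only the inotify family.

```go
package main

import (
	"errors"
	"regexp"
	"strconv"
)

// Two tombstone lines taken from the log above, mail line wraps joined.
const sampleLog = `12-09 09:53:56.631  2348  2348 F DEBUG   : Cause: seccomp prevented call to disallowed x86_64 system call 253
12-09 09:53:56.631  2348  2348 F DEBUG   :     rax 00000000000000fd rbx 000000000000003a  rcx 000079379735049b  rdx 0000000000000000`

// x86_64 numbers of the inotify system calls, from the Linux syscall table.
var inotifyX8664 = map[int]string{253: "inotify_init", 254: "inotify_add_watch", 255: "inotify_rm_watch", 294: "inotify_init1"}

var (
	causeRe = regexp.MustCompile(`seccomp prevented call to disallowed (\w+) system call (\d+)`)
	raxRe   = regexp.MustCompile(`\brax ([0-9a-f]{16})\b`)
)

// Finding summarises one seccomp SIGSYS crash (hypothetical type).
type Finding struct {
	Arch, Name string
	Nr         int
	RaxAgrees  bool // register dump shows the same syscall number
}

// Triage extracts the blocked syscall from logcat/tombstone text.
func Triage(log string) (Finding, error) {
	c := causeRe.FindStringSubmatch(log)
	if c == nil {
		return Finding{}, errors.New("no seccomp cause line found")
	}
	nr, _ := strconv.Atoi(c[2]) // the regexp only lets digits through
	f := Finding{Arch: c[1], Nr: nr, Name: "unknown"}
	if n, ok := inotifyX8664[nr]; ok && f.Arch == "x86_64" {
		f.Name = n
	}
	// On x86_64 the syscall number is passed in rax, so the dump should agree.
	if r := raxRe.FindStringSubmatch(log); r != nil {
		v, err := strconv.ParseUint(r[1], 16, 64)
		f.RaxAgrees = err == nil && v == uint64(nr)
	}
	return f, nil
}

func main() {
	f, err := Triage(sampleLog)
	println(f.Arch, f.Nr, f.Name, f.RaxAgrees, err == nil)
}
```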


* Re: wireguard-go on android crashes due seccomp enforcement of sys_inotify_init
  2018-12-09 18:46 wireguard-go on android crashes due seccomp enforcement of sys_inotify_init Berk D. Demir
@ 2018-12-10  0:52 ` Jason A. Donenfeld
  2018-12-10  1:01   ` Jason A. Donenfeld
  0 siblings, 1 reply; 6+ messages in thread
From: Jason A. Donenfeld @ 2018-12-10  0:52 UTC (permalink / raw)
  To: bdd; +Cc: WireGuard mailing list

Thanks. I filed a bug upstream with the Go people.

https://go-review.googlesource.com/c/sys/+/153318

I can work around it locally in builds, but usually they patch these
pretty quickly.

* Re: wireguard-go on android crashes due seccomp enforcement of sys_inotify_init
  2018-12-10  0:52 ` Jason A. Donenfeld
@ 2018-12-10  1:01   ` Jason A. Donenfeld
  2018-12-11  1:47     ` Jason A. Donenfeld
  0 siblings, 1 reply; 6+ messages in thread
From: Jason A. Donenfeld @ 2018-12-10  1:01 UTC (permalink / raw)
  To: bdd; +Cc: WireGuard mailing list

Locally fixed here:

https://git.zx2c4.com/wireguard-go/commit/?id=ccd0be9e3e1ba002c57f9e8d789b0dca3ca58081

* Re: wireguard-go on android crashes due seccomp enforcement of sys_inotify_init
  2018-12-10  1:01   ` Jason A. Donenfeld
@ 2018-12-11  1:47     ` Jason A. Donenfeld
  2018-12-11  1:53       ` Berk D. Demir
  0 siblings, 1 reply; 6+ messages in thread
From: Jason A. Donenfeld @ 2018-12-11  1:47 UTC (permalink / raw)
  To: bdd; +Cc: WireGuard mailing list

Hi Berk,

The fixed version should now be rolling out on the Play Store,
probably available within an hour, and eventually in F-Droid too
whenever their build infra kicks in. Thanks again for reporting the
bug.

Regards,
Jason

* Re: wireguard-go on android crashes due seccomp enforcement of sys_inotify_init
  2018-12-11  1:47     ` Jason A. Donenfeld
@ 2018-12-11  1:53       ` Berk D. Demir
  2018-12-11  6:18         ` Berk D. Demir
  0 siblings, 1 reply; 6+ messages in thread
From: Berk D. Demir @ 2018-12-11  1:53 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Thank you for this stellar stewardship.

Will confirm fix in this thread once I get the latest build.

On Mon, Dec 10, 2018 at 17:48 Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> Hi Berk,
>
> The fixed version should now be rolling out on the Play Store,
> probably available within an hour, and eventually in F-Droid too
> whenever their build infra kicks in. Thanks again for reporting the
> bug.
>
> Regards,
> Jason
>


* Re: wireguard-go on android crashes due seccomp enforcement of sys_inotify_init
  2018-12-11  1:53       ` Berk D. Demir
@ 2018-12-11  6:18         ` Berk D. Demir
  0 siblings, 0 replies; 6+ messages in thread
From: Berk D. Demir @ 2018-12-11  6:18 UTC (permalink / raw)
  To: Jason; +Cc: wireguard

Confirming the fix.
Thanks again!
On Mon, Dec 10, 2018 at 5:53 PM Berk D. Demir <bdd@mindcast.org> wrote:
>
> Thank you for this stellar stewardship.
>
> Will confirm fix in this thread once I get the latest build.
>
> On Mon, Dec 10, 2018 at 17:48 Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>>
>> Hi Berk,
>>
>> The fixed version should now be rolling out on the Play Store,
>> probably available within an hour, and eventually in F-Droid too
>> whenever their build infra kicks in. Thanks again for reporting the
>> bug.
>>
>> Regards,
>> Jason
