Bug#951718: selectively enable seccomp not working as documented
Control: clone -1 -2
Control: reassign -2 libseccomp/2.3.3-4
Control: retitle -1 apt: allow seccomp overrides by number
Control: retitle -2 libseccomp: syscalls missing in stable
On Thu, Feb 20, 2020 at 05:00:18PM +0100, Marc Haber wrote:
> Package: apt
> Version: 1.8.2
> Severity: normal
>
> Hi,
>
> /usr/share/doc/apt/examples/configure-index.gz says:
>
> APT::Sandbox
> {
> User "<STRING>";
> ResetEnvironment "<BOOL>";
> Verify "<BOOL>"
> {
> Groups "<BOOL>";
> IDs "<BOOL>";
> Regain "<BOOL>";
> };
> seccomp "<BOOL>"
> {
> print "<BOOL>"; // print what syscall was trapped
> allow "<LIST>";
> trap "<LIST>";
> };
> };
>
> To selectively allow the clock_gettime64 syscall as suggested by Julian in
> #951012, I made this
>
> APT::Sandbox
> {
> seccomp "true"
> {
> allow "clock_gettime64";
> };
> };
>
> which results in "E: Cannot allow clock_gettime64: Invalid argument -
> aptMethod::Configuration (0: Success)".
>
> What would be the correct syntax? Can the docs be fixed please?
It is the correct syntax. libseccomp2 in stable is too old to know
the new syscalls, and there's no way to override by syscall number in
apt. Both should be fixed IMO:
- the list of syscalls the libseccomp library handles in stable
does not match the syscalls used in stable
- apt should allow you to override by number because that's easier.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
Reply to: