Re: Seccomp prevented execution of syscall 0000000403 on architecture armhf
On Sun, Feb 02, 2020 at 03:23:21PM +0100, Marc Haber wrote:
> 1 [1/4191]mh@entrada:~ $ sudo apt update
> 0% [Working]
> **** Seccomp prevented execution of syscall 0000000403 on architecture armhf ****
> Reading package lists... Done
> E: Method http has died unexpectedly!
> E: Sub-process http returned an error code (31)
>
> Disabling seccomp seems to solve the issue.
> 100 [2/4192]mh@entrada:~ $ cat 999seccomp
> apt::sandbox::seccomp "false";
> [3/4193]mh@entrada:~ $ sudo mv 999seccomp /etc/apt/apt.conf.d/
> [4/4194]mh@entrada:~ $ sudo apt update
> Hit:1 http://debian-security.debian.zugschlus.de/debian-security buster/updates InRelease
> Hit:2 http://debian.debian.zugschlus.de/debian buster InRelease
> Hit:3 http://zg20150.debian.zugschlus.de/zg20150 buster-zg-stable InRelease
> Hit:4 http://zg20150.debian.zugschlus.de/zg20150 buster-zg-unstable InRelease
> Hit:5 http://security.debian.org buster/updates InRelease
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> All packages are up to date.
> [5/4195]mh@entrada:~ $
>
> What do you think, is this a kernel issue or a possible bug in apt?
In #951012 we settled that it's not a kernel issue and there was a
fix in unstable's apt. On my buster Banana Pi systems, I have added the
following:

APT::Sandbox::Seccomp::Allow {
"clock_gettime64";
"clock_settime64";
"clock_adjtime64";
"clock_getres_time64";
"clock_nanosleep_time64";
"timer_gettime64";
"timer_settime64";
"timerfd_gettime64";
"timerfd_settime64";
"utimensat_time64";
"pselect6_time64";
"ppoll_time64";
}

to /etc/apt/apt.conf.d/70seccomp, which seems to have solved the issue.

apt on buster does, however, not work with this:

APT::Sandbox {
seccomp "true";
};
APT::Sandbox::Seccomp::Allow {
"clock_gettime64";
"clock_settime64";
"clock_adjtime64";
"clock_getres_time64";
"clock_nanosleep_time64";
"timer_gettime64";
"timer_settime64";
"timerfd_gettime64";
"timerfd_settime64";
"utimensat_time64";
"pselect6_time64";
"ppoll_time64";
}
[24/4251]mh@entrada:~ $ sudo apt update
0% [Working]E: Cannot allow clock_gettime64: Invalid argument - aptMethod::Configuration (0: Success)
Reading package lists... Done
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (100)
100 [25/4252]mh@entrada:~ $
I guess this might be a parser issue, right? What would be the correct
syntax to set seccomp to true on buster _and_ allow the other syscalls?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
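A small helper to go with the thread above, added here as an illustration and not part of Marc's post or of apt itself: it takes the "Seccomp prevented execution of syscall NNN on architecture ARCH" line that apt prints, maps the number to a syscall name, and renders the apt.conf stanza that allows it. The armhf table is copied by hand from the Linux ARM 32-bit syscall table (arch/arm/tools/syscall.tbl) and only covers the time64 entries 403-414 that this thread is about; the scalar `APT::Sandbox::Seccomp "true";` next to the `::Allow` list is the apt.conf(5) way to set a value and a child scope side by side. The script name in the usage comment is made up. One caveat the stanza cannot check for you: apt asks the installed libseccomp to resolve each name when the http method starts, so a libseccomp that predates the time64 calls will not be able to add the rule no matter how the file is written; `scmp_sys_resolver -a arm clock_gettime64` from the seccomp package prints the number it resolves to (a negative value means it is unknown).

```python
#!/usr/bin/env python3
"""Turn apt's "Seccomp prevented execution of syscall N on architecture A"
line into the apt.conf stanza that allows it.

Added example, not apt's own code.  The syscall table below is copied by hand
from the Linux ARM 32-bit table (arch/arm/tools/syscall.tbl); only the time64
entries relevant to this thread are included, so any other number comes back
as unknown and must be looked up in the kernel source.
"""
import re
import sys

# Constructed lookup: armhf syscall numbers for the 64-bit-time_t calls that a
# time64-aware glibc issues on 32-bit targets.
ARMHF_TIME64_SYSCALLS = {
    403: "clock_gettime64",
    404: "clock_settime64",
    405: "clock_adjtime64",
    406: "clock_getres_time64",
    407: "clock_nanosleep_time64",
    408: "timer_gettime64",
    409: "timer_settime64",
    410: "timerfd_gettime64",
    411: "timerfd_settime64",
    412: "utimensat_time64",
    413: "pselect6_time64",
    414: "ppoll_time64",
}

SYSCALL_TABLES = {"armhf": ARMHF_TIME64_SYSCALLS}

# apt zero-pads the number ("0000000403"); \d+ plus int() copes with that.
DENIAL_RE = re.compile(
    r"Seccomp prevented execution of syscall (?P<nr>\d+) on architecture (?P<arch>\w+)"
)

# Constructed sample: the failing "apt update" transcript quoted in the post.
SAMPLE_APT_OUTPUT = """\
0% [Working]
**** Seccomp prevented execution of syscall 0000000403 on architecture armhf ****
Reading package lists... Done
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (31)
"""


def parse_denials(output):
    """Return [(syscall_number, arch), ...] for every denial line in output."""
    return [(int(m.group("nr")), m.group("arch")) for m in DENIAL_RE.finditer(output)]


def syscall_name(nr, arch):
    """Map a syscall number to its name, or None if the table lacks it."""
    table = SYSCALL_TABLES.get(arch)
    if table is None:
        raise KeyError(f"no syscall table for architecture {arch!r}")
    return table.get(nr)


def render_allow_stanza(names, enable_seccomp=True):
    """Render an apt.conf fragment.

    APT::Sandbox::Seccomp is a scalar and its ::Allow child a list, so both can
    be set side by side; the list uses the same form as the 70seccomp file in
    the post.
    """
    lines = []
    if enable_seccomp:
        lines.append('APT::Sandbox::Seccomp "true";')
    lines.append("APT::Sandbox::Seccomp::Allow {")
    lines.extend(f'    "{name}";' for name in names)
    lines.append("};")
    return "\n".join(lines) + "\n"


def stanza_from_apt_output(output, extra_names=()):
    """Decode every denial in output and render the stanza allowing them.

    extra_names lets you add the rest of a syscall family up front (the other
    time64 calls, say) instead of iterating one apt failure at a time.  A
    number the table does not know raises ValueError rather than silently
    producing an incomplete allow list.
    """
    names = []
    for nr, arch in parse_denials(output):
        name = syscall_name(nr, arch)
        if name is None:
            raise ValueError(f"syscall {nr} on {arch} is not in the table")
        if name not in names:
            names.append(name)
    for name in extra_names:
        if name not in names:
            names.append(name)
    return render_allow_stanza(names)


if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   sudo apt update 2>&1 | python3 decode_apt_seccomp.py > 70seccomp
    sys.stdout.write(stanza_from_apt_output(sys.stdin.read()))
```

Pass the whole time64 family as `extra_names` if you would rather allow it in one go than chase the next denied number after each `apt update`; the output is the same stanza shape as the working 70seccomp file above, with the scalar enable line in front of it.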