
Re: Seccomp prevented execution of syscall 0000000403 on architecture armhf



On Sun, Feb 02, 2020 at 03:23:21PM +0100, Marc Haber wrote:
> 1 [1/4191]mh@entrada:~ $ sudo apt update
> 0% [Working]
>  **** Seccomp prevented execution of syscall 0000000403 on architecture armhf ****
> Reading package lists... Done
> E: Method http has died unexpectedly!
> E: Sub-process http returned an error code (31)
> 
> Disabling seccomp seems to solve the issue.
> 100 [2/4192]mh@entrada:~ $ cat 999seccomp 
> apt::sandbox::seccomp "false";
> [3/4193]mh@entrada:~ $ sudo mv 999seccomp /etc/apt/apt.conf.d/
> [4/4194]mh@entrada:~ $ sudo apt update
> Hit:1 http://debian-security.debian.zugschlus.de/debian-security buster/updates InRelease
> Hit:2 http://debian.debian.zugschlus.de/debian buster InRelease
> Hit:3 http://zg20150.debian.zugschlus.de/zg20150 buster-zg-stable InRelease
> Hit:4 http://zg20150.debian.zugschlus.de/zg20150 buster-zg-unstable InRelease
> Hit:5 http://security.debian.org buster/updates InRelease
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> All packages are up to date.
> [5/4195]mh@entrada:~ $ 
> 
> What do you think, is this a kernel issue or a possible bug in apt?

In #951012 we settled that it's not a kernel issue, and there was a
fix in unstable's apt. On my buster Banana Pi systems, I have added the
following:

APT::Sandbox::Seccomp::Allow {
  "clock_gettime64";
  "clock_settime64";
  "clock_adjtime64";
  "clock_getres_time64";
  "clock_nanosleep_time64";
  "timer_gettime64";
  "timer_settime64";
  "timerfd_gettime64";
  "timerfd_settime64";
  "utimensat_time64";
  "pselect6_time64";
  "ppoll_time64";
}

to /etc/apt/apt.conf.d/70seccomp, which seems to have solved the issue.

apt on buster does, however, not work with this:

APT::Sandbox {
  seccomp "true";
};


APT::Sandbox::Seccomp::Allow {
  "clock_gettime64";
  "clock_settime64";
  "clock_adjtime64";
  "clock_getres_time64";
  "clock_nanosleep_time64";
  "timer_gettime64";
  "timer_settime64";
  "timerfd_gettime64";
  "timerfd_settime64";
  "utimensat_time64";
  "pselect6_time64";
  "ppoll_time64";
}

[24/4251]mh@entrada:~ $ sudo apt update
0% [Working]E: Cannot allow clock_gettime64: Invalid argument - aptMethod::Configuration (0: Success)
Reading package lists... Done
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (100)
100 [25/4252]mh@entrada:~ $ 

I guess this might be a parser issue, right? What would be the correct
syntax to set seccomp to true on buster _and_ allow the other syscalls?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Phone: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
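As an added example (not part of Marc's message and not apt's own code), the following script decodes the "Seccomp prevented execution of syscall NNN" line apt prints into a syscall name and emits the matching APT::Sandbox::Seccomp::Allow stanza, so a single blocked syscall can be allowed instead of disabling the sandbox entirely. The number-to-name table is assumed from the unified 32-bit time64 syscall numbering (403 and up, shared by armhf); the sample log text is constructed.

```python
import re

# Time64 syscall numbers of the unified 32-bit table (Linux >= 5.1); armhf uses
# the same numbers. Table constructed for this example, covering the names on
# the page. It is only valid for 32-bit architectures.
TIME64_SYSCALLS = {
    403: "clock_gettime64",       404: "clock_settime64",
    405: "clock_adjtime64",       406: "clock_getres_time64",
    407: "clock_nanosleep_time64", 408: "timer_gettime64",
    409: "timer_settime64",       410: "timerfd_gettime64",
    411: "timerfd_settime64",     412: "utimensat_time64",
    413: "pselect6_time64",       414: "ppoll_time64",
}
ARCH_32BIT = {"armhf", "armel", "i386", "mipsel", "mips", "powerpc"}

# apt pads the number with zeros: "syscall 0000000403 on architecture armhf"
DENIAL_RE = re.compile(
    r"Seccomp prevented execution of syscall (\d+) on architecture (\w+)")

def parse_denials(text):
    """Return [(syscall_number, arch)] for every apt seccomp denial in text."""
    return [(int(num), arch) for num, arch in DENIAL_RE.findall(text)]

def syscall_name(number, arch):
    """Map a denied syscall number to its name, or None if unknown."""
    if arch not in ARCH_32BIT:
        return None  # the time64 numbers above do not apply to 64-bit arches
    return TIME64_SYSCALLS.get(number)

def allow_stanza(names):
    """Render an apt.conf stanza allowing the given syscalls in the sandbox."""
    body = "".join(f'  "{name}";\n' for name in sorted(names))
    return "APT::Sandbox::Seccomp::Allow {\n" + body + "}\n"

def triage(text):
    """Split denials into resolvable names and numbers we cannot resolve."""
    names, unknown = set(), []
    for number, arch in parse_denials(text):
        name = syscall_name(number, arch)
        (names.add(name) if name else unknown.append((number, arch)))
    return names, unknown

# Constructed sample in the format apt prints (see the quoted session above).
SAMPLE_LOG = """0% [Working]
 **** Seccomp prevented execution of syscall 0000000403 on architecture armhf ****
E: Method http has died unexpectedly!
"""

if __name__ == "__main__":
    found, unresolved = triage(SAMPLE_LOG)
    print(allow_stanza(found), "unresolved:", unresolved)
```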