Re: Seccomp prevented execution of syscall 0000000403 on architecture armhf

To: deity@lists.debian.org
Subject: Re: Seccomp prevented execution of syscall 0000000403 on architecture armhf
From: Marc Haber <mh+debian-deity@zugschlus.de>
Date: Sun, 16 Feb 2020 19:27:33 +0100
Message-id: <[🔎] 20200216182733.GM16644@torres.zugschlus.de>
In-reply-to: <[🔎] 20200216180412.GL16644@torres.zugschlus.de>
References: <[🔎] 20200202142321.GO5981@torres.zugschlus.de> <[🔎] 20200216180412.GL16644@torres.zugschlus.de>

On Sun, Feb 16, 2020 at 07:04:12PM +0100, Marc Haber wrote:
> In #951012 we settled on that it's not a kernel issue and there was a
> fix in unstable's apt. On my buster Banana Pi systems, I have added the
> following:
> 
> APT::Sandbox::Seccomp::Allow {
>   "clock_gettime64";
>   "clock_settime64";
>   "clock_adjtime64";
>   "clock_getres_time64";
>   "clock_nanosleep_time64";
>   "timer_gettime64";
>   "timer_settime64";
>   "timerfd_gettime64";
>   "timerfd_settime64";
>   "utimensat_time64";
>   "pselect6_time64";
>   "ppoll_time64";
> }
> 
> to /etc/apt/apt.conf.d/70seccomp, which seems to have solved the issue.

Giving that seccomp is disabled by default, it was actually disabling
seccomp entirely, stupid me.

> apt on buster, does, however, not work with this:
> 
> APT::Sandbox {
>   seccomp "true";
> };
> 
> 
> APT::Sandbox::Seccomp::Allow {
>   "clock_gettime64";
>   "clock_settime64";
>   "clock_adjtime64";
>   "clock_getres_time64";
>   "clock_nanosleep_time64";
>   "timer_gettime64";
>   "timer_settime64";
>   "timerfd_gettime64";
>   "timerfd_settime64";
>   "utimensat_time64";
>   "pselect6_time64";
>   "ppoll_time64";
> }
> 
> [24/4251]mh@entrada:~ $ sudo apt update
> 0% [Working]E: Cannot allow clock_gettime64: Invalid argument - aptMethod::Configuration (0: Success)
> Reading package lists... Done
> E: Method http has died unexpectedly!
> E: Sub-process http returned an error code (100)
> 100 [25/4252]mh@entrada:~ $ 

Same thing happens with
APT::Sandbox {
  seccomp "true";
  Seccomp::Allow {
    "clock_gettime64";
    "clock_settime64";
    "clock_adjtime64";
    "clock_getres_time64";
    "clock_nanosleep_time64";
    "timer_gettime64";
    "timer_settime64";
    "timerfd_gettime64";
    "timerfd_settime64";
    "utimensat_time64";
    "pselect6_time64";
    "ppoll_time64";
  }
};

and the simplified and streamlined to what is in
/usr/share/doc/apt/examples/configure-index.gz

APT::Sandbox
{
   seccomp "true"
   {
      allow "clock_gettime64";
   };
};

so we now have a docs discrepancy.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

Reply to:

References:
- Seccomp prevented execution of syscall 0000000403 on architecture armhf
  - From: Marc Haber <mh+debian-deity@zugschlus.de>
- Re: Seccomp prevented execution of syscall 0000000403 on architecture armhf
  - From: Marc Haber <mh+debian-deity@zugschlus.de>

Prev by Date: Re: Seccomp prevented execution of syscall 0000000403 on architecture armhf
Next by Date: Bug#951479: [files list file for package 'base-passwd' is missing final newline] [debian buster 10.3]
Previous by thread: Re: Seccomp prevented execution of syscall 0000000403 on architecture armhf
Next by thread: Bug#950524: apt: Please let users specify how deeply to update the dependency tree
Index(es):
- Date
- Thread