
Re: Seccomp prevented execution of syscall 0000000403 on architecture armhf



On Sun, Feb 16, 2020 at 07:04:12PM +0100, Marc Haber wrote:
> In #951012 we settled on that it's not a kernel issue and there was a
> fix in unstable's apt. On my buster Banana Pi systems, I have added the
> following:
> 
> APT::Sandbox::Seccomp::Allow {
>   "clock_gettime64";
>   "clock_settime64";
>   "clock_adjtime64";
>   "clock_getres_time64";
>   "clock_nanosleep_time64";
>   "timer_gettime64";
>   "timer_settime64";
>   "timerfd_gettime64";
>   "timerfd_settime64";
>   "utimensat_time64";
>   "pselect6_time64";
>   "ppoll_time64";
> }
> 
> to /etc/apt/apt.conf.d/70seccomp, which seems to have solved the issue.

Given that seccomp is disabled by default, it was actually disabling
seccomp entirely, stupid me.

> apt on buster, does, however, not work with this:
> 
> APT::Sandbox {
>   seccomp "true";
> };
> 
> 
> APT::Sandbox::Seccomp::Allow {
>   "clock_gettime64";
>   "clock_settime64";
>   "clock_adjtime64";
>   "clock_getres_time64";
>   "clock_nanosleep_time64";
>   "timer_gettime64";
>   "timer_settime64";
>   "timerfd_gettime64";
>   "timerfd_settime64";
>   "utimensat_time64";
>   "pselect6_time64";
>   "ppoll_time64";
> }
> 
> [24/4251]mh@entrada:~ $ sudo apt update
> 0% [Working]E: Cannot allow clock_gettime64: Invalid argument - aptMethod::Configuration (0: Success)
> Reading package lists... Done
> E: Method http has died unexpectedly!
> E: Sub-process http returned an error code (100)
> 100 [25/4252]mh@entrada:~ $ 

Same thing happens with
APT::Sandbox {
  seccomp "true";
  Seccomp::Allow {
    "clock_gettime64";
    "clock_settime64";
    "clock_adjtime64";
    "clock_getres_time64";
    "clock_nanosleep_time64";
    "timer_gettime64";
    "timer_settime64";
    "timerfd_gettime64";
    "timerfd_settime64";
    "utimensat_time64";
    "pselect6_time64";
    "ppoll_time64";
  }
};

and with the configuration simplified and streamlined to what is in
/usr/share/doc/apt/examples/configure-index.gz

APT::Sandbox
{
   seccomp "true"
   {
      allow "clock_gettime64";
   };
};

so we now have a docs discrepancy.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
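A quick way to check what such a snippet actually sets before trying it on a live host (is the sandbox enabled at all, and which names end up in the allow list): a small apt.conf parser added here as an example, not apt's own code. Its scoping rules and the FindVector-style list handling are assumptions about how apt reads its configuration, and the three sample snippets are constructed from the forms quoted above.

```python
import re
from collections import defaultdict
# Tokens of apt.conf syntax: comments (//, #, /* */), "strings", { } ; and bare tags.
_TOKEN = re.compile(r'\s+|//[^\n]*|#[^\n]*|/\*.*?\*/|"((?:[^"\\]|\\.)*)"|([{};])|([^\s{};"]+)', re.S)

def tokenize(text):
    for m in _TOKEN.finditer(text):
        s, p, w = m.groups()
        if s is not None:
            yield ("str", s)
        elif p or w:
            yield ("punct" if p else "word", p or w)

def parse_apt_conf(text):
    """Flatten apt.conf text to {lower-cased key: [values]} (apt keys are case-insensitive).
    Assumed rules, imitating apt: Tag "v"; sets Tag, Tag { ... } scopes children under
    Tag::, Tag "v" { ... } does both, and a bare "v"; inside a scope appends to Scope::."""
    conf, scope, toks, i = defaultdict(list), [], list(tokenize(text)), 0
    while i < len(toks):
        kind, val = toks[i]
        i += 1
        prefix = scope[-1] + "::" if scope else ""
        if kind == "punct":
            if val == "}" and scope:
                scope.pop()
            continue                      # a stray ';' is ignored
        if kind == "str":                 # list item: "value"; inside a scope
            conf[prefix].append(val)
            continue
        key = prefix + val.lower()
        if i < len(toks) and toks[i][0] == "str":
            conf[key] = [toks[i][1]]
            i += 1
        if i < len(toks) and toks[i] == ("punct", "{"):
            scope.append(key)
            i += 1
    return dict(conf)

def effective_seccomp(conf):
    """(sandbox enabled?, allowed names); assumed to mirror apt's FindVector: Allow:: entries win, else a scalar Allow is split on ','."""
    enabled = conf.get("apt::sandbox::seccomp", ["false"])[0].lower() == "true"
    allowed = conf.get("apt::sandbox::seccomp::allow::") or [
        s.strip() for s in conf.get("apt::sandbox::seccomp::allow", [""])[0].split(",") if s.strip()]
    return enabled, allowed

# Constructed samples mirroring the three forms in the mail (allow list shortened to two names).
ALLOW_ONLY = 'APT::Sandbox::Seccomp::Allow { "clock_gettime64"; "clock_settime64"; }'
NESTED = 'APT::Sandbox { seccomp "true"; Seccomp::Allow { "clock_gettime64"; "clock_settime64"; } };'
DOC_FORM = 'APT::Sandbox { seccomp "true" { allow "clock_gettime64"; }; };'
```

On a Debian host, `apt-config dump | grep -i sandbox` is the authoritative view of the merged configuration apt will use.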