Bug#951718: selectively enable seccomp not working as documented
Package: apt
Version: 1.8.2
Severity: normal
Hi,
/usr/share/doc/apt/examples/configure-index.gz says:
  APT::Sandbox
  {
    User "<STRING>";
    ResetEnvironment "<BOOL>";
    Verify "<BOOL>"
    {
      Groups "<BOOL>";
      IDs "<BOOL>";
      Regain "<BOOL>";
    };
    seccomp "<BOOL>"
    {
      print "<BOOL>"; // print what syscall was trapped
      allow "<LIST>";
      trap "<LIST>";
    };
  };
To selectively allow the clock_gettime64 syscall as suggested by Julian in
#951012, I made this
  APT::Sandbox
  {
    seccomp "true"
    {
      allow "clock_gettime64";
    };
  };
which results in "E: Cannot allow clock_gettime64: Invalid argument -
aptMethod::Configuration (0: Success)".
What would be the correct syntax? Can the docs be fixed please?
Greetings
Marc
-- System Information:
Debian Release: 10.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: armhf (armv7l)
Kernel: Linux 5.5.2-zgbpi-armmp-lpae (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apt depends on:
ii adduser 3.118
ii debian-archive-keyring 2019.1
ii gpgv 2.2.12-1+deb10u1
ii libapt-pkg5.0 1.8.2
ii libc6 2.28-10
ii libgcc1 1:8.3.0-6
ii libgnutls30 3.6.7-4+deb10u2
ii libseccomp2 2.3.3-4
ii libstdc++6 8.3.0-6
Versions of packages apt recommends:
ii ca-certificates 20190110
Versions of packages apt suggests:
pn apt-doc <none>
ii aptitude 0.8.11-7
pn dpkg-dev <none>
ii gnupg 2.2.12-1+deb10u1
pn powermgmt-base <none>
-- Configuration Files:
/etc/logrotate.d/apt changed [not included]
-- no debconf information