Bug#951718: selectively enable seccomp not working as documented
On Thu, Feb 20, 2020 at 05:40:51PM +0100, Marc Haber wrote:
> So, at the moment, seccomp in apt in stable is unusable with a more
> recent kernel because of this, and should be switched off on my affected
> systems?

No comments here?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
Bug#951718: selectively enable seccomp not working as documented
On Thu, Feb 20, 2020 at 05:21:31PM +0100, Julian Andres Klode wrote:
> It is the correct syntax. libseccomp2 in stable is too old to know
> the new syscalls, and there's no way to override by syscall number in
> apt. Both should be fixed IMO:
>
> - the list of syscalls the libseccomp library handles in stable
>   does not match the syscalls used in stable

I am not using a stable kernel though. Does that change things?

> - apt should allow you to override by number because that's easier.

So, at the moment, seccomp in apt in stable is unusable with a more
recent kernel because of this, and should be switched off on my affected
systems?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
Bug#951718: selectively enable seccomp not working as documented
Control: clone -1 -2
Control: reassign -2 libseccomp/2.3.3-4
Control: retitle -1 apt: allow seccomp overrides by number
Control: retitle -2 libseccomp: syscalls missing in stable

On Thu, Feb 20, 2020 at 05:00:18PM +0100, Marc Haber wrote:
> Package: apt
> Version: 1.8.2
> Severity: normal
>
> Hi,
>
> /usr/share/doc/apt/examples/configure-index.gz says:
>
> APT::Sandbox
> {
>   User "";
>   ResetEnvironment "";
>   Verify ""
>   {
>     Groups "";
>     IDs "";
>     Regain "";
>   };
>   seccomp ""
>   {
>     print ""; // print what syscall was trapped
>     allow "";
>     trap "";
>   };
> };
>
> To selectively allow the clock_gettime64 syscall as suggested by Julian in
> #951012, I made this
>
> APT::Sandbox
> {
>   seccomp "true"
>   {
>     allow "clock_gettime64";
>   };
> };
>
> which results in "E: Cannot allow clock_gettime64: Invalid argument -
> aptMethod::Configuration (0: Success)".
>
> What would be the correct syntax? Can the docs be fixed please?

It is the correct syntax. libseccomp2 in stable is too old to know
the new syscalls, and there's no way to override by syscall number in
apt. Both should be fixed IMO:

- the list of syscalls the libseccomp library handles in stable
  does not match the syscalls used in stable
- apt should allow you to override by number because that's easier.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
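The failure Marc reports and the override Julian proposes can be modelled in a few lines. The following is an added example, not apt's own code: it mimics what the error message shows (an allow entry is resolved by name through libseccomp, and an unknown name turns into EINVAL) and adds the hypothetical by-number path. The name table OLD_ARM_TABLE is a constructed stand-in for a libseccomp that predates the 64-bit time syscalls; the arm EABI numbers in it and the value 403 for clock_gettime64 are facts, the `numeric_override` flag and the function names are assumptions. If a libseccomp is installed, the optional `libseccomp_resolver` queries the real `seccomp_syscall_resolve_name()` through ctypes, which lets you check whether the library on a given box knows a name at all.

```python
"""Model of APT::Sandbox::seccomp::allow resolution and a by-number override.

Added example for illustration; this is not apt's code.
"""
import ctypes
import ctypes.util
from typing import Callable, Dict, List, Optional, Tuple

# Sentinel seccomp_syscall_resolve_name() returns for a name it does not
# know (libseccomp's __NR_SCMP_ERROR).
NR_SCMP_ERROR = -1

# Constructed stand-in for the name table of a libseccomp that predates the
# 64-bit time syscalls (the situation with buster's 2.3.3): it knows the
# old clock_gettime but not clock_gettime64.  Numbers are the arm EABI ones.
OLD_ARM_TABLE: Dict[str, int] = {"read": 3, "write": 4, "clock_gettime": 263}

# arm EABI number of clock_gettime64 (403 on the 32-bit architectures that
# gained the 64-bit time syscalls in Linux 5.1).
ARM_NR_CLOCK_GETTIME64 = 403

Resolver = Callable[[str], int]


def table_resolver(table: Dict[str, int]) -> Resolver:
    """Resolver backed by a fixed name table, behaving like an old libseccomp."""
    return lambda name: table.get(name, NR_SCMP_ERROR)


def libseccomp_resolver() -> Optional[Resolver]:
    """Resolver backed by the installed libseccomp, or None if it is absent."""
    path = ctypes.util.find_library("seccomp")
    if path is None:
        return None
    fn = ctypes.CDLL(path).seccomp_syscall_resolve_name
    fn.argtypes = [ctypes.c_char_p]
    fn.restype = ctypes.c_int
    return lambda name: fn(name.encode("ascii"))


def resolve_allow_entry(entry: str, resolve: Resolver,
                        numeric_override: bool = False) -> Tuple[Optional[int], str]:
    """Turn one 'allow' value into a syscall number.

    numeric_override=False is today's behaviour: names only, and an unknown
    name becomes the 'Cannot allow ...: Invalid argument' failure.  With
    numeric_override=True (hypothetical syntax) a non-negative decimal is
    taken as the raw syscall number and never consults the name table, so a
    library older than the kernel cannot get in the way.
    Returns (number, "") on success or (None, error message) on failure.
    """
    if numeric_override and entry.isdigit():
        return int(entry), ""
    nr = resolve(entry)
    if nr == NR_SCMP_ERROR:
        return None, f"Cannot allow {entry}: Invalid argument"
    return nr, ""


def resolve_allow_list(entries: List[str], resolve: Resolver,
                       numeric_override: bool = False) -> Tuple[List[int], str]:
    """Resolve a whole allow list, stopping at the first failure as a fatal error would."""
    numbers: List[int] = []
    for entry in entries:
        nr, err = resolve_allow_entry(entry, resolve, numeric_override)
        if nr is None:
            return numbers, err
        numbers.append(nr)
    return numbers, ""


if __name__ == "__main__":
    old = table_resolver(OLD_ARM_TABLE)
    print("old libseccomp, by name:  ",
          resolve_allow_list(["clock_gettime64"], old))
    print("old libseccomp, by number:",
          resolve_allow_list([str(ARM_NR_CLOCK_GETTIME64)], old,
                             numeric_override=True))
    live = libseccomp_resolver()
    if live is not None:
        print("installed libseccomp knows clock_gettime64:",
              live("clock_gettime64") != NR_SCMP_ERROR)
```

The design point is that the kernel's seccomp filter only ever sees syscall numbers; the name table is a convenience of libseccomp, so accepting a number in the configuration removes the dependency on the library being at least as new as the kernel. The price is that a number is architecture-specific, so such an override belongs in a per-host configuration rather than anything shipped with a package.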
Bug#951718: selectively enable seccomp not working as documented
Package: apt
Version: 1.8.2
Severity: normal

Hi,

/usr/share/doc/apt/examples/configure-index.gz says:

APT::Sandbox
{
  User "";
  ResetEnvironment "";
  Verify ""
  {
    Groups "";
    IDs "";
    Regain "";
  };
  seccomp ""
  {
    print ""; // print what syscall was trapped
    allow "";
    trap "";
  };
};

To selectively allow the clock_gettime64 syscall as suggested by Julian in
#951012, I made this

APT::Sandbox
{
  seccomp "true"
  {
    allow "clock_gettime64";
  };
};

which results in "E: Cannot allow clock_gettime64: Invalid argument -
aptMethod::Configuration (0: Success)".

What would be the correct syntax? Can the docs be fixed please?

Greetings
Marc

-- System Information:
Debian Release: 10.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: armhf (armv7l)

Kernel: Linux 5.5.2-zgbpi-armmp-lpae (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.118
ii  debian-archive-keyring  2019.1
ii  gpgv                    2.2.12-1+deb10u1
ii  libapt-pkg5.0           1.8.2
ii  libc6                   2.28-10
ii  libgcc1                 1:8.3.0-6
ii  libgnutls30             3.6.7-4+deb10u2
ii  libseccomp2             2.3.3-4
ii  libstdc++6              8.3.0-6

Versions of packages apt recommends:
ii  ca-certificates  20190110

Versions of packages apt suggests:
pn  apt-doc
ii  aptitude        0.8.11-7
pn  dpkg-dev
ii  gnupg           2.2.12-1+deb10u1
pn  powermgmt-base

-- Configuration Files:
/etc/logrotate.d/apt changed [not included]

-- no debconf information