[Bug 1969141] Re: [snap] seccomp denials for syscall=312, 314, 330 on amd64

Simon Déziel Thu, 14 Apr 2022 08:35:48 -0700

Here is the syscall number => name mapping on amd64:

312: sys_kcmp
314: sys_sched_setattr  (so also covered in LP: #1900679)
330: pkey_alloc


** Description changed:

  # Steps to reproduce
  
  1) Install Chromium's snap
  snap install chromium
  2) Monitor logs
  journalctl -o cat -f --grep chromium
  3) Start Chromium
  
  journalctl will be filled with errors due to some syscalls not permitted
  by the seccomp policy, like those:
  
  Apr 14 11:18:14 sdeziel-lemur audit[1734639]: SECCOMP auid=1000 uid=1000 
gid=1000 ses=3 subj=snap.chromium.chromium pid=1734639 comm="chrome" 
exe="/snap/chromium/1961/usr/lib/chromium-browser/chrome" sig=0 arch=c000003e 
syscall=314 compat=0 ip=0x77ccfac2276d code=0x50000
  Apr 14 11:18:14 sdeziel-lemur audit[1734751]: SECCOMP auid=1000 uid=1000 
gid=1000 ses=3 subj=snap.chromium.chromium pid=1734751 comm="chrome" 
exe="/snap/chromium/1961/usr/lib/chromium-browser/chrome" sig=0 arch=c000003e 
syscall=312 compat=0 ip=0x7a9d5be7f76d code=0x50000
  Apr 14 11:18:14 sdeziel-lemur audit[1734790]: SECCOMP auid=1000 uid=1000 
gid=1000 ses=3 subj=snap.chromium.chromium pid=1734790 comm="chrome" 
exe="/snap/chromium/1961/usr/lib/chromium-browser/chrome" sig=0 arch=c000003e 
syscall=330 compat=0 ip=0x735f8ecd303b code=0x50000
  
- 
  # Additional information
  $ uname -a
  Linux sdeziel-lemur 5.13.0-39-generic #44~20.04.1-Ubuntu SMP Thu Mar 24 
16:43:35 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  $ lsb_release -rd
  Description:  Ubuntu 20.04.4 LTS
  Release:      20.04
  $ snap list chromium
  Name      Version        Rev   Tracking       Publisher   Notes
  chromium  100.0.4896.88  1961  latest/stable  canonical✓  -
+ 
+ $ snap connections chromium
+ Interface                 Plug                                    Slot        
                     Notes
+ audio-playback            chromium:audio-playback                 
:audio-playback                  -
+ audio-record              chromium:audio-record                   
:audio-record                    -
+ bluez                     chromium:bluez                          :bluez      
                     -
+ browser-support           chromium:browser-sandbox                
:browser-support                 -
+ camera                    chromium:camera                         :camera     
                     manual
+ content[gnome-3-38-2004]  chromium:gnome-3-38-2004                
gnome-3-38-2004:gnome-3-38-2004  -
+ content[gtk-3-themes]     chromium:gtk-3-themes                   
gtk-common-themes:gtk-3-themes   -
+ content[icon-themes]      chromium:icon-themes                    
gtk-common-themes:icon-themes    -
+ content[sound-themes]     chromium:sound-themes                   
gtk-common-themes:sound-themes   -
+ cups-control              chromium:cups-control                   
:cups-control                    -
+ desktop                   chromium:desktop                        :desktop    
                     -
+ desktop-legacy            chromium:desktop-legacy                 
:desktop-legacy                  -
+ gsettings                 chromium:gsettings                      :gsettings  
                     -
+ home                      chromium:home                           :home       
                     -
+ joystick                  chromium:joystick                       :joystick   
                     -
+ mount-observe             chromium:mount-observe                  -           
                     -
+ mpris                     -                                       
chromium:mpris                   -
+ network                   chromium:network                        :network    
                     -
+ network-bind              chromium:network-bind                   
:network-bind                    -
+ network-manager           chromium:network-manager                -           
                     -
+ opengl                    chromium:opengl                         :opengl     
                     -
+ password-manager-service  chromium:password-manager-service       -           
                     -
+ personal-files            chromium:chromium-config                
:personal-files                  -
+ pulseaudio                chromium:pulseaudio                     -           
                     -
+ raw-usb                   chromium:raw-usb                        -           
                     -
+ removable-media           chromium:removable-media                
:removable-media                 -
+ screen-inhibit-control    chromium:screen-inhibit-control         
:screen-inhibit-control          -
+ system-files              chromium:etc-chromium-browser-policies  
:system-files                    -
+ system-packages-doc       chromium:system-packages-doc            
:system-packages-doc             -
+ u2f-devices               chromium:u2f-devices                    
:u2f-devices                     -
+ unity7                    chromium:unity7                         :unity7     
                     -
+ upower-observe            chromium:upower-observe                 
:upower-observe                  -
+ wayland                   chromium:wayland                        :wayland    
                     -
+ x11                       chromium:x11                            :x11        
                     -

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1969141

Title:
  [snap] seccomp denials for syscall=312,314,330 on amd64

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1969141/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1969141] Re: [snap] seccomp denials for syscall=312, 314, 330 on amd64

Reply via email to