[Bug 1732030] Re: 'apt update' dies with seccomp error

I've been hit by this problem as well, but for the pread64 syscall. It's working for me now after playing with my apt conf, getting the bug fix and then reverting my apt conf, but thought it was worth mentioning anyway. I'm on a system with nfs/autofs home directories and nis for logins, which I

Re: [Bug 1732030] Re: 'apt update' dies with seccomp error

Tanks On Tue, Apr 17, 2018 at 4:16 PM, Simon Déziel <1732...@bugs.launchpad.net> wrote: > It's already mentioned in the NEWS file but for those who would like to > test the seccomp sanbox, all that's needed is: > > APT::Sandbox::Seccomp "true"; > > Thanks Julian > > -- > You received this bug

[Bug 1732030] Re: 'apt update' dies with seccomp error

It's already mentioned in the NEWS file but for those who would like to test the seccomp sanbox, all that's needed is: APT::Sandbox::Seccomp "true"; Thanks Julian -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1732030] Re: 'apt update' dies with seccomp error

This bug was fixed in the package apt - 1.6~rc1 --- apt (1.6~rc1) unstable; urgency=medium [ Julian Andres Klode ] * Experimental support for zstd (LP: #1763839) * Fix debian/NEWS entry for 1.6~beta1 * Use https for Ubuntu changelogs * Bump cache major version to allow

[Bug 1732030] Re: 'apt update' dies with seccomp error

Or generally allow network and the getdents stuff, and just block more esoteric syscalls for now. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies with seccomp error

[Bug 1732030] Re: 'apt update' dies with seccomp error

No - it's the "store" method that's failing (e.g. recompressing/decompressing files). I disallowed socket and friends for that, so that's failing. I mean, it's a decompress/compress method, it should not have network access. -- You received this bug notification because you are a member of

[Bug 1732030] Re: 'apt update' dies with seccomp error

I wonder if we should turn the sandbox off by default for bionic. Not sure. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies with seccomp error To manage

[Bug 1732030] Re: 'apt update' dies with seccomp error

Something seems broken on your config, all those basic things should be allowed IMHO (and they are, or I'd hit them as well). You could iterate on this with [1] which for this would let you also add "connect". But I doubt that will eventually resolve your issue. The question is why does it break

[Bug 1732030] Re: 'apt update' dies with seccomp error

Ok, tried again.. It still not working. Error is 42 though: marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' | sudo tee /etc/apt/apt.conf.d/99seccomp [sudo] password for marcos: apt::sandbox::seccomp::allow { "socket" }; marcos@marcos:~$ sudo apt update Get:1

[Bug 1732030] Re: 'apt update' dies with seccomp error

:-) Oh I see the line break added by LP in my example lead Jimmy the wrong way. Obviously for the config to work it needs to be there :-) @Jimmy - Please retry, and check the file content with e.g. cat after the echo. -- You received this bug notification because you are a member of Ubuntu

[Bug 1732030] Re: 'apt update' dies with seccomp error

Well, no filename was specified for "tee" -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies with seccomp error To manage notifications about this bug go to:

Re: [Bug 1732030] Re: 'apt update' dies with seccomp error

On Wed, Apr 4, 2018 at 10:12 AM, Jimmy Olsen wrote: > It`still giving me same error: > > marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' | sudo > tee > [sudo] password for marcos: > apt::sandbox::seccomp::allow { "socket" }; > marcos@marcos:~$ sudo apt

[Bug 1732030] Re: 'apt update' dies with seccomp error

It`still giving me same error: marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' | sudo tee [sudo] password for marcos: apt::sandbox::seccomp::allow { "socket" }; marcos@marcos:~$ sudo apt update Get:1 http://br.archive.ubuntu.com/ubuntu bionic InRelease [235 kB] Hit:2

Re: [Bug 1732030] Re: 'apt update' dies with seccomp error

On Wed, Apr 4, 2018 at 8:29 AM, Jimmy Olsen wrote: > Hi Christian. I tried to run this command but it didnt work: > > marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' > > /etc/apt/apt.conf.d/99seccomp > bash: /etc/apt/apt.conf.d/99seccomp: Permission denied

[Bug 1732030] Re: 'apt update' dies with seccomp error

Hi Christian. I tried to run this command but it didnt work: marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' > /etc/apt/apt.conf.d/99seccomp bash: /etc/apt/apt.conf.d/99seccomp: Permission denied marcos@marcos:~$ sudo marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow {

[Bug 1732030] Re: 'apt update' dies with seccomp error

Hmm, 0041 should be sys_socket With the error present (in your case ppa enabled), could you add this and retry: echo 'apt::sandbox::seccomp::allow { "socket" };' > /etc/apt/apt.conf.d/99seccomp If it works with that it really was the socket call, and Julian can consider adding it.

[Bug 1732030] Re: 'apt update' dies with seccomp error

Just tried to add another PPA (from another program), same error going on. and I get it fixed when PPA is removed... -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies

[Bug 1732030] Re: 'apt update' dies with seccomp error

Hi Chistian. I tried to add the PPA and it shows me that error: marcos@marcos:~$ sudo add-apt-repository ppa:otto-kesselgulasch/gimp -y && sudo apt-get update [sudo] password for marcos: gpg: keybox '/tmp/tmp935_1y_p/pubring.gpg' created gpg: key 3BDAAC08614C4B38: 1 signature not checked due to

[Bug 1732030] Re: 'apt update' dies with seccomp error

The actual seccomp fail is important. Eventually it is a sandbox and we want to add exceptions after we know it has a valid use case. As the above libvirt nss case which we added. Trying the ppa you mentioned I can run just fine - so something is special in your setup. Please the exact details

[Bug 1732030] Re: 'apt update' dies with seccomp error

Idk if I did has something to do with the bug itself. I noticed this bug happened just after when I added PPA as seen from https://www.omgubuntu.co.uk/2018/03/gimp-2-10-release-candidate-released and ran "sudo apt update && sudo apt upgrade" commands. Once it was removed,no error was shown

[Bug 1732030] Re: 'apt update' dies with seccomp error

I've just tried it and I does not face the error anymore. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies with seccomp error To manage notifications about this bug

[Bug 1732030] Re: 'apt update' dies with seccomp error

I've just tried it and I do not face the error anymore. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies with seccomp error To manage notifications about this bug go

[Bug 1732030] Re: 'apt update' dies with seccomp error

This bug was fixed in the package libvirt - 4.0.0-1ubuntu1 --- libvirt (4.0.0-1ubuntu1) bionic; urgency=medium * Merged with Debian unstable (4.0) This closes several bugs: - Error generating apparmor profile when hostname contains spaces (LP: #77) - qemu 2.10

[Bug 1732030] Re: 'apt update' dies with seccomp error

Wow, store method opens a socket. I wonder what for. This is frustrating. Workaround for that would probably be apt::sandbox::seccomp::allow { "socket" }; + some more socket operations. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to

[Bug 1732030] Re: 'apt update' dies with seccomp error

Sorry I don't have the old log. But it's also happening now: turip@turip-xps-ws:~$ sudo -i root@turip-xps-ws:~# apt-get update Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease Ign:2 http://dl.google.com/linux/chrome/deb stable InRelease Get:3

[Bug 1732030] Re: 'apt update' dies with seccomp error

@Turi with the same number 78? That's important :) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies with seccomp error To manage notifications about this bug

[Bug 1732030] Re: 'apt update' dies with seccomp error

I ran into the same problem when updating from a fully patched artfull to bioninc using the following apt sources: deb http://archive.ubuntu.com/ubuntu/ bionic main restricted deb-src http://archive.ubuntu.com/ubuntu/ bionic universe main restricted multiverse deb

[Bug 1732030] Re: 'apt update' dies with seccomp error

OK, so I think we let this sit for a few more weeks and see what else we get. So far we have 4 people affected by this. Does not happen for me, BTW, and yes, I use the mirror method (from -proposed, the old one does not work and the new one is much better :D). Now, as to documentation: There is

[Bug 1732030] Re: 'apt update' dies with seccomp error

Note: my source.lust had no trailing / so for me it was $ sed -i 's/http:\/\/archive.ubuntu.com\/ubuntu/mirror:\/\/mirrors.ubuntu.com\/mirrors.txt/g' /etc/apt/sources.list to trigger the issue Note (2): Also this feature is still undocumented since all the time :-/. -- You received this bug

[Bug 1732030] Re: 'apt update' dies with seccomp error

Interesting, thanks Mathias for the update. @Julian - I think this means you have to tackle that from apt itself then? (or at least find out via which path it triggers the issue now). How far are you in regard to comment #9 number 3 atm - can you take it into apt itself already? -- You

[Bug 1732030] Re: 'apt update' dies with seccomp error

Had the same issue, but wihtout libnss-libvirt installed. Switching to the mirror method also triggers the error. # sed -i 's/http:\/\/archive.ubuntu.com\/ubuntu\//mirror:\/\/mirrors.ubuntu.com\/mirrors.txt/g' /etc/apt/sources.list # apt update 0% [Working] Seccomp prevented execution of

[Bug 1732030] Re: 'apt update' dies with seccomp error

** Tags added: libvirt-18.04 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies with seccomp error To manage notifications about this bug go to:

[Bug 1732030] Re: 'apt update' dies with seccomp error

@Tamas - your stack trace might help to identify another source of such issues, let us know. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies with seccomp error To

[Bug 1732030] Re: 'apt update' dies with seccomp error

Ok, so I will add this on the next libvirt merge to be safe on bionic. ** Changed in: libvirt (Ubuntu) Status: Confirmed => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030

[Bug 1732030] Re: 'apt update' dies with seccomp error

1. This is appending. You could also write it apt::sandbox::seccomp::allow:: "getdents" but the list notation is documented. 2. Right. Others might have other issues, mostly depending on their NSS modules. I don't think we'll fix all of them. But I don't think there are many users with

[Bug 1732030] Re: 'apt update' dies with seccomp error

Hi Julian, I have broken down the testcase into reproducible steps: Testcase - TL;DR get running guest with IP and enable libvirt nss: $ apt install libnss-libvirt libvirt-dameon-system $ apt update $ uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64

[Bug 1732030] Re: 'apt update' dies with seccomp error

It would be nice if libvirt-nss could ship an /etc/apt/apt.conf.d /libvirt-nss.conf, or a numbered file like the others, that allows getdents. I don't think I want to turn it on in general because not being able to list a directory is kind of useful. ** Also affects: libvirt (Ubuntu)

[Bug 1732030] Re: 'apt update' dies with seccomp error

I hit this today in a Bionic container trying to use "apt-get download". Found this bug and based on this trying to provide the debug data that was requested back then. So I gathered the crash file with JulianK's hint and then used Tamas workaround to get all apport tools as needed. #

[Bug 1732030] Re: 'apt update' dies with seccomp error

Note: adding getdents as suggested was enough, there were no further seccomp hits triggered later on. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies with seccomp

[Bug 1732030] Re: 'apt update' dies with seccomp error

Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apt (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt

[Bug 1732030] Re: 'apt update' dies with seccomp error

Hi, thanks for your bug report. It seems that something is trying to read a directory. Could you perhaps run with apt::sandbox::seccomp::print set to false and gather a stack trace and attach that here? (or let apport do its magic and report it separately?). This would help figuring out what

[Bug 1732030] Re: 'apt update' dies with seccomp error

Workaround: echo 'apt::sandbox::seccomp "false";' > /etc/apt/apt.conf.d/999seccomp -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1732030 Title: 'apt update' dies with seccomp error To manage