Looks like libapparmor 5.0 beta introduced use of the new Linux 6.8 LSM
stacking syscalls, but pipewire-pulse's systemd seccomp filter hasn't
been updated to allow them.

1. A snap client connects to pipewire-pulse
2. snap-policy.c calls aa_getcon()
3. aa_getcon() calls the new aa_get_self_attr@@APPARMOR_5.0
4. aa_get_self_attr uses pthread_once to lazily initialize the init routine
   calls:

       lsm_get_self_attr(LSM_ATTR_CURRENT=100, ctx, &size, flags=1)
       = syscall(459, 100, ctx_ptr, size_ptr, 1)

4. This is syscall 459 (__NR_lsm_get_self_attr), a Linux 6.8 addition.
5. pipewire-pulse.service has SystemCallFilter=@system-service
6. The @system-service group does not include syscall 459/460/461 (the new
   LSM stacking syscalls added in 6.8)
7. Seccomp kills the process with SIGSYS right at the syscall instruction,
   before any error-handling code in libapparmor can run

There's some error handling to catch ENOSYS/EOPNOTSUPP for graceful
fallback, but a SIGSYS kill signal never gets there :(

Installing

    [Service]
    SystemCallFilter=lsm_get_self_attr lsm_set_self_attr lsm_list_modules

to /etc/systemd/user/pipewire-pulse.service.d/lsm-syscalls.conf and then
running

    systemctl --user daemon-reload && systemctl --user restart pipewire-pulse

seems to work around the issue for now.

** Also affects: systemd (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/2142428
Title:
pipewire-pulse.service crashes with signal=SYS on Ubuntu 26.04
(Resolute) – No audio, “Not connected to PulseAudio server”
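
The failure mode described in the comment above, reproduced in isolation as an added example (not code from the bug report, libapparmor or pipewire): a child process puts a seccomp filter on syscall 459 and then makes the call, once with a kill action and once with an errno action. install_filter() and probe() are names made up for this sketch, and the four-instruction filter is only a stand-in for the unit's SystemCallFilter policy.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define NR_LSM_GET_SELF_ATTR 459 /* syscall number quoted in the report */

/* Hypothetical helper: apply `action` to syscall 459, allow everything else.
 * A production filter would also check seccomp_data.arch first. */
static int install_filter(unsigned int action)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_LSM_GET_SELF_ATTR, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Hypothetical helper: make the call from step 4 in a filtered child.
 * Returns -signal if the child was killed, else the errno it saw (0 = success). */
int probe(unsigned int action)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter(action) != 0)
            _exit(255);
        long r = syscall(NR_LSM_GET_SELF_ATTR, 100, NULL, NULL, 1);
        _exit(r == -1 ? errno : 0); /* reached only if the filter did not kill us */
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid)
        return 255;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int main(void)
{
    printf("kill: %d  ENOSYS: %d\n", probe(SECCOMP_RET_KILL_PROCESS), probe(SECCOMP_RET_ERRNO | ENOSYS));
    return 0;
}
```

With the kill action the child never reaches the line after syscall(), which is where an ENOSYS/EOPNOTSUPP fallback would have to run; with the errno action it does.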