Public bug reported:
I have just upgraded to the development version of Ubuntu 26.04. Shortly after
login (and perhaps after trying to play audio in firefox?), pipewire-pulse
fails in the user session with:
pipewire-pulse.service: Main process exited, code=dumped, status=31/SYS
Expected result:
pipewire-pulse should start and remain running on boot. When restarted, it
should not subsequently crash upon
Actual result:
pipewire-pulse is killed with SIGSYS (seccomp violation) on startup, and when
restarted.
Evidence:
- systemd user log:
pipewire-pulse.service: Main process exited, code=dumped, status=31/SYS
- kernel audit log at the same timestamps:
type=1326 ... comm="pipewire-pulse" exe="/usr/bin/pipewire" sig=31
syscall=459 ...
- syscall 459 on x86_64 is lsm_get_self_attr
- apport StacktraceTop shows:
syscall()
... libapparmor.so.1
aa_get_self_attr()
This seems to indicate to me that pipewire-pulse is calling AppArmor LSM
query APIs, but seccomp in the unit blocks the syscall.
Installed versions:
- pipewire-pulse 1.5.84-1ubuntu2
- pipewire-bin 1.5.84-1ubuntu2
- systemd 259-1ubuntu3
- kernel 6.19.0-6-generic
Apparent cause:
`/usr/lib/systemd/user/pipewire-pulse.service` uses
`SystemCallFilter=@system-service`, and on my system the
allowlist does not include:
lsm_get_self_attr
lsm_set_self_attr
lsm_list_modules
Workaround:
A temporary override which avoids the crash is to insert into
`~/.config/systemd/user/pipewire-pulse.service.d/10-allow-lsm.conf` the content:
[Service]
SystemCallFilter=
SystemCallFilter=@system-service lsm_get_self_attr lsm_set_self_attr
lsm_list_modules
And do:
systemctl --user daemon-reload
systemctl --user restart pipewire-pulse.service
** Affects: pipewire (Ubuntu)
Importance: Undecided
Status: New
** Summary changed:
- pipewire-pulse is killed by seccomp (SIGSYS) on lsm_get_self_attr (syscall
459)
+ pipewire-pulse is killed by seccomp (SIGSYS) on lsm_get_self_attr
** Description changed:
- I have just upgraded to the development version of Ubuntu 26.04. Immediately
shortly after login (and perhaps after trying to play audio in firefox?),
pipewire-pulse fails in the user session with:
- pipewire-pulse.service: Main process exited, code=dumped, status=31/SYS
+ I have just upgraded to the development version of Ubuntu 26.04. Shortly
after login (and perhaps after trying to play audio in firefox?),
pipewire-pulse fails in the user session with:
+ pipewire-pulse.service: Main process exited, code=dumped, status=31/SYS
Expected result:
pipewire-pulse should start and remain running on boot. When restarted, it
should not subsequently crash upon
Actual result:
pipewire-pulse is killed with SIGSYS (seccomp violation) on startup, and when
restarted.
Evidence:
- systemd user log:
- pipewire-pulse.service: Main process exited, code=dumped, status=31/SYS
+ pipewire-pulse.service: Main process exited, code=dumped, status=31/SYS
- kernel audit log at the same timestamps:
- type=1326 ... comm="pipewire-pulse" exe="/usr/bin/pipewire" sig=31
syscall=459 ...
+ type=1326 ... comm="pipewire-pulse" exe="/usr/bin/pipewire" sig=31
syscall=459 ...
- syscall 459 on x86_64 is lsm_get_self_attr
- apport StacktraceTop shows:
- syscall()
- ... libapparmor.so.1
- aa_get_self_attr()
+ syscall()
+ ... libapparmor.so.1
+ aa_get_self_attr()
This seems to indicate to me that pipewire-pulse is calling AppArmor LSM
query APIs, but seccomp in the unit blocks the syscall.
Installed versions:
- pipewire-pulse 1.5.84-1ubuntu2
- pipewire-bin 1.5.84-1ubuntu2
- systemd 259-1ubuntu3
- kernel 6.19.0-6-generic
Apparent cause:
`/usr/lib/systemd/user/pipewire-pulse.service` uses
`SystemCallFilter=@system-service`, and on my system the
allowlist does not include:
- lsm_get_self_attr
- lsm_set_self_attr
- lsm_list_modules
+ lsm_get_self_attr
+ lsm_set_self_attr
+ lsm_list_modules
Workaround:
A temporary override which avoids the crash is to insert into
`~/.config/systemd/user/pipewire-pulse.service.d/10-allow-lsm.conf` the content:
- [Service]
- SystemCallFilter=
- SystemCallFilter=@system-service lsm_get_self_attr lsm_set_self_attr
lsm_list_modules
+ [Service]
+ SystemCallFilter=
+ SystemCallFilter=@system-service lsm_get_self_attr lsm_set_self_attr
lsm_list_modules
And do:
- systemctl --user daemon-reload
- systemctl --user restart pipewire-pulse.service
+ systemctl --user daemon-reload
+ systemctl --user restart pipewire-pulse.service
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2143308
Title:
pipewire-pulse is killed by seccomp (SIGSYS) on lsm_get_self_attr
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/2143308/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
