Bug#951718: selectively enable seccomp not working as documented

2020-02-23 Thread Marc Haber
On Thu, Feb 20, 2020 at 05:40:51PM +0100, Marc Haber wrote:
> So, at the moment, seccomp in apt in stable is unusable with a more
> recent kernel because of this, and should be switched off on my affected
> systems?

No comments here?

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Phone: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#951718: selectively enable seccomp not working as documented

2020-02-20 Thread Marc Haber
On Thu, Feb 20, 2020 at 05:21:31PM +0100, Julian Andres Klode wrote:
> It is the correct syntax. libseccomp2 in stable is too old to know
> the new syscalls, and there's no way to override by syscall number in
> apt. Both should be fixed IMO:
> 
> - the list of syscalls the libseccomp library handles in stable 
>   does not match the syscalls used in stable

I am not using a stable kernel though. Does that change things?

> - apt should allow you to override by number because that's easier.

So, at the moment, seccomp in apt in stable is unusable with a more
recent kernel because of this, and should be switched off on my affected
systems?

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Phone: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#951718: selectively enable seccomp not working as documented

2020-02-20 Thread Julian Andres Klode
Control: clone -1 -2
Control: reassign -2 libseccomp/2.3.3-4
Control: retitle -1 apt: allow seccomp overrides by number
Control: retitle -2 libseccomp: syscalls missing in stable

On Thu, Feb 20, 2020 at 05:00:18PM +0100, Marc Haber wrote:
> Package: apt
> Version: 1.8.2
> Severity: normal
> 
> Hi,
> 
> /usr/share/doc/apt/examples/configure-index.gz says:
> 
> APT::Sandbox
> {
>    User "";
>    ResetEnvironment "";
>    Verify ""
>    {
>       Groups "";
>       IDs "";
>       Regain "";
>    };
>    seccomp ""
>    {
>       print ""; // print what syscall was trapped
>       allow "";
>       trap "";
>    };
> };
> 
> To selectively allow the clock_gettime64 syscall as suggested by Julian in
> #951012, I made this
> 
> APT::Sandbox
> {
>    seccomp "true"
>    {
>       allow "clock_gettime64";
>    };
> };
> 
> which results in "E: Cannot allow clock_gettime64: Invalid argument -
> aptMethod::Configuration (0: Success)".
> 
> What would be the correct syntax? Can the docs be fixed please?

It is the correct syntax. libseccomp2 in stable is too old to know
the new syscalls, and there's no way to override by syscall number in
apt. Both should be fixed IMO:

- the list of syscalls the libseccomp library handles in stable 
  does not match the syscalls used in stable
- apt should allow you to override by number because that's easier.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer  i speak de, en
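
A check for the situation described in the reply above, added here as an example (it is not part of the thread and not apt's code): it asks the installed libseccomp, through its seccomp_syscall_resolve_name function, whether it knows each syscall name before that name goes into an allow entry. The regex-based allow_entries parser, the function names and the old_library_stub table are assumptions made for illustration.

```python
import ctypes
import ctypes.util
import re

NR_SCMP_ERROR = -1  # libseccomp's __NR_SCMP_ERROR: name is not in its table


def libseccomp_resolver():
    """Return a name -> number resolver backed by the installed libseccomp,
    or None when the library cannot be found."""
    path = ctypes.util.find_library("seccomp")
    if path is None:
        return None
    fn = ctypes.CDLL(path).seccomp_syscall_resolve_name
    fn.argtypes = [ctypes.c_char_p]
    fn.restype = ctypes.c_int
    return lambda name: fn(name.encode("ascii"))


def allow_entries(conf_text):
    """Extract the values of allow "..."; lines (simplified, not apt's parser)."""
    return re.findall(r'^\s*allow\s+"([^"]+)"\s*;', conf_text, re.MULTILINE)


def check_names(names, resolve):
    """Split names into those the resolver knows and those it rejects."""
    known, unknown = {}, []
    for name in names:
        nr = resolve(name)
        if nr == NR_SCMP_ERROR:
            unknown.append(name)   # apt cannot build a rule for this name
        else:
            known[name] = nr
    return known, unknown


# The configuration from the bug report.
REPORT_CONF = 'APT::Sandbox\n{\n   seccomp "true"\n   {\n' \
              '      allow "clock_gettime64";\n   };\n};\n'


def old_library_stub(name):
    """Constructed stand-in for a libseccomp that predates clock_gettime64."""
    return {"clock_gettime": 263}.get(name, NR_SCMP_ERROR)


if __name__ == "__main__":
    resolve = libseccomp_resolver() or old_library_stub
    known, unknown = check_names(allow_entries(REPORT_CONF), resolve)
    print("resolvable:", known)
    print("not known to this libseccomp:", unknown)
```

Names reported as not known are the ones that would need either a newer libseccomp or an override by number, the two fixes proposed in the reply.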



Bug#951718: selectively enable seccomp not working as documented

2020-02-20 Thread Marc Haber
Package: apt
Version: 1.8.2
Severity: normal

Hi,

/usr/share/doc/apt/examples/configure-index.gz says:

APT::Sandbox
{
   User "";
   ResetEnvironment "";
   Verify ""
   {
      Groups "";
      IDs "";
      Regain "";
   };
   seccomp ""
   {
      print ""; // print what syscall was trapped
      allow "";
      trap "";
   };
};

To selectively allow the clock_gettime64 syscall as suggested by Julian in
#951012, I made this

APT::Sandbox
{
   seccomp "true"
   {
      allow "clock_gettime64";
   };
};

which results in "E: Cannot allow clock_gettime64: Invalid argument -
aptMethod::Configuration (0: Success)".

What would be the correct syntax? Can the docs be fixed please?

Greetings
Marc


-- System Information:
Debian Release: 10.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: armhf (armv7l)

Kernel: Linux 5.5.2-zgbpi-armmp-lpae (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.118
ii  debian-archive-keyring  2019.1
ii  gpgv                    2.2.12-1+deb10u1
ii  libapt-pkg5.0           1.8.2
ii  libc6                   2.28-10
ii  libgcc1                 1:8.3.0-6
ii  libgnutls30             3.6.7-4+deb10u2
ii  libseccomp2             2.3.3-4
ii  libstdc++6              8.3.0-6

Versions of packages apt recommends:
ii  ca-certificates  20190110

Versions of packages apt suggests:
pn  apt-doc
ii  aptitude        0.8.11-7
pn  dpkg-dev
ii  gnupg           2.2.12-1+deb10u1
pn  powermgmt-base

-- Configuration Files:
/etc/logrotate.d/apt changed [not included]

-- no debconf information