Public bug reported:

# Steps to reproduce:

$ lxc launch images:ubuntu/focal fa1
$ lxc shell fa1
root@fa1:~# echo 'APT::Sandbox::Seccomp "true";' > /etc/apt/apt.conf.d/01apt-seccomp
root@fa1:~# rm /var/lib/apt/lists/*Release # makes sure we fetch stuff from the network
root@fa1:~# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [255 kB]
Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Get:4 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [976 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [8,623 kB]
30% [4 Packages store 0 B] [5 Packages 100 kB/8,623 kB 1%]
**** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
Reading package lists... Done
E: Method store has died unexpectedly!
E: Sub-process store returned an error code (31)

This was tested in a container as well as inside a VM, same issue. This used to work with Bionic.

# Workaround

Fortunately, apt supports manual whitelisting of syscalls. A workaround is to allow 3 more syscalls.
root@fa1:~# echo 'APT::Sandbox::Seccomp::Allow "connect,sendto,socket";' >> /etc/apt/apt.conf.d/01apt-seccomp

# Additional information

root@fa1:~# lsb_release -rd
Description:    Ubuntu Focal Fossa (development branch)
Release:        20.04
root@fa1:~# uname -a
Linux fa1 5.3.0-40-generic #32~18.04.1-Ubuntu SMP Mon Feb 3 14:05:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@fa1:~# apt-cache policy apt libc-bin
apt:
  Installed: 1.9.10
  Candidate: 1.9.10
  Version table:
 *** 1.9.10 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
libc-bin:
  Installed: 2.31-0ubuntu5
  Candidate: 2.31-0ubuntu5
  Version table:
 *** 2.31-0ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

# Steps to reproduce:

$ lxc launch images:ubuntu/focal fa1
$ lxc shell fa1
root@fa1:~# echo 'APT::Sandbox::Seccomp "true";' > /etc/apt/apt.conf.d/01apt-seccomp
root@fa1:~# rm /var/lib/apt/lists/*Release # makes sure we fetch stuff from the network
root@fa1:~# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [255 kB]
Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Get:4 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [976 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [8,623 kB]
30% [4 Packages store 0 B] [5 Packages 100 kB/8,623 kB 1%]
- **** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
- Reading package lists... Done
+ **** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
+ Reading package lists... Done
E: Method store has died unexpectedly!
E: Sub-process store returned an error code (31)

This was tested in a container as well as inside a VM, same issue. This used to work with Bionic.
-
# Workaround

Fortunately, apt supports manual whitelisting of syscalls. A workaround
- is to allow the socket and connect syscalls as simply allowing socket
- fails with:
+ is to allow 3 more syscalls.

- **** Seccomp prevented execution of syscall 0000000042 on architecture
- amd64 ****
-
- root@fa1:~# echo 'APT::Sandbox::Seccomp::Allow "socket,connect";' >>
- /etc/apt/apt.conf.d/01apt-seccomp
-
+ root@fa1:~# echo 'APT::Sandbox::Seccomp::Allow "connect,sendto,socket";'
+ >> /etc/apt/apt.conf.d/01apt-seccomp

# Additional information

root@fa1:~# lsb_release -rd
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
root@fa1:~# uname -a
Linux fa1 5.3.0-40-generic #32~18.04.1-Ubuntu SMP Mon Feb 3 14:05:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@fa1:~# apt-cache policy apt libc-bin
apt:
- Installed: 1.9.10
- Candidate: 1.9.10
- Version table:
- *** 1.9.10 500
- 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
- 100 /var/lib/dpkg/status
+ Installed: 1.9.10
+ Candidate: 1.9.10
+ Version table:
+ *** 1.9.10 500
+ 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
+ 100 /var/lib/dpkg/status
libc-bin:
- Installed: 2.31-0ubuntu5
- Candidate: 2.31-0ubuntu5
- Version table:
- *** 2.31-0ubuntu5 500
- 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
- 100 /var/lib/dpkg/status
+ Installed: 2.31-0ubuntu5
+ Candidate: 2.31-0ubuntu5
+ Version table:
+ *** 2.31-0ubuntu5 500
+ 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
+ 100 /var/lib/dpkg/status

** Summary changed:

- APT::Sandbox::Seccomp prevents socket syscall on Focal
+ APT::Sandbox::Seccomp prevents connect,sendto,socket syscalls on Focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1867488

Title:
  APT::Sandbox::Seccomp prevents connect,sendto,socket syscalls on Focal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1867488/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
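The workaround in the report was found by iteration: apt's seccomp filter stops the method at the first rejected call, so allowing only socket (41) then surfaced connect (42), and the final list also needed sendto. The following script, an added example that is not part of the bug report or of apt itself, automates that bookkeeping from a defender's side: it parses the "Seccomp prevented execution of syscall N on architecture A" lines apt prints, maps the numbers to names using the x86_64 syscall table (41 socket, 42 connect, 44 sendto, and neighbours), and renders the exact APT::Sandbox::Seccomp::Allow line, so the allow-list contains only what the observed denials demand and nothing broader. The function names, the restriction to the amd64 table and the sample output lines are assumptions of this example; the sample is constructed to mimic three consecutive failed runs.

```python
import re
from typing import Dict, Iterable, Set

# Denial line as printed by apt's seccomp sandbox, e.g.
#   **** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
DENIAL_RE = re.compile(
    r"Seccomp prevented execution of syscall (?P<nr>\d+) on architecture (?P<arch>\S+)"
)

# Subset of the x86_64 syscall table (kernel's syscall_64.tbl). Assumption of this
# example: only amd64 is covered; other architectures use different numbers.
SYSCALL_NAMES: Dict[str, Dict[int, str]] = {
    "amd64": {
        41: "socket",
        42: "connect",
        43: "accept",
        44: "sendto",
        45: "recvfrom",
        46: "sendmsg",
        47: "recvmsg",
    },
}


def parse_denials(lines: Iterable[str]) -> Set[str]:
    """Return the set of syscall names apt's seccomp filter rejected.

    Lines without a denial message are ignored. An architecture or number
    missing from the table raises instead of silently yielding a wrong
    allow-list, because the number-to-name mapping is per architecture.
    """
    names: Set[str] = set()
    for line in lines:
        m = DENIAL_RE.search(line)
        if not m:
            continue
        arch = m.group("arch")
        nr = int(m.group("nr"))  # the leading zeros are just padding
        table = SYSCALL_NAMES.get(arch)
        if table is None:
            raise ValueError(f"no syscall table for architecture {arch!r}")
        if nr not in table:
            raise ValueError(f"syscall {nr} on {arch} not in table; consult syscall_64.tbl")
        names.add(table[nr])
    return names


def allow_line(names: Set[str]) -> str:
    """Render the apt.conf fragment whitelisting exactly these syscalls (sorted)."""
    return 'APT::Sandbox::Seccomp::Allow "%s";' % ",".join(sorted(names))


# Constructed sample output: the 41 line is what the report shows; the 42 line
# matches its earlier attempt; the 44 line is constructed for sendto, which the
# final workaround also allows. One denial per failed run, as seen when iterating.
SAMPLE_OUTPUT = [
    "30% [4 Packages store 0 B] [5 Packages 100 kB/8,623 kB 1%]",
    "**** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****",
    "E: Method store has died unexpectedly!",
    "**** Seccomp prevented execution of syscall 0000000042 on architecture amd64 ****",
    "**** Seccomp prevented execution of syscall 0000000044 on architecture amd64 ****",
]

if __name__ == "__main__":
    denied = parse_denials(SAMPLE_OUTPUT)
    print(allow_line(denied))
    # → APT::Sandbox::Seccomp::Allow "connect,sendto,socket";
```

Feed it the captured stderr of each failing apt-get update run (for example `apt-get update 2>&1 | python3 seccomp_allow.py` with a stdin reader added); the rendered line is what goes into /etc/apt/apt.conf.d/01apt-seccomp. Keeping the generated list to the observed denials matters because every extra entry widens the sandbox that apt's fetch and store methods run in.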