'apt update' dies with seccomp error
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apt (Ubuntu) | Fix Released | Undecided | Unassigned | |
| libvirt (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
$ apt-get update
0% [Working]
**** Seccomp prevented execution of syscall 0000000078 on architecture amd64 ****
Reading package lists... Done
E: Method mirror has died unexpectedly!
E: Sub-process mirror returned an error code (31)
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apt 1.6~alpha5
ProcVersionSign
Uname: Linux 4.13.0-16-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.7-0ubuntu4
Architecture: amd64
Date: Mon Nov 13 23:10:57 2017
ProcEnviron:
LANGUAGE=en_US:en
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/zsh
SourcePackage: apt
UpgradeStatus: Upgraded to bionic on 2017-05-20 (177 days ago)
Tamas Papp (tomposmiko) wrote : | #1 |
- Dependencies.txt (2.1 KiB, text/plain; charset="utf-8")
- JournalErrors.txt (108.7 KiB, text/plain; charset="utf-8")
- ProcCpuinfoMinimal.txt (1.0 KiB, text/plain; charset="utf-8")
Tamas Papp (tomposmiko) wrote : | #2 |
Julian Andres Klode (juliank) wrote : | #3 |
Hi,
thanks for your bug report. It seems that something is trying to read a directory. Could you perhaps run with apt::sandbox:
In the meantime, feel free to add
apt::
to your apt.conf and try again (you can use scmp_sys_resolver to resolve any other numbers to names and add them). Compared to just disabling it, that would keep that sandboxing feature active :)
Launchpad Janitor (janitor) wrote : | #4 |
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in apt (Ubuntu): status: New → Confirmed
Christian Ehrhardt (paelzer) wrote : | #5 |
I hit this today in a Bionic container trying to use "apt-get download".
Found this bug and based on this trying to provide the debug data that was requested back then.
So I gathered the crash file with JulianK's hint and then used Tamas workaround to get all apport tools as needed.
# apport-retrace --rebuild-
dpkg-source: info: extracting apt in apt-1.6~alpha5
dpkg-source: info: unpacking apt_1.6~
W: Download is performed unsandboxed as root as file 'apt_1.
--- stack trace ---
#0 0x00007faff80f04eb in __getdents (fd=3, buf=0x561fff2a96d0 "\035g\233", <incomplete sequence \305>, nbytes=32768) at ../sysdeps/
resultvar = 78
retval = <optimized out>
#1 0x00007faff80f00b5 in __readdir (dirp=0x561fff2
maxread = <optimized out>
bytes = <optimized out>
reclen = <optimized out>
dp = <optimized out>
saved_errno = 0
#2 0x00007faff55e826e in ?? () from /lib/x86_
No symbol table info available.
#3 0x00007faff55cebdf in ?? () from /lib/x86_
No symbol table info available.
#4 0x00007faff55cf657 in _nss_libvirt_
No symbol table info available.
#5 0x00007faff81155df in gaih_inet (name=name@
fct4 = 0x7faff55cf5f0 <_nss_libvirt_
pat = 0x7fffa2434118
nip = 0x561fff2a93d0
status = <optimized out>
no_more = 0
no_data = 0
res_ctx = 0x561fff295a00
tp = <optimized out>
st = 0x7fffa2434040
at = 0x7fffa2434000
got_ipv6 = false
canon = 0x0
orig_name = 0x561fff26cba0 "archive.
alloca_used = <optimized out>
port = <optimized out>
malloc_name = false
addrmem = 0x0
canonbuf = 0x0
result = 0
#6 0x00007faff81175c7 in __GI_getaddrinfo (name=<optimized out>, service=<optimized out>, hints=0x7fffa24
tmpbuf = {data = 0x7fffa24343a0, length = 1024, __space = "\377\002", '\000' <repeats 13 times>, "\003\240CC\
Christian Ehrhardt (paelzer) wrote : | #6 |
Note: adding getdents as suggested was enough, there were no further seccomp hits triggered later on.
Julian Andres Klode (juliank) wrote : | #7 |
It would be nice if libvirt-nss could ship an /etc/apt/
Christian Ehrhardt (paelzer) wrote : | #8 |
Hi Julian,
I have broken down the testcase into reproducible steps:
Testcase - TL;DR get running guest with IP and enable libvirt nss:
$ apt install libnss-libvirt libvirt-
$ apt update
$ uvt-simplestrea
$ uvt-kvm create --password=ubuntu testguest release=artful arch=amd64 label=daily
$ vim /etc/nsswitch.conf
# add libvirt to the hosts line
$ apt download hello
So would the following be good then?
$ cat /etc/apt/
apt::sandbox:
I wonder about a few things:
1. is there a format that does not "set" but append this to ensure if one placed other seccomp allows that they do not interfere?
2. I'm not sure everybody is hitting that through libnss-libvirt so I might only fix one of many incarnations of this.
3. this is only for newer apt needs this right - so only >=bionic ok?
Changed in libvirt (Ubuntu): status: New → Confirmed
Julian Andres Klode (juliank) wrote : | #9 |
1. This is appending. You could also write it apt::sandbox:
2. Right. Others might have other issues, mostly depending on their NSS modules. I don't think we'll fix all of them. But I don't think there are many users with non-standard NSS modules, so this maybe affects what, 1 to 5% of the users?
3. Exactly
We can eventually also enable getdents in apt itself, once the methods do not need write access to partial/ anymore (because the main process then opens the file and sends it via a socket). I only disabled it for now so one method cannot find files used by other methods (except for guessing).
Christian Ehrhardt (paelzer) wrote : | #10 |
Ok, so I will add this on the next libvirt merge to be safe on bionic.
Changed in libvirt (Ubuntu): status: Confirmed → Triaged
Christian Ehrhardt (paelzer) wrote : | #11 |
@Tamas - your stack trace might help to identify another source of such issues, let us know.
tags: added: libvirt-18.04
Mathias Hermansson (herman-s) wrote : | #12 |
Had the same issue, but without libnss-libvirt installed. Switching to the mirror method also triggers the error.
# sed -i 's/http:
# apt update
0% [Working]
**** Seccomp prevented execution of syscall 0000000078 on architecture amd64 ****
Reading package lists... Done
E: Method mirror has died unexpectedly!
E: Sub-process mirror returned an error code (31)
Christian Ehrhardt (paelzer) wrote : | #13 |
Interesting, thanks Mathias for the update.
@Julian - I think this means you have to tackle that from apt itself then? (or at least find out via which path it triggers the issue now).
How far are you in regard to comment #9 number 3 atm - can you take it into apt itself already?
Christian Ehrhardt (paelzer) wrote : | #14 |
Note: my sources.list had no trailing / so for me it was
$ sed -i 's/http:
to trigger the issue
Note (2): Also this feature is still undocumented since all the time :-/.
Julian Andres Klode (juliank) wrote : | #15 |
OK, so I think we let this sit for a few more weeks and see what else we get. So far we have 4 people affected by this. Does not happen for me, BTW, and yes, I use the mirror method (from -proposed, the old one does not work and the new one is much better :D).
Now, as to documentation: There is not really supposed to be any. There's a NEWS entry for it telling you how to enable more syscalls for debugging, and it's listed in configure-index. But it's not something people should really configure in normal use.
Turi Peter (peter.turi) wrote : | #16 |
I ran into the same problem when updating from a fully patched artful to bionic using the following apt sources:
deb http://
deb-src http://
deb http://
deb-src http://
deb http://
deb http://
deb http://
deb http://
deb http://
deb http://
deb http://
deb-src http://
deb http://
deb-src http://
deb http://
deb-src http://
deb http://
deb http://
(Originally it was same with artful).
I have a lot of other ppa sources lists, but the strange thing is that after dist-upgrade, the issue persists however after reboot the system works as usual when removing the seccomp fix proposed in #2.
Julian Andres Klode (juliank) wrote : | #17 |
@Turi with the same number 0000000078? That's important :)
Turi Peter (peter.turi) wrote : | #18 |
Sorry I don't have the old log.
But it's also happening now:
turip@turip-
root@turip-
Hit:1 http://
Ign:2 http://
Get:3 http://
Ign:4 http://
Get:5 http://
Err:6 http://
404 Not Found
Get:7 http://
Hit:8 http://
Hit:9 https:/
Get:10 http://
0% [10 Sources store 0 B] [5 InRelease gpgv 65.4 kB] [Waiting for headers] [Con
**** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
Reading package lists... Done
E: The repository 'http://
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: Skipping acquire of configured file 'non-free/
W: Skipping acquire of configured file 'non-free/
W: Skipping acquire of configured file 'non-free/
W: Skipping acquire of configured file 'non-free/
W: Skipping acquire of configured file 'non-free/
W: Skipping acquire of configured file 'non-free/
W: Skipping acquire of configured file 'non-free/
W: Skipping acquire of configured file 'non-free/
Julian Andres Klode (juliank) wrote : | #19 |
Wow, store method opens a socket. I wonder what for. This is frustrating. Workaround for that would probably be
apt::
+ some more socket operations.
Launchpad Janitor (janitor) wrote : | #20 |
This bug was fixed in the package libvirt - 4.0.0-1ubuntu1
---------------
libvirt (4.0.0-1ubuntu1) bionic; urgency=medium
* Merged with Debian unstable (4.0)
This closes several bugs:
- Error generating apparmor profile when hostname contains spaces
(LP: #799997)
- qemu 2.10 locks files, libvirt shared now sets share-rw=on (LP: #1716028)
- libvirt usb passthrough throws apparmor denials related to
/
- AppArmor denies access to /sys/block/
- iohelper improvements to let bypass-cache work without opening up the
apparmor isolation (LP: #1719579)
- nodeinfo on s390x to contain more CPU info (LP: #1733688)
- Upgrade libvirt >= 4.0 (LP: #1745934)
* Remaining changes:
- Disable libssh2 support (universe dependency)
- Disable firewalld support (universe dependency)
- Disable selinux
- Set qemu-group to kvm (for compat with older ubuntu)
- Additional apport package-hook
- Modifications to adapt for our delayed switch away from libvirt-bin (can
be dropped >18.04).
+ d/p/ubuntu/
to old service name so that old references work
+ d/p/ubuntu/
to old service name so that old references work
+ d/control: transitional package with the old name and maintainer
scripts to handle the transition
- Backwards compatible handling of group rename (can be dropped >18.04).
- config details and autostart of default bridged network. Creating that is
now the default in general, yet our solution provides the following on
top as of today:
+ autostart the default network by default
+ do not autostart if subnet is already taken (e.g. in guests).
- d/p/ubuntu/
the group based access to libvirt functions as it was used in Ubuntu
for quite long.
+ d/p/ubuntu/
due to the group access change.
- ubuntu/
- d/p/ubuntu/
which provided a separate kvm-spice.
- d/p/ubuntu/
section that adapts the path of the emulator to the Debian/Ubuntu
packaging is kept.
- d/p/ubuntu/
set VRAM to minimum requirements
- d/p/ubuntu/
- Add libxl log directory
- libvirt-uri.sh: Automatically switch default libvirt URI for users on
Xen dom0 via user profile (was missing on changelogs before)
- d/p/ubuntu/
included_
- Update README.Debian with Ubuntu changes
- Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
- Enable some additional features on ppc...
Changed in libvirt (Ubuntu): status: Triaged → Fix Released
Tamas Papp (tomposmiko) wrote : | #21 |
I've just tried it and I do not face the error anymore.
Tamas Papp (tomposmiko) wrote : | #22 |
I've just tried it and I do not face the error anymore.
Jimmy Olsen (mavask71-p) wrote : | #23 |
I don't know if what I did has something to do with the bug itself. I noticed this bug happened just after I added a PPA as seen from https:/
Christian Ehrhardt (paelzer) wrote : | #24 |
The actual seccomp fail is important.
Eventually it is a sandbox and we want to add exceptions after we know it has a valid use case.
As the above libvirt nss case which we added.
Trying the ppa you mentioned I can run just fine - so something is special in your setup.
Please the exact details are important to Julian - see comment #17 - if it is the same you could also try the suggested workaround via config in comment #19.
Jimmy Olsen (mavask71-p) wrote : | #25 |
- system info from my computer as of 3rd April 2018 (113.0 KiB, text/html)
Hi Christian. I tried to add the PPA and it shows me that error:
marcos@marcos:~$ sudo add-apt-repository ppa:otto-
[sudo] password for marcos:
gpg: keybox '/tmp/tmp935_
gpg: key 3BDAAC08614C4B38: 1 signature not checked due to a missing key
gpg: /tmp/tmp935_
gpg: key 3BDAAC08614C4B38: public key "Launchpad otto06217" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
OK
Hit:1 http://
Hit:2 http://
Hit:3 http://
Hit:4 http://
Hit:5 http://
Hit:6 http://
Hit:7 http://
Get:8 http://
Hit:9 http://
Get:10 http://
83% [10 Packages store 0 B] [Connecting to ppa.launchpad.net (91.189.95.83)]
**** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
Reading package lists... Done
E: Method store has died unexpectedly!
E: Sub-process store returned an error code (31)
marcos@marcos:~$
As said before, once the PPA is removed, it goes back to normal.
Assuming it could be something from my computer settings, I am sending the attached system info about it. Hope it helps get the bug fixed.
Jimmy Olsen (mavask71-p) wrote : | #26 |
Just tried to add another PPA (from another program), same error going on. and I get it fixed when PPA is removed...
Christian Ehrhardt (paelzer) wrote : | #27 |
Hmm,
0041 should be sys_socket
With the error present (in your case ppa enabled), could you add this and retry:
echo 'apt::sandbox:
If it works with that it really was the socket call, and Julian can consider adding it.
https:/
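One way to turn the sandbox message into the allow-list entries that Julian (#3, via scmp_sys_resolver) and Christian (#27, 0041 = socket) describe, as an added example in Python that is not code from the thread or from apt: it resolves the number with scmp_sys_resolver when that tool is installed and otherwise with a small constructed table of the numbers seen in this thread, and it assumes the key name APT::Sandbox::Seccomp::Allow, which the thread's truncated config lines do not show.

```python
"""Resolve the syscall numbers apt's seccomp sandbox reports (comments #3
and #27) and emit apt.conf lines that allow exactly those syscalls."""
import re
import shutil
import subprocess

# Constructed extract of the x86_64 syscall table, limited to numbers this
# thread mentions; scmp_sys_resolver (libseccomp) is preferred when present.
X86_64_SYSCALLS = {
    17: "pread64",
    41: "socket",
    42: "connect",
    78: "getdents",
}

# Assumed config key (the thread's own config lines are truncated); the
# trailing "::" form appends to the list instead of replacing it (comment #9).
ALLOW_KEY = "APT::Sandbox::Seccomp::Allow::"

SECCOMP_MSG = re.compile(
    r"Seccomp prevented execution of syscall (\d+) on architecture (\w+)")

# Constructed sample output: the getdents and socket failures from the thread.
SAMPLE_APT_OUTPUT = """\
0% [Working]
**** Seccomp prevented execution of syscall 0000000078 on architecture amd64 ****
E: Method mirror has died unexpectedly!
**** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
**** Seccomp prevented execution of syscall 0000000078 on architecture amd64 ****
E: Method store has died unexpectedly!
"""


def resolve(number, arch="amd64"):
    """Return the syscall name for a number on an architecture, or None."""
    tool = shutil.which("scmp_sys_resolver")
    if tool:
        scmp_arch = "x86_64" if arch == "amd64" else arch
        run = subprocess.run([tool, "-a", scmp_arch, str(number)],
                             capture_output=True, text=True)
        name = run.stdout.strip()
        if run.returncode == 0 and re.fullmatch(r"[a-z0-9_]+", name):
            return name
    return X86_64_SYSCALLS.get(number) if arch == "amd64" else None


def denied_syscalls(apt_output):
    """(number, arch) pairs from the sandbox messages, in order, deduplicated."""
    seen = []
    for m in SECCOMP_MSG.finditer(apt_output):
        pair = (int(m.group(1)), m.group(2))
        if pair not in seen:
            seen.append(pair)
    return seen


def allow_lines(apt_output):
    """apt.conf lines allowing each reported syscall; unknown numbers raise."""
    lines = []
    for number, arch in denied_syscalls(apt_output):
        name = resolve(number, arch)
        if name is None:
            raise ValueError(f"cannot resolve syscall {number} on {arch}")
        lines.append(f'{ALLOW_KEY} "{name}";')
    return lines
```

Write the returned lines to a file under /etc/apt/apt.conf.d/ (root-owned, as comment #29 notes) and re-run apt update; each new sandbox message then names the next syscall to add, so the list stays minimal rather than disabling the sandbox outright.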
Jimmy Olsen (mavask71-p) wrote : | #28 |
Hi Christian. I tried to run this command but it didn't work:
marcos@marcos:~$ echo 'apt::sandbox:
bash: /etc/apt/
marcos@marcos:~$ sudo marcos@marcos:~$ echo 'apt::sandbox:
bash: /etc/apt/
marcos@marcos:~$ bash: /etc/apt/apt.c
Christian Ehrhardt (paelzer) wrote : Re: [Bug 1732030] Re: 'apt update' dies with seccomp error | #29 |
On Wed, Apr 4, 2018 at 8:29 AM, Jimmy Olsen <email address hidden> wrote:
> Hi Christian. I tried to run this command but it didnt work:
>
> marcos@marcos:~$ echo 'apt::sandbox:
> /etc/apt/
> bash: /etc/apt/
>
The path this gets placed in is only writable by root.
So you either need to "sudo su" before you do the above.
Or you can use sudo to write with permissions through tee, like:
$ echo 'apt::sandbox:
/etc/apt/
Jimmy Olsen (mavask71-p) wrote : | #30 |
It's still giving me the same error:
marcos@marcos:~$ echo 'apt::sandbox:
[sudo] password for marcos:
apt::sandbox:
marcos@marcos:~$ sudo apt update
Get:1 http://
Hit:2 http://
Hit:3 http://
Hit:4 http://
Hit:5 http://
Hit:6 http://
Hit:7 http://
Hit:8 http://
Get:9 http://
0% [9 Packages store 0 B] [5 InRelease gpgv 65,5 kB] [Waiting for headers]
**** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
Christian Ehrhardt (paelzer) wrote : | #31 |
On Wed, Apr 4, 2018 at 10:12 AM, Jimmy Olsen <email address hidden> wrote:
> It`still giving me same error:
>
> marcos@marcos:~$ echo 'apt::sandbox:
> tee
> [sudo] password for marcos:
> apt::sandbox:
> marcos@marcos:~$ sudo apt update
>
[...]
> **** Seccomp prevented execution of syscall 0000000041 on architecture
> amd64 ****
>
Hmm, maybe my override isn't perfect - yet since I can't reproduce to
improve it I have to wait for Julian to take a look at this.
Julian Andres Klode (juliank) wrote : | #32 |
Well, no filename was specified for "tee"
Christian Ehrhardt (paelzer) wrote : | #33 |
:-)
Oh I see the line break added by LP in my example lead Jimmy the wrong way.
Obviously for the config to work it needs to be there :-)
@Jimmy - Please retry, and check the file content with e.g. cat after the echo.
Jimmy Olsen (mavask71-p) wrote : | #34 |
OK, tried again. It's still not working. Error is 42 though:
marcos@marcos:~$ echo 'apt::sandbox:
[sudo] password for marcos:
apt::sandbox:
marcos@marcos:~$ sudo apt update
Get:1 http://
Hit:2 http://
Hit:3 http://
Hit:4 http://
Hit:5 http://
Hit:6 http://
Hit:7 http://
Hit:8 http://
Get:9 http://
0% [9 Packages store 0 B] [4 InRelease gpgv 65,4 kB] [Waiting for headers]
**** Seccomp prevented execution of syscall 0000000042 on architecture amd64 ****
Reading package lists... Done
E: Method store has died unexpectedly!
E: Sub-process store returned an error code (31)
marcos@marcos:~$
Christian Ehrhardt (paelzer) wrote : | #35 |
Something seems broken on your config, all those basic things should be allowed IMHO (and they are, or I'd hit them as well).
You could iterate on this with [1] which for this would let you also add "connect".
But I doubt that will eventually resolve your issue.
The question is why does it break on you at all while it is working for others in general.
If you iterate adding more and more excuses you might come back with the list that you needed.
But I'm pretty sure connect and socket would have been allowed already if everything would be right.
Julian Andres Klode (juliank) wrote : | #36 |
No - it's the "store" method that's failing (e.g. recompressing/
Julian Andres Klode (juliank) wrote : | #37 |
I wonder if we should turn the sandbox off by default for bionic. Not sure.
Julian Andres Klode (juliank) wrote : | #38 |
Or generally allow network and the getdents stuff, and just block more esoteric syscalls for now.
Launchpad Janitor (janitor) wrote : | #39 |
This bug was fixed in the package apt - 1.6~rc1
---------------
apt (1.6~rc1) unstable; urgency=medium
[ Julian Andres Klode ]
* Experimental support for zstd (LP: #1763839)
* Fix debian/NEWS entry for 1.6~beta1
* Use https for Ubuntu changelogs
* Bump cache major version to allow different 1.5 and 1.6 updates
* CI: Switch testing to use ubuntu:bionic for 1.6.y
* Turn off seccomp sandboxing by default (LP: #1732030) (Closes: #890489)
* Allow restart_syscall() syscall in seccomp sandboxes (Closes: #891644)
* Delete /etc/dpkg/
* test: export GCOV_ERROR_
* apt-private: Collect not found packages in CacheSetHelperA
* Introduce experimental new hooks for command-line tools (LP: #1763839)
[ David Kalnischkies ]
* remove duplicate changelog lines from 1.6~beta1 entry
* fix communication typo in https manpage
* set our two libapt libraries to prio:optional
* document Acquire:
[ jean-pierre giraud ]
* French man pages translation (Closes: #895117)
-- Julian Andres Klode <email address hidden> Sun, 15 Apr 2018 21:41:44 +0200
Changed in apt (Ubuntu): status: Confirmed → Fix Released
Simon Déziel (sdeziel) wrote : | #40 |
It's already mentioned in the NEWS file but for those who would like to test the seccomp sandbox, all that's needed is:
APT::
Thanks Julian
Balan Cosmin Tudorel (resedintabalan) wrote : | #41 |
Thanks
On Tue, Apr 17, 2018 at 4:16 PM, Simon Déziel <email address hidden> wrote:
> It's already mentioned in the NEWS file but for those who would like to
> test the seccomp sandbox, all that's needed is:
>
> APT::Sandbox:
>
> Thanks Julian
>
> --
> You received this bug notification because you are subscribed to a
> duplicate bug report (1756652).
> https:/
Roger Light (roger.light) wrote : | #42 |
I've been hit by this problem as well, but for the pread64 syscall. It's working for me now after playing with my apt conf, getting the bug fix and then reverting my apt conf, but thought it was worth mentioning anyway.
I'm on a system with nfs/autofs home directories and nis for logins, which I bet is the contributing factor.
Workaround:
echo 'apt::sandbox::seccomp "false";' > /etc/apt/apt.conf.d/999seccomp