'apt update' dies with seccomp error

Bug #1732030 reported by Tamas Papp on 2017-11-13
This bug affects 6 people
Affects            Status        Importance  Assigned to  Milestone
apt (Ubuntu)       Fix Released  Undecided   Unassigned
libvirt (Ubuntu)   Fix Released  Undecided   Unassigned

Bug Description

$ apt-get update
0% [Working]
 **** Seccomp prevented execution of syscall 0000000078 on architecture amd64 ****
Reading package lists... Done
E: Method mirror has died unexpectedly!
E: Sub-process mirror returned an error code (31)

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apt 1.6~alpha5
ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
Uname: Linux 4.13.0-16-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.20.7-0ubuntu4
Architecture: amd64
Date: Mon Nov 13 23:10:57 2017
ProcEnviron:
 LANGUAGE=en_US:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/zsh
SourcePackage: apt
UpgradeStatus: Upgraded to bionic on 2017-05-20 (177 days ago)

Tamas Papp (tomposmiko) wrote :

Workaround:

echo 'apt::sandbox::seccomp "false";' > /etc/apt/apt.conf.d/999seccomp

Julian Andres Klode (juliank) wrote :

Hi,

thanks for your bug report. It seems that something is trying to read a directory. Could you perhaps run with apt::sandbox::seccomp::print set to false and gather a stack trace and attach that here? (or let apport do its magic and report it separately?). This would help figuring out what needs that.

In the meantime, feel free to add
  apt::sandbox::seccomp::allow { "getdents" };

to your apt.conf and try again (you can use scmp_sys_resolver to resolve any other numbers to names and add them). Compared to just disabling it, that would keep that sandboxing feature active :)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed

I hit this today in a Bionic container trying to use "apt-get download".
Found this bug and based on this trying to provide the debug data that was requested back then.

So I gathered the crash file with JulianK's hint and then used Tamas' workaround to get all apport tools as needed.

# apport-retrace --rebuild-package-info --stdout /var/crash/_usr_lib_apt_methods_http.0.crash
dpkg-source: info: extracting apt in apt-1.6~alpha5
dpkg-source: info: unpacking apt_1.6~alpha5.tar.xz
W: Download is performed unsandboxed as root as file 'apt_1.6~alpha5.dsc' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
--- stack trace ---
#0 0x00007faff80f04eb in __getdents (fd=3, buf=0x561fff2a96d0 "\035g\233", <incomplete sequence \305>, nbytes=32768) at ../sysdeps/unix/sysv/linux/getdents.c:96
        resultvar = 78
        retval = <optimized out>
#1 0x00007faff80f00b5 in __readdir (dirp=0x561fff2a96a0) at ../sysdeps/posix/readdir.c:65
        maxread = <optimized out>
        bytes = <optimized out>
        reclen = <optimized out>
        dp = <optimized out>
        saved_errno = 0
#2 0x00007faff55e826e in ?? () from /lib/x86_64-linux-gnu/libnss_libvirt.so.2
No symbol table info available.
#3 0x00007faff55cebdf in ?? () from /lib/x86_64-linux-gnu/libnss_libvirt.so.2
No symbol table info available.
#4 0x00007faff55cf657 in _nss_libvirt_gethostbyname4_r () from /lib/x86_64-linux-gnu/libnss_libvirt.so.2
No symbol table info available.
#5 0x00007faff81155df in gaih_inet (name=name@entry=0x561fff26cba0 "archive.ubuntu.com", service=<optimized out>, req=req@entry=0x7fffa2434860, pai=pai@entry=0x7fffa2434328, naddrs=naddrs@entry=0x7fffa2434324, tmpbuf=tmpbuf@entry=0x7fffa2434390) at ../sysdeps/posix/getaddrinfo.c:790
        fct4 = 0x7faff55cf5f0 <_nss_libvirt_gethostbyname4_r>
        pat = 0x7fffa2434118
        no_inet6_data = <optimized out>
        nip = 0x561fff2a93d0
        status = <optimized out>
        no_more = 0
        no_data = 0
        inet6_status = NSS_STATUS_UNAVAIL
        res_ctx = 0x561fff295a00
        res_enable_inet6 = false
        tp = <optimized out>
        st = 0x7fffa2434040
        at = 0x7fffa2434000
        got_ipv6 = false
        canon = 0x0
        orig_name = 0x561fff26cba0 "archive.ubuntu.com"
        alloca_used = <optimized out>
        port = <optimized out>
        malloc_name = false
        addrmem = 0x0
        canonbuf = 0x0
        result = 0
#6 0x00007faff81175c7 in __GI_getaddrinfo (name=<optimized out>, service=<optimized out>, hints=0x7fffa2434860, pai=0x561ffdb8b370) at ../sysdeps/posix/getaddrinfo.c:2304
        tmpbuf = {data = 0x7fffa24343a0, length = 1024, __space = "\377\002", '\000' <repeats 13 times>, "\003\240CC\242\377\177\000\000\000\000\000\000\000\000\000\000ff02::3\000ip6-allhosts", '\000' <repeats 28 times>, "able hosts\n\000\257\177\000\000\030\000\000\000\000\000\000\000\000<\360\251\300\071s\362\230|?\370\257\177\000\000\000\000\000\000\000\000\000\000\260\346(\377\037V\000\000\000\350(\377\037V\000\000\220m)\377\037V\000\000ps)\377\037V\000\000\000\000\000\000\000\000\000\000\376\263\n\370\257\177\000\000\240b+\377\037V\000\000\006\000\000\000\000\000\00...


Note: adding getdents as suggested was enough, there were no further seccomp hits triggered later on.

Julian Andres Klode (juliank) wrote :

It would be nice if libvirt-nss could ship an /etc/apt/apt.conf.d/libvirt-nss.conf, or a numbered file like the others, that allows getdents. I don't think I want to turn it on in general because not being able to list a directory is kind of useful.

Hi Julian,
I have broken down the testcase into reproducible steps:

Testcase - TL;DR get running guest with IP and enable libvirt nss:
$ apt install libnss-libvirt libvirt-daemon-system
$ apt update
$ uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=artful
$ uvt-kvm create --password=ubuntu testguest release=artful arch=amd64 label=daily
$ vim /etc/nsswitch.conf
# add libvirt to the hosts line
$ apt download hello

So would the following be good then?
$ cat /etc/apt/apt.conf.d/90libnss-libvirt
apt::sandbox::seccomp::allow { "getdents" };

I wonder about a few things:
1. is there a format that does not "set" but append this to ensure if one placed other seccomp allows that they do not interfere?
2. I'm not sure everybody is hitting that through libnss-libvirt so I might only fix one of many incarnations of this.
3. only newer apt needs this, right - so only >=bionic ok?

Changed in libvirt (Ubuntu):
status: New → Confirmed
Julian Andres Klode (juliank) wrote :

1. This is appending. You could also write it apt::sandbox::seccomp::allow:: "getdents" but the list notation is documented.

2. Right. Others might have other issues, mostly depending on their NSS modules. I don't think we'll fix all of them. But I don't think there are many users with non-standard NSS modules, so this maybe affects what, 1 to 5% of the users?

3. Exactly

We can eventually also enable getdents in apt itself, once the methods do not need write access to partial/ anymore (because the main process then opens the file and sends it via a socket). I only disabled it for now so one method cannot find files used by other methods (except for guessing).
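
One way to do what Julian describes above (resolve the number apt prints with scmp_sys_resolver and allow just that syscall, written in the list form that appends to other conf.d fragments), as an added example that is not part of the bug report or of apt: a small POSIX shell script that reads captured apt output, collects the distinct denied syscalls and prints the apt::sandbox::seccomp::allow statement, plus a check for conf.d files that disable the sandbox outright. The helper names and the --demo flag are mine. It uses scmp_sys_resolver when libseccomp's tools are installed; the fallback table is an assumption that only pairs the x86_64 numbers seen in this thread (78 getdents, 41 socket, 42 connect, 17 pread64). The sample apt output in the demo is constructed, not a real log.

```shell
#!/bin/sh
# Added example, not code from the bug report or from apt/libvirt: turn apt's
#   **** Seccomp prevented execution of syscall 0000000078 on architecture amd64 ****
# lines into a targeted apt::sandbox::seccomp::allow fragment, so the sandbox
# stays on instead of being switched off with apt::sandbox::seccomp "false".

# Map the architecture name apt prints to the one libseccomp's resolver expects.
scmp_arch() {
    case "$1" in
        amd64) echo x86_64 ;;
        i386)  echo x86 ;;
        arm64) echo aarch64 ;;
        armhf) echo arm ;;
        *)     echo "$1" ;;
    esac
}

# Resolve one decimal syscall number to its name for the given libseccomp arch.
# Uses scmp_sys_resolver when present; otherwise an assumed x86_64-only table
# holding the numbers that appear in this bug.
resolve_syscall() {
    arch="$1"
    num="$2"
    if command -v scmp_sys_resolver >/dev/null 2>&1; then
        scmp_sys_resolver -a "$arch" "$num"
        return
    fi
    case "$arch:$num" in
        x86_64:78) echo getdents ;;
        x86_64:41) echo socket ;;
        x86_64:42) echo connect ;;
        x86_64:17) echo pread64 ;;
        *)         echo "UNKNOWN_${num}" ;;   # keep it visible rather than guessing
    esac
}

# Read captured apt output from the file named in $1, collect the distinct
# (arch, syscall) pairs the sandbox denied and print one apt.conf list
# statement. The list form appends to allow entries from other conf.d files.
seccomp_allow_fragment() {
    names=$(
        awk '/Seccomp prevented execution of syscall/ {
                 for (i = 1; i <= NF; i++) {
                     if ($i == "syscall")      num  = $(i + 1)
                     if ($i == "architecture") arch = $(i + 1)
                 }
                 sub(/^0+/, "", num); if (num == "") num = "0"
                 print arch, num
             }' "$1" | sort -u |
        while read -r arch num; do
            resolve_syscall "$(scmp_arch "$arch")" "$num"
        done
    )
    [ -n "$names" ] || return 1     # nothing was denied: no fragment needed
    printf 'apt::sandbox::seccomp::allow {'
    for n in $names; do
        printf ' "%s";' "$n"
    done
    printf ' };\n'
}

# Audit an apt.conf.d directory for fragments that disable the sandbox outright
# (the blanket workaround from this bug); prints the offending file names.
find_sandbox_disabled() {
    grep -l -i -E 'apt::sandbox::seccomp[[:space:]]+"false"' "$1"/* 2>/dev/null || true
}

# Stand-alone demo on constructed input: two distinct denials, one repeated.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
0% [Working]
 **** Seccomp prevented execution of syscall 0000000078 on architecture amd64 ****
 **** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
 **** Seccomp prevented execution of syscall 0000000078 on architecture amd64 ****
E: Method mirror has died unexpectedly!
EOF
    seccomp_allow_fragment "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh apt-seccomp-allow.sh --demo`, or feed it a real capture (`apt-get update 2>&1 | tee /tmp/apt.log`). Write the printed statement to a file under /etc/apt/apt.conf.d/ with `sudo tee` (the directory is root-owned) and confirm the effective configuration with `apt-config dump | grep -i seccomp`. On apt 1.6~rc1 and later the sandbox is off by default, so `APT::Sandbox::Seccomp "true";` has to be set before the allow list has any effect.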

Ok, so I will add this on the next libvirt merge to be safe on bionic.

Changed in libvirt (Ubuntu):
status: Confirmed → Triaged

@Tamas - your stack trace might help to identify another source of such issues, let us know.

tags: added: libvirt-18.04
Mathias Hermansson (herman-s) wrote :

Had the same issue, but without libnss-libvirt installed. Switching to the mirror method also triggers the error.

# sed -i 's/http:\/\/archive.ubuntu.com\/ubuntu\//mirror:\/\/mirrors.ubuntu.com\/mirrors.txt/g' /etc/apt/sources.list
# apt update
0% [Working]
 **** Seccomp prevented execution of syscall 0000000078 on architecture amd64 ****
Reading package lists... Done
E: Method mirror has died unexpectedly!
E: Sub-process mirror returned an error code (31)

Interesting, thanks Mathias for the update.

@Julian - I think this means you have to tackle that from apt itself then? (or at least find out via which path it triggers the issue now).
How far are you in regard to comment #9 number 3 atm - can you take it into apt itself already?

Note: my sources.list had no trailing / so for me it was
$ sed -i 's/http:\/\/archive.ubuntu.com\/ubuntu/mirror:\/\/mirrors.ubuntu.com\/mirrors.txt/g' /etc/apt/sources.list
to trigger the issue

Note (2): Also this feature is still undocumented since all the time :-/.

Julian Andres Klode (juliank) wrote :

OK, so I think we let this sit for a few more weeks and see what else we get. So far we have 4 people affected by this. Does not happen for me, BTW, and yes, I use the mirror method (from -proposed, the old one does not work and the new one is much better :D).

Now, as to documentation: There is not really supposed to be any. There's a NEWS entry for it telling you how to enable more syscalls for debugging, and it's listed in configure-index. But it's not something people should really configure in normal use.

Turi Peter (peter.turi) wrote :

I ran into the same problem when updating from a fully patched artful to bionic using the following apt sources:

deb http://archive.ubuntu.com/ubuntu/ bionic main restricted
deb-src http://archive.ubuntu.com/ubuntu/ bionic universe main restricted multiverse

deb http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates universe main restricted multiverse

deb http://archive.ubuntu.com/ubuntu/ bionic universe
deb http://archive.ubuntu.com/ubuntu/ bionic-updates universe

deb http://archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://archive.ubuntu.com/ubuntu/ bionic-updates multiverse

deb http://archive.ubuntu.com/ubuntu/ bionic non-free
deb http://archive.ubuntu.com/ubuntu/ bionic-updates non-free

deb http://archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse

deb http://archive.canonical.com/ubuntu bionic partner
deb-src http://archive.canonical.com/ubuntu bionic partner

deb http://security.ubuntu.com/ubuntu bionic-security main restricted non-free
deb-src http://security.ubuntu.com/ubuntu bionic-security universe main restricted multiverse
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse

(Originally it was same with artful).

I have a lot of other ppa sources lists, but the strange thing is that after dist-upgrade the issue persists; however, after reboot the system works as usual when removing the seccomp fix proposed in #2.

Julian Andres Klode (juliank) wrote :

@Turi with the same number 0000000078? That's important :)

Turi Peter (peter.turi) wrote :

Sorry I don't have the old log.

But it's also happening now:
turip@turip-xps-ws:~$ sudo -i
root@turip-xps-ws:~# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Ign:2 http://dl.google.com/linux/chrome/deb stable InRelease
Get:3 http://hu.archive.ubuntu.com/ubuntu bionic InRelease [235 kB]
Ign:4 http://hu.archive.canonical.com/ubuntu bionic InRelease
Get:5 http://hu.archive.ubuntu.com/ubuntu bionic-updates InRelease [65.4 kB]
Err:6 http://hu.archive.canonical.com/ubuntu bionic Release
  404 Not Found
Get:7 http://hu.archive.ubuntu.com/ubuntu bionic-backports InRelease [65.5 kB]
Hit:8 http://dl.google.com/linux/chrome/deb stable Release
Hit:9 https://packages.microsoft.com/repos/vscode stable InRelease
Get:10 http://hu.archive.ubuntu.com/ubuntu bionic/main Sources [833 kB]
0% [10 Sources store 0 B] [5 InRelease gpgv 65.4 kB] [Waiting for headers] [Con
 **** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****

Reading package lists... Done
E: The repository 'http://hu.archive.canonical.com/ubuntu bionic Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: Skipping acquire of configured file 'non-free/binary-amd64/Packages' as repository 'http://security.ubuntu.com/ubuntu bionic-security InRelease' doesn't have the component 'non-free' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'non-free/binary-i386/Packages' as repository 'http://security.ubuntu.com/ubuntu bionic-security InRelease' doesn't have the component 'non-free' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'non-free/i18n/Translation-en' as repository 'http://security.ubuntu.com/ubuntu bionic-security InRelease' doesn't have the component 'non-free' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'non-free/i18n/Translation-en_US' as repository 'http://security.ubuntu.com/ubuntu bionic-security InRelease' doesn't have the component 'non-free' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'non-free/dep11/Components-amd64.yml' as repository 'http://security.ubuntu.com/ubuntu bionic-security InRelease' doesn't have the component 'non-free' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'non-free/dep11/icons-64x64.tar' as repository 'http://security.ubuntu.com/ubuntu bionic-security InRelease' doesn't have the component 'non-free' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'non-free/Contents-amd64' as repository 'http://security.ubuntu.com/ubuntu bionic-security InRelease' doesn't have the component 'non-free' (component misspelt in sources.list?)
W: Skipping acquire of configured file 'non-free/Contents-i386' as repository 'http://security.ubuntu.com/ubuntu bionic-security InRelease' doesn...


Julian Andres Klode (juliank) wrote :

Wow, store method opens a socket. I wonder what for. This is frustrating. Workaround for that would probably be

  apt::sandbox::seccomp::allow { "socket" };

+ some more socket operations.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 4.0.0-1ubuntu1

---------------
libvirt (4.0.0-1ubuntu1) bionic; urgency=medium

  * Merged with Debian unstable (4.0)
    This closes several bugs:
    - Error generating apparmor profile when hostname contains spaces
      (LP: #799997)
    - qemu 2.10 locks files, libvirt shared now sets share-rw=on (LP: #1716028)
    - libvirt usb passthrough throws apparmor denials related to
      /run/udev/data/+usb (LP: #1727311)
    - AppArmor denies access to /sys/block/*/queue/max_segments (LP: #1729626)
    - iohelper improvements to let bypass-cache work without opening up the
      apparmor isolation (LP: #1719579)
    - nodeinfo on s390x to contain more CPU info (LP: #1733688)
    - Upgrade libvirt >= 4.0 (LP: #1745934)
  * Remaining changes:
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Disable selinux
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Additional apport package-hook
    - Modifications to adapt for our delayed switch away from libvirt-bin (can
      be dropped >18.04).
      + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias
        to old service name so that old references work
      + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias
        to old service name so that old references work
      + d/control: transitional package with the old name and maintainer
        scripts to handle the transition
    - Backwards compatible handling of group rename (can be dropped >18.04).
    - config details and autostart of default bridged network. Creating that is
      now the default in general, yet our solution provides the following on
      top as of today:
      + autostart the default network by default
      + do not autostart if subnet is already taken (e.g. in guests).
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
      which provided a separate kvm-spice.
    - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
      section that adapts the path of the emulator to the Debian/Ubuntu
      packaging is kept.
    - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto
      set VRAM to minimum requirements
    - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
    - Add libxl log directory
    - libvirt-uri.sh: Automatically switch default libvirt URI for users on
      Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
    - Enable some additional features on ppc...

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released
Tamas Papp (tomposmiko) wrote :

I've just tried it and I do not face the error anymore.

Jimmy Olsen (mavask71-p) wrote :

Idk if what I did has something to do with the bug itself. I noticed this bug happened just after I added the PPA as seen from https://www.omgubuntu.co.uk/2018/03/gimp-2-10-release-candidate-released and ran "sudo apt update && sudo apt upgrade" commands. Once it was removed, no error was shown anymore.

The actual seccomp fail is important.
Eventually it is a sandbox and we want to add exceptions after we know it has a valid use case.
As the above libvirt nss case which we added.

Trying the ppa you mentioned I can run just fine - so something is special in your setup.

Please note the exact details are important to Julian - see comment #17 - if it is the same, you could also try the suggested workaround via config in comment #19.

Jimmy Olsen (mavask71-p) wrote :

Hi Christian. I tried to add the PPA and it shows me that error:

marcos@marcos:~$ sudo add-apt-repository ppa:otto-kesselgulasch/gimp -y && sudo apt-get update
[sudo] password for marcos:
gpg: keybox '/tmp/tmp935_1y_p/pubring.gpg' created
gpg: key 3BDAAC08614C4B38: 1 signature not checked due to a missing key
gpg: /tmp/tmp935_1y_p/trustdb.gpg: trustdb created
gpg: key 3BDAAC08614C4B38: public key "Launchpad otto06217" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
OK
Hit:1 http://linux.teamviewer.com/deb stable InRelease
Hit:2 http://linux.teamviewer.com/deb preview InRelease
Hit:3 http://br.archive.ubuntu.com/ubuntu bionic InRelease
Hit:4 http://br.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:5 http://br.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:6 http://archive.canonical.com/ubuntu bionic InRelease
Hit:7 http://security.ubuntu.com/ubuntu bionic-security InRelease
Get:8 http://ppa.launchpad.net/otto-kesselgulasch/gimp/ubuntu bionic InRelease [15,4 kB]
Hit:9 http://ppa.launchpad.net/ubuntubudgie/backports/ubuntu bionic InRelease
Get:10 http://ppa.launchpad.net/otto-kesselgulasch/gimp/ubuntu bionic/main amd64 Packages [3.096 B]
83% [10 Packages store 0 B] [Connecting to ppa.launchpad.net (91.189.95.83)]
 **** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
Reading package lists... Done
E: Method store has died unexpectedly!
E: Sub-process store returned an error code (31)
marcos@marcos:~$

As said before, once PPA is removed,it goes back to normal.

Assuming it could be something from my computer settings, I send attached info sys about it. Hope it helps bug be fixed.

Jimmy Olsen (mavask71-p) wrote :

Just tried to add another PPA (from another program), same error going on, and I get it fixed when the PPA is removed...

Hmm,
0041 should be sys_socket

With the error present (in your case ppa enabled), could you add this and retry:

echo 'apt::sandbox::seccomp::allow { "socket" };' > /etc/apt/apt.conf.d/99seccomp

If it works with that it really was the socket call, and Julian can consider adding it.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879814#15 has listed 0041 as well, and I thought it is done, but your check will help Julian for sure.

Jimmy Olsen (mavask71-p) wrote :

Hi Christian. I tried to run this command but it didn't work:

marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' > /etc/apt/apt.conf.d/99seccomp
bash: /etc/apt/apt.conf.d/99seccomp: Permission denied
marcos@marcos:~$ sudo marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' > /etc/apt/apt.conf.d/99seccomp
bash: /etc/apt/apt.conf.d/99seccomp: Permission denied
marcos@marcos:~$ bash: /etc/apt/apt.c

The path this gets placed in is only writable by root.
So you either need to "sudo su" before you do the above.
Or you can use sudo to write with permissions through tee, like:

 $ echo 'apt::sandbox::seccomp::allow { "socket" };' | sudo tee
/etc/apt/apt.conf.d/99seccomp

Jimmy Olsen (mavask71-p) wrote :

It's still giving me the same error:

marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' | sudo tee
[sudo] password for marcos:
apt::sandbox::seccomp::allow { "socket" };
marcos@marcos:~$ sudo apt update
Get:1 http://br.archive.ubuntu.com/ubuntu bionic InRelease [235 kB]
Hit:2 http://linux.teamviewer.com/deb stable InRelease
Hit:3 http://linux.teamviewer.com/deb preview InRelease
Hit:4 http://br.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:5 http://br.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:6 http://ppa.launchpad.net/ubuntubudgie/backports/ubuntu bionic InRelease
Hit:7 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:8 http://archive.canonical.com/ubuntu bionic InRelease
Get:9 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages [1.016 kB]
0% [9 Packages store 0 B] [5 InRelease gpgv 65,5 kB] [Waiting for headers]
 **** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****

Hmm, maybe my override isn't perfect - yet since I can't reproduce to
improve it I have to wait for Julian to take a look at this.

Julian Andres Klode (juliank) wrote :

Well, no filename was specified for "tee"

:-)
Oh I see the line break added by LP in my example lead Jimmy the wrong way.
Obviously for the config to work it needs to be there :-)

@Jimmy - Please retry, and check the file content with e.g. cat after the echo.

Jimmy Olsen (mavask71-p) wrote :

Ok, tried again.. It's still not working. Error is 42 though:

marcos@marcos:~$ echo 'apt::sandbox::seccomp::allow { "socket" };' | sudo tee /etc/apt/apt.conf.d/99seccomp
[sudo] password for marcos:
apt::sandbox::seccomp::allow { "socket" };
marcos@marcos:~$ sudo apt update
Get:1 http://br.archive.ubuntu.com/ubuntu bionic InRelease [235 kB]
Hit:2 http://linux.teamviewer.com/deb stable InRelease
Hit:3 http://linux.teamviewer.com/deb preview InRelease
Hit:4 http://br.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:5 http://br.archive.ubuntu.com/ubuntu bionic-backports InRelease
Hit:6 http://archive.canonical.com/ubuntu bionic InRelease
Hit:7 http://ppa.launchpad.net/ubuntubudgie/backports/ubuntu bionic InRelease
Hit:8 http://security.ubuntu.com/ubuntu bionic-security InRelease
Get:9 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages [1.018 kB]
0% [9 Packages store 0 B] [4 InRelease gpgv 65,4 kB] [Waiting for headers]
 **** Seccomp prevented execution of syscall 0000000042 on architecture amd64 ****
Reading package lists... Done
E: Method store has died unexpectedly!
E: Sub-process store returned an error code (31)
marcos@marcos:~$

Something seems broken on your config, all those basic things should be allowed IMHO (and they are, or I'd hit them as well).

You could iterate on this with [1] which for this would let you also add "connect".
But I doubt that will eventually resolve your issue.
The question is why does it break on you at all while it is working for others in general.

If you iterate adding more and more excuses you might come back with the list that you needed.
But I'm pretty sure connect and socket would have been allowed already if everything would be right.

[1]: https://filippo.io/linux-syscall-table/

Julian Andres Klode (juliank) wrote :

No - it's the "store" method that's failing (e.g. recompressing/decompressing files). I disallowed socket and friends for that, so that's failing. I mean, it's a decompress/compress method, it should not have network access.

Julian Andres Klode (juliank) wrote :

I wonder if we should turn the sandbox off by default for bionic. Not sure.

Julian Andres Klode (juliank) wrote :

Or generally allow network and the getdents stuff, and just block more esoteric syscalls for now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.6~rc1

---------------
apt (1.6~rc1) unstable; urgency=medium

  [ Julian Andres Klode ]
  * Experimental support for zstd (LP: #1763839)
  * Fix debian/NEWS entry for 1.6~beta1
  * Use https for Ubuntu changelogs
  * Bump cache major version to allow different 1.5 and 1.6 updates
  * CI: Switch testing to use ubuntu:bionic for 1.6.y
  * Turn off seccomp sandboxing by default (LP: #1732030) (Closes: #890489)
  * Allow restart_syscall() syscall in seccomp sandboxes (Closes: #891644)
  * Delete /etc/dpkg/dpkg.cfg.d/excludes on Docker CI images
  * test: export GCOV_ERROR_FILE=/dev/null to make it fail less/no tests
  * apt-private: Collect not found packages in CacheSetHelperAPTGet
  * Introduce experimental new hooks for command-line tools (LP: #1763839)

  [ David Kalnischkies ]
  * remove duplicate changelog lines from 1.6~beta1 entry
  * fix communication typo in https manpage
  * set our two libapt libraries to prio:optional
  * document Acquire::AllowReleaseInfoChange without extra s

  [ jean-pierre giraud ]
  * French man pages translation (Closes: #895117)

 -- Julian Andres Klode <email address hidden> Sun, 15 Apr 2018 21:41:44 +0200

Changed in apt (Ubuntu):
status: Confirmed → Fix Released
Simon Déziel (sdeziel) wrote :

It's already mentioned in the NEWS file but for those who would like to test the seccomp sandbox, all that's needed is:

  APT::Sandbox::Seccomp "true";

Thanks Julian

Thanks

Roger Light (roger.light) wrote :

I've been hit by this problem as well, but for the pread64 syscall. It's working for me now after playing with my apt conf, getting the bug fix and then reverting my apt conf, but thought it was worth mentioning anyway.

I'm on a system with nfs/autofs home directories and nis for logins, which I bet is the contributing factor.
