APT::Sandbox::Seccomp prevents connect,sendto,socket syscalls on Focal
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apt (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
# Steps to reproduce:
$ lxc launch images:ubuntu/focal fa1
$ lxc shell fa1
root@fa1:~# echo 'APT::Sandbox:
root@fa1:~# rm /var/lib/
root@fa1:~# apt-get update
Hit:1 http://
Get:2 http://
Hit:3 http://
Get:4 http://
Get:5 http://
30% [4 Packages store 0 B] [5 Packages 100 kB/8,623 kB 1%]
**** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
Reading package lists... Done
E: Method store has died unexpectedly!
E: Sub-process store returned an error code (31)
This was tested in a container as well as inside a VM, same issue. This used to work with Bionic.
# Workaround
Fortunately, apt supports manual whitelisting of syscalls. A workaround is to allow 3 more syscalls.
root@fa1:~# echo 'APT::Sandbox:
# Additional information
root@fa1:~# lsb_release -rd
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
root@fa1:~# uname -a
Linux fa1 5.3.0-40-generic #32~18.04.1-Ubuntu SMP Mon Feb 3 14:05:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@fa1:~# apt-cache policy apt libc-bin
apt:
Installed: 1.9.10
Candidate: 1.9.10
Version table:
*** 1.9.10 500
500 http://
100 /var/lib/
libc-bin:
Installed: 2.31-0ubuntu5
Candidate: 2.31-0ubuntu5
Version table:
*** 2.31-0ubuntu5 500
500 http://
100 /var/lib/
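A triage helper for the trap message quoted in the report, as an added example that is not part of the original bug report or of apt's own code. It extracts the syscall numbers apt's seccomp sandbox blocked, resolves the amd64 socket-related ones to names, and renders them as an `APT::Sandbox::Seccomp::Allow` list. That option name comes from apt.conf(5), not from the truncated command above, and the sample output is constructed.

```python
import re

# Constructed sample: trap lines follow the message format shown in the report.
SAMPLE_OUTPUT = """\
30% [4 Packages store 0 B] [5 Packages 100 kB/8,623 kB 1%]
**** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
E: Method store has died unexpectedly!
**** Seccomp prevented execution of syscall 0000000042 on architecture amd64 ****
**** Seccomp prevented execution of syscall 0000000044 on architecture amd64 ****
**** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
**** Seccomp prevented execution of syscall 0000000999 on architecture amd64 ****
"""

# Socket-related x86_64 syscall numbers (Linux syscall_64.tbl). Other
# architectures number syscalls differently, so only amd64 is resolved here.
AMD64_NET_SYSCALLS = {
    41: "socket", 42: "connect", 43: "accept", 44: "sendto", 45: "recvfrom",
    46: "sendmsg", 47: "recvmsg", 48: "shutdown", 49: "bind", 50: "listen",
}
TRAP_RE = re.compile(
    r"Seccomp prevented execution of syscall (\d+) on architecture (\S+)")

def parse_traps(text):
    """Return unique (arch, syscall_number) pairs in first-seen order."""
    seen = []
    for m in TRAP_RE.finditer(text):
        key = (m.group(2), int(m.group(1)))  # number is zero-padded decimal
        if key not in seen:
            seen.append(key)
    return seen

def resolve(traps):
    """Split traps into resolved names and pairs that need a manual lookup."""
    names, unknown = [], []
    for arch, nr in traps:
        name = AMD64_NET_SYSCALLS.get(nr) if arch == "amd64" else None
        if name:
            names.append(name)
        else:
            unknown.append((arch, nr))
    return names, unknown

def allow_fragment(names):
    """Render resolved names as an apt.conf list (empty string if none)."""
    if not names:
        return ""
    return "APT::Sandbox::Seccomp::Allow { %s };" % " ".join(
        '"%s";' % n for n in names)

if __name__ == "__main__":
    names, unknown = resolve(parse_traps(SAMPLE_OUTPUT))
    print(allow_fragment(names), "| unresolved:", unknown)
```

Anything returned in the unresolved list should be looked up against the syscall table for that architecture before it is added to the allow list.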
description: updated
summary:
- APT::Sandbox::Seccomp prevents socket syscall on Focal
+ APT::Sandbox::Seccomp prevents connect,sendto,socket syscalls on Focal
I'm happy to report that apt version 2.0.0 fixed this bug, thanks!
$ apt-cache policy apt
apt:
Installed: 2.0.0
Candidate: 2.0.0
Version table:
*** 2.0.0 500
500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
100 /var/lib/dpkg/status