[Bug 1867488] [NEW] APT::Sandbox::Seccomp prevents connect, sendto, socket syscalls on Focal
Simon Déziel
1867488 at bugs.launchpad.net
Sun Mar 15 01:34:07 UTC 2020
Public bug reported:
# Steps to reproduce:
$ lxc launch images:ubuntu/focal fa1
$ lxc shell fa1
root@fa1:~# echo 'APT::Sandbox::Seccomp "true";' > /etc/apt/apt.conf.d/01apt-seccomp
root@fa1:~# rm /var/lib/apt/lists/*Release # makes sure we fetch stuff from the network
root@fa1:~# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [255 kB]
Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Get:4 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [976 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [8,623 kB]
30% [4 Packages store 0 B] [5 Packages 100 kB/8,623 kB 1%]
**** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
Reading package lists... Done
E: Method store has died unexpectedly!
E: Sub-process store returned an error code (31)
This was tested in a container as well as inside a VM, same issue. This
used to work with Bionic.
# Workaround
Fortunately, apt supports manual whitelisting of syscalls. A workaround
is to allow 3 more syscalls.
root@fa1:~# echo 'APT::Sandbox::Seccomp::Allow "connect,sendto,socket";' >> /etc/apt/apt.conf.d/01apt-seccomp
# Additional information
root@fa1:~# lsb_release -rd
Description:    Ubuntu Focal Fossa (development branch)
Release:        20.04
root@fa1:~# uname -a
Linux fa1 5.3.0-40-generic #32~18.04.1-Ubuntu SMP Mon Feb 3 14:05:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@fa1:~# apt-cache policy apt libc-bin
apt:
  Installed: 1.9.10
  Candidate: 1.9.10
  Version table:
 *** 1.9.10 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
libc-bin:
  Installed: 2.31-0ubuntu5
  Candidate: 2.31-0ubuntu5
  Version table:
 *** 2.31-0ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
** Affects: apt (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
# Steps to reproduce:
$ lxc launch images:ubuntu/focal fa1
$ lxc shell fa1
root at fa1:~# echo 'APT::Sandbox::Seccomp "true";' > /etc/apt/apt.conf.d/01apt-seccomp
root at fa1:~# rm /var/lib/apt/lists/*Release # makes sure we fetch stuff from the network
root at fa1:~# apt-get update
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [255 kB]
Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Get:4 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [976 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [8,623 kB]
30% [4 Packages store 0 B] [5 Packages 100 kB/8,623 kB 1%]
- **** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
- Reading package lists... Done
+ **** Seccomp prevented execution of syscall 0000000041 on architecture amd64 ****
+ Reading package lists... Done
E: Method store has died unexpectedly!
E: Sub-process store returned an error code (31)
This was tested in a container as well as inside a VM, same issue. This
used to work with Bionic.
-
# Workaround
Fortunately, apt supports manual whitelisting of syscalls. A workaround
- is to allow the socket and connect syscalls as simply allowing socket
- fails with:
+ is to allow 3 more syscalls.
- **** Seccomp prevented execution of syscall 0000000042 on architecture
- amd64 ****
-
- root at fa1:~# echo 'APT::Sandbox::Seccomp::Allow "socket,connect";' >>
- /etc/apt/apt.conf.d/01apt-seccomp
-
+ root at fa1:~# echo 'APT::Sandbox::Seccomp::Allow "connect,sendto,socket";'
+ >> /etc/apt/apt.conf.d/01apt-seccomp
# Additional information
root at fa1:~# lsb_release -rd
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
root at fa1:~# uname -a
Linux fa1 5.3.0-40-generic #32~18.04.1-Ubuntu SMP Mon Feb 3 14:05:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root at fa1:~# apt-cache policy apt libc-bin
apt:
- Installed: 1.9.10
- Candidate: 1.9.10
- Version table:
- *** 1.9.10 500
- 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
- 100 /var/lib/dpkg/status
+ Installed: 1.9.10
+ Candidate: 1.9.10
+ Version table:
+ *** 1.9.10 500
+ 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
+ 100 /var/lib/dpkg/status
libc-bin:
- Installed: 2.31-0ubuntu5
- Candidate: 2.31-0ubuntu5
- Version table:
- *** 2.31-0ubuntu5 500
- 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
- 100 /var/lib/dpkg/status
+ Installed: 2.31-0ubuntu5
+ Candidate: 2.31-0ubuntu5
+ Version table:
+ *** 2.31-0ubuntu5 500
+ 500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
+ 100 /var/lib/dpkg/status
** Summary changed:
- APT::Sandbox::Seccomp prevents socket syscall on Focal
+ APT::Sandbox::Seccomp prevents connect,sendto,socket syscalls on Focal
--
https://bugs.launchpad.net/bugs/1867488
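What the sandbox does to the store method, reduced to a stand-alone C program (an added example, not apt's own code): a seccomp-bpf filter that either denies or allows the three syscalls named in the report (socket, connect, sendto: 41, 42 and 44 on amd64), plus a probe for each one. The filter here returns EPERM instead of killing the process, an assumption chosen so the result can be inspected; apt's real filter kills the method, which is the "died unexpectedly" in the log above.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64 /* the "architecture amd64" in apt's message */
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
/* deny_net != 0: socket/connect/sendto fail with EPERM (the Focal sandbox
 * without the Allow line); deny_net == 0: they pass (the workaround applied).
 * Filters stack and are irrevocable. Returns 0 or the errno from prctl(). */
static int install_net_filter(int deny_net) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* numbers are per-arch */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_sendto, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM), /* index 7 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    if (!deny_net) /* allowlisted: the three syscalls now reach ALLOW too */
        prog[7] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0) return errno;
    return 0;
}
/* Probes return 0 on success or the errno handed back. connect/sendto use an
 * invalid fd: unfiltered the kernel says EBADF, filtered seccomp says EPERM
 * before the fd is even examined. */
static int probe_socket(void) {
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    return fd < 0 ? errno : close(fd); /* close() returns 0 on success */
}
static int probe_connect(void) {
    struct sockaddr sa = { .sa_family = AF_UNIX };
    return connect(-1, &sa, sizeof sa) == 0 ? 0 : errno;
}
static int probe_sendto(void) { return sendto(-1, "", 0, 0, NULL, 0) == 0 ? 0 : errno; }
```

Because filters stack, calling install_net_filter(0) and then install_net_filter(1) in one process reproduces the before and after of the workaround: the probes succeed (or return EBADF) until the denying filter is in place, then all three return EPERM.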