FS#4138 - procd requires seccomp in certain configurations #9191

Closed
openwrt-bot opened this issue Nov 17, 2021 · 1 comment
kirelagin:

If `CONFIG_PACKAGE_procd-seccomp=y`, procd will be built with `-DSECCOMP_SUPPORT`.

In practice, this means that if some service's init script tries to set a seccomp policy, procd will call the `/sbin/seccomp-trace` binary ([relevant code](https://git.openwrt.org/?p=project/procd.git;a=blob;f=service/instance.c;h=8cabedb8b0fd789fb0686c7b4a9f35ec3abfd441;hb=HEAD#l489)). The problem is that this binary, which is part of procd, is not installed by the `procd` package; it is contained in a separate `procd-seccomp` package. So the service which tries to set the policy will fail to start.

I can see the following options:

  1. Any package that wants to do `procd_set_param seccomp` in its init script needs to explicitly depend on `procd-seccomp` (and this needs to be documented somewhere).
  2. Init scripts should request seccomp conditionally, only if it is available (if `procd-seccomp` is installed? or what should the test be?).
  3. `procd-seccomp` needs to be installed by default whenever `CONFIG_PACKAGE_procd-seccomp=y`.

Currently, I am aware of two packages affected: umdns (https://bugs.openwrt.org/index.php?do=details&task_id=3355) and transmission (openwrt/packages#16972), but, I imagine, eventually there will be more.

ynezz:

I've just tested it on x86/64 with OpenWrt 21.02.1 and it works fine.

> Init scripts should request seccomp conditionally, only if it is available (if procd-seccomp is installed? or what should the test be?).

```sh
[ -f /etc/seccomp/umdns.json ] && procd_set_param seccomp /etc/seccomp/umdns.json
```

In other words, if the /etc/seccomp config exists, then use it.
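The thread leaves open what the "is seccomp available?" test should be. The snippet in the reply above only checks that the policy file exists, which does not cover the case the report describes: the policy file is shipped but `procd-seccomp` (and with it `/sbin/seccomp-trace`) is not installed, so procd fails the instance. The following is an added example, not code from the issue or from procd, showing a helper that requires both the policy file and the enforcer binary before requesting a policy. Checking for `/sbin/seccomp-trace` as the marker of an installed `procd-seccomp` is this example's assumption, drawn from the report's description of what procd executes; the policy directory and enforcer path are parameters only so the helper can be exercised outside a router, and `procd_set_param` is stubbed because it exists only inside a real OpenWrt init script.

```shell
#!/bin/sh
# Added example (not from the issue or from procd): decide whether an OpenWrt
# init script should request a seccomp policy at all.
#
# Failure mode from the report: procd built with SECCOMP_SUPPORT runs
# /sbin/seccomp-trace when a service asks for a policy, but that binary ships
# in the separate procd-seccomp package. Asking for a policy whose enforcer is
# missing makes the service fail to start, so both files must be present.
#
# Assumptions (not stated on the page): policy directory and enforcer path are
# taken as parameters so this runs anywhere; on a device they would default to
# /etc/seccomp and /sbin/seccomp-trace.

# seccomp_policy_if_available NAME [POLICY_DIR] [ENFORCER]
# Prints the policy path and returns 0 when the policy file and the enforcer
# both exist; prints nothing and returns 1 otherwise.
seccomp_policy_if_available() {
    name="$1"
    policy_dir="${2:-/etc/seccomp}"
    enforcer="${3:-/sbin/seccomp-trace}"
    policy="$policy_dir/$name.json"

    # No policy shipped for this service: run unconfined, as before.
    [ -f "$policy" ] || return 1
    # Policy shipped but procd-seccomp not installed: requesting it would make
    # procd fail the instance, so fall back to unconfined instead.
    [ -x "$enforcer" ] || return 1

    printf '%s\n' "$policy"
}

# procd_set_param only exists inside a real init script (after sourcing
# /lib/functions/procd.sh); stubbed here so the example runs stand-alone.
procd_set_param() { printf 'procd_set_param %s\n' "$*"; }

# How a start_service() body would use the helper (hypothetical wrapper).
start_service_demo() {
    name="$1"; policy_dir="$2"; enforcer="$3"
    if policy=$(seccomp_policy_if_available "$name" "$policy_dir" "$enforcer"); then
        procd_set_param seccomp "$policy"
    else
        # A real script would log this with logger -t "$name" so the
        # missing confinement is visible rather than silently skipped.
        printf 'seccomp policy for %s not applied\n' "$name"
    fi
}
```

Falling back to an unconfined start keeps the service available when `procd-seccomp` is absent, which is the behaviour the reply above chose; the logged line makes that degradation observable, so an image that was meant to ship seccomp confinement does not lose it silently.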
