You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If //CONFIG_PACKAGE_procd-seccomp=y//, procd will be built with //-DSECCOMP_SUPPORT//.
In practice, this means that if some service’s init script tries to set a seccomp policy, procd will call the ///sbin/seccomp-trace// binary ([[https://git.openwrt.org/?p=project/procd.git;a=blob;f=service/instance.c;h=8cabedb8b0fd789fb0686c7b4a9f35ec3abfd441;hb=HEAD#l489|relevant code]]). The problem is that this binary, which is part of procd, is not installed by the //procd// package, it is contained in a separate //procd-seccomp// package. So, the service which tries to set the policy will fail to start.
I can see the following options:
Any package that wants to do //procd_set_param seccomp// in its init script needs to explicitly depend on //procd-seccomp// (and this needs to be documented somewhere).
Init scripts should request seccomp conditionally, only if it is available (if //procd-seccomp// is installed? or what should the test be?).
//procd-seccomp// needs to be installed by default whenever //CONFIG_PACKAGE_procd-seccomp=y//.
kirelagin:
If //CONFIG_PACKAGE_procd-seccomp=y//, procd will be built with //-DSECCOMP_SUPPORT//.
In practice, this means that if some service’s init script tries to set a seccomp policy, procd will call the ///sbin/seccomp-trace// binary ([[https://git.openwrt.org/?p=project/procd.git;a=blob;f=service/instance.c;h=8cabedb8b0fd789fb0686c7b4a9f35ec3abfd441;hb=HEAD#l489|relevant code]]). The problem is that this binary, which is part of procd, is not installed by the //procd// package, it is contained in a separate //procd-seccomp// package. So, the service which tries to set the policy will fail to start.
I can see the following options:
Currently, I am aware of two packages affected: umdns (https://bugs.openwrt.org/index.php?do=details&task_id=3355) and transmission (openwrt/packages#16972), but, I imagine, eventually there will be more.
The text was updated successfully, but these errors were encountered: