OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version openwrt-21.02
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Kirill Elagin - 17.11.2021
Last edited by Petr Štetiar - 27.12.2021

FS#4138 - procd requires seccomp in certain configurations

If CONFIG_PACKAGE_procd-seccomp=y, procd will be built with -DSECCOMP_SUPPORT.

In practice, this means that if some service’s init script tries to set a seccomp policy, procd will call the /sbin/seccomp-trace binary (relevant code). The problem is that this binary, which is part of procd, is not installed by the procd package; it is contained in a separate procd-seccomp package. So, the service which tries to set the policy will fail to start.

I can see the following options:

1. Any package that wants to do procd_set_param seccomp in its init script needs to explicitly depend on procd-seccomp (and this needs to be documented somewhere).
2. Init scripts should request seccomp conditionally, only if it is available (if procd-seccomp is installed? or what should the test be?).
3. procd-seccomp needs to be installed by default whenever CONFIG_PACKAGE_procd-seccomp=y.

Currently, I am aware of two packages affected: umdns (https://bugs.openwrt.org/index.php?do=details&task_id=3355) and transmission (https://github.com/openwrt/packages/issues/16972), but, I imagine, eventually there will be more.

Closed by  Petr Štetiar
27.12.2021 10:18
Reason for closing:  Works for me
Additional comments about closing:  

I've just tested it on x86/64 with OpenWrt 21.02.1 r16325-88151b8303 and it works fine.

Admin
Petr Štetiar commented on 27.12.2021 10:09

I've just tested it on x86/64 with OpenWrt 21.02.1 and it works fine.

2. Init scripts should request seccomp conditionally, only if it is available (if procd-seccomp is installed? or what should the test be?).

[ -f /etc/seccomp/umdns.json ] && procd_set_param seccomp /etc/seccomp/umdns.json

In other words, if /etc/seccomp config exists, then use it.
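
One way to write the availability test asked about in option 2, as an added example that is not code from OpenWrt or from this thread: it checks the policy file, as in the comment above, and also the /sbin/seccomp-trace helper the report names. The function names, the optional root-prefix argument and the procd_set_param stand-in are assumptions made so the check can be run off-device.

```shell
#!/bin/sh
# Added example, not OpenWrt code. seccomp_usable, request_seccomp and the
# optional ROOT prefix argument are hypothetical names chosen for illustration.

# Stand-in so the file runs outside OpenWrt; on a device the real
# procd_set_param is provided by the procd init-script helpers.
type procd_set_param >/dev/null 2>&1 ||
	procd_set_param() { LAST_PROCD_PARAM="$*"; }

# seccomp_usable POLICY [ROOT]
# Succeeds only when both pieces named in the report are present:
#   - the service's policy file (the check used in the comment above)
#   - the /sbin/seccomp-trace helper that procd executes for such services
# ROOT is an optional path prefix for checking an unpacked image or a test tree.
seccomp_usable() {
	[ -f "${2:-}$1" ] || return 1
	[ -x "${2:-}/sbin/seccomp-trace" ] || return 1
	return 0
}

# request_seccomp POLICY [ROOT]
# Requests the policy when it can be enforced. Otherwise it returns 1 and
# writes a message to stderr, so a service that starts without its seccomp
# policy leaves a trace instead of silently running unconfined.
request_seccomp() {
	if seccomp_usable "$1" "${2:-}"; then
		procd_set_param seccomp "$1"
		return 0
	fi
	echo "seccomp: policy $1 not applied" \
		"(policy file or /sbin/seccomp-trace missing)" >&2
	return 1
}

# Intended use inside an init script's start_service(), between
# procd_open_instance and procd_close_instance:
#   request_seccomp /etc/seccomp/umdns.json || true
```

Dropping the `|| true` and returning from start_service instead makes a missing helper a start failure rather than an unconfined start; which of the two is right depends on the service.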
