[Pkg-libvirt-maintainers] Bug#934474: libnss-libvirt: fails to work with apt when seccomp is enabled
Thomas Luzat
thomas at luzat.com
Sun Aug 11 12:43:44 BST 2019
Package: libnss-libvirt
Version: 5.2.0-2
Severity: normal
Dear Maintainer,

when:

- libnss-libvirt (5.0.0-4 or 5.2.0-2) is active in /etc/nsswitch.conf (libvirt
  or libvirt_guest)
- being on x86-64 (not sure about other platforms, but may be relevant)
- apt has seccomp enabled (APT::Sandbox::Seccomp "true";)

apt fails when trying to contact hosts (see log below), because syscall 217
(getdents64) can't be executed. /etc/apt/apt.conf.d/90libnss-libvirt specifies
that getdents is allowed:

    // the nss module (once enabled) will make apt call getdents (LP: #1732030)
    apt::sandbox::seccomp::allow { "getdents" };

Changing getdents to getdents64 makes it work, but I suppose some systems may
use getdents while others may use getdents64. It would probably be best to
allow only the one that is required on that architecture, but allowing both is
probably not too bad:

    apt::sandbox::seccomp::allow { "getdents", "getdents64" };

Cheers,
Thomas Luzat

apt-get source libnss-libvirt
Reading package lists... Done
Picking 'libvirt' as source package instead of 'libnss-libvirt'
NOTICE: 'libvirt' packaging is maintained in the 'Git' version control system
at:
https://salsa.debian.org/libvirt-team/libvirt.git
Please use:
git clone https://salsa.debian.org/libvirt-team/libvirt.git
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 15.1 MB of source archives.
0% [Working]
**** Seccomp prevented execution of syscall 0000000217 on architecture amd64
****
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (31)
E: Failed to fetch some archives.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (501, 'unstable'), (500, 'unstable-debug'), (500, 'testing-debug'), (400, 'testing'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 5.2.8-wopr (SMP w/8 CPU cores; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libnss-libvirt depends on:
ii libc6 2.28-10
ii libgcc1 1:9.1.0-10
ii libvirt0 5.2.0-2
ii libyajl2 2.1.0-3
libnss-libvirt recommends no packages.
libnss-libvirt suggests no packages.
-- no debconf information
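
A triage helper for the failure reported above, added here as an example (it is not part of the original report, apt, or libvirt): it reads the syscall number from apt's seccomp message, names it for the reported architecture, and checks it against the apt::sandbox::seccomp::allow lists. The function names and the small three-architecture syscall table are assumptions of this example; the sample inputs are copied from the report.

```python
import re

# Numbers of the two directory-read syscalls per dpkg architecture, taken from
# the Linux syscall tables (arm64 has no legacy getdents). Example table only.
SYSCALLS = {
    "amd64": {78: "getdents", 217: "getdents64"},
    "i386": {141: "getdents", 220: "getdents64"},
    "arm64": {61: "getdents64"},
}

DENIED = re.compile(r"Seccomp prevented execution of syscall (\d+) on architecture (\S+)")
ALLOW = re.compile(r"apt::sandbox::seccomp::allow\s*\{([^}]*)\}", re.IGNORECASE)

# Sample inputs, copied from the report: shipped conf, proposed conf, apt output.
SHIPPED = (
    '// the nss module (once enabled) will make apt call getdents (LP: #1732030)\n'
    'apt::sandbox::seccomp::allow { "getdents" };\n'
)
PROPOSED = 'apt::sandbox::seccomp::allow { "getdents", "getdents64" };\n'
LOG = "**** Seccomp prevented execution of syscall 0000000217 on architecture amd64\n****\n"


def allowed_syscalls(conf_text):
    """Collect the names from every apt::sandbox::seccomp::allow { ... } list."""
    stripped = "\n".join(l.split("//", 1)[0] for l in conf_text.splitlines())
    names = set()
    for body in ALLOW.findall(stripped):
        names.update(re.findall(r'"([^"]+)"', body))
    return names


def diagnose(log_text, conf_text):
    """Return (number, arch, name, is_allowed) for each denial in the log."""
    allowed = allowed_syscalls(conf_text)
    findings = []
    for number, arch in DENIED.findall(log_text):
        nr = int(number)  # apt prints the number zero-padded, in decimal
        name = SYSCALLS.get(arch, {}).get(nr)  # None: not in this small table
        findings.append((nr, arch, name, name in allowed))
    return findings


if __name__ == "__main__":
    for label, conf in (("shipped", SHIPPED), ("proposed", PROPOSED)):
        print(label, diagnose(LOG, conf))
```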