Created attachment 535684
Add brk syscall to seccomp syscall filter.

Since upgrading sys-libs/glibc to 2.26-r7, net-misc/lldpd[seccomp] failed to start with "invalid syscall attempted: brk(12)". Attached patch adds brk syscall to the list of allowed syscalls in lldpd's seccomp privileges part. The patch applies cleanly, builds and runs without error as far as tested.
I can confirm the problem, running ~amd64, net-misc/lldpd-1.0.1[seccomp]:

Program terminated with signal SIGSYS, Bad system call.
#0  0x00007f18abb5375d in brk () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f18abb5375d in brk () from /lib64/libc.so.6
#1  0x00007f18abb53869 in sbrk () from /lib64/libc.so.6
#2  0x00007f18abae32e9 in __default_morecore () from /lib64/libc.so.6
#3  0x00007f18abadee1c in sysmalloc () from /lib64/libc.so.6
#4  0x00007f18abae0023 in _int_malloc () from /lib64/libc.so.6
#5  0x00007f18abae24a5 in calloc () from /lib64/libc.so.6
#6  0x00007f18abad2cc3 in open_memstream () from /lib64/libc.so.6
#7  0x00007f18abb575f1 in __vsyslog_chk () from /lib64/libc.so.6
#8  0x000055961d673831 in vlog ()
#9  0x000055961d673d59 in log_warnx ()
#10 0x000055961d67a927 in priv_seccomp_trap_handler ()
#11 <signal handler called>
#12 0x00007f18abb5375d in brk () from /lib64/libc.so.6
#13 0x00007f18abb53869 in sbrk () from /lib64/libc.so.6
#14 0x00007f18abae32e9 in __default_morecore () from /lib64/libc.so.6
#15 0x00007f18abadee1c in sysmalloc () from /lib64/libc.so.6
#16 0x00007f18abae0023 in _int_malloc () from /lib64/libc.so.6
#17 0x00007f18abae24a5 in calloc () from /lib64/libc.so.6
#18 0x00007f18abb3462b in build_trtable () from /lib64/libc.so.6
#19 0x00007f18abb3e705 in re_search_internal () from /lib64/libc.so.6
#20 0x00007f18abb406aa in regexec () from /lib64/libc.so.6
#21 0x000055961d67305d in asroot_open ()
#22 0x000055961d6775c2 in priv_init ()
#23 0x000055961d66b137 in lldpd_main ()
#24 0x00007f18aba779fa in __libc_start_main () from /lib64/libc.so.6
#25 0x000055961d667dca in _start ()
And I can confirm the attached patch fixes the problem.
On another computer, even with the patch, it fails with the same error. The only difference I can spot is that this other computer is using the profile default/linux/amd64/17.0/hardened.
(In reply to Thomas Capricelli from comment #3)
> On another computer, even with the patch, it fails with the same error. The
> only difference I can spot is that this other computer is using the profile
> default/linux/amd64/17.0/hardened.

Interesting. It works for me with hardened/linux/amd64 profile.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b41cdc9a3dab0701f044ed053a15690b5daa4410

commit b41cdc9a3dab0701f044ed053a15690b5daa4410
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2018-07-20 21:30:11 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2018-07-20 21:30:35 +0000

    net-misc/lldpd: Revision bump, allow brk with seccomp (bug #657932)

    Closes: https://bugs.gentoo.org/657932
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 .../lldpd/files/lldpd-1.0.1-seccomp-add-brk.patch |  11 +++
 net-misc/lldpd/lldpd-1.0.1-r1.ebuild               | 103 +++++++++++++++++++++
 2 files changed, 114 insertions(+)