When trying to install net-misc/lldpd on a non-x86 architecture (first must keyword for your architecture, in my case ppc64), if seccomp is enabled (as it is by default, at least with a systemd stage3), it will fail to build with an #error because the code does not support non-x86 architectures. As a workaround, you can remove the seccomp USE flag for this package. Ideally, seccomp should be supported on non-x86 architectures in lldpd, or the ebuild modified so that seccomp is not enabled on unsupported architectures. Reproducible: Always Actual Results: priv-seccomp.c:38:4: error: #error "Platform does not support seccomp filter yet" 38 | # error "Platform does not support seccomp filter yet" | ^~~~~ compilation terminated due to -Wfatal-errors. This is because the code has trap handling that relies on looking at architecture-specific registers: Since I can't post URLs as a new user, look at lldp commit hash 3186d95e4e70a84b2c0af182c4446693a45a3b95 src/daemon/priv-seccomp.c line 31 It turns out it really was based on code that the upstream kernel told you to write in the seccomp filter documentation page, i.e. it references samples/seccomp/bpf-direct.c. This seems pretty gross; is there a better way? Worth discussing with upstream?
For now, we can p.use.mask seccomp for lldpd on everywhere but amd64/x86, but yuck.
OK I masked the USE flag everywhere except x86/amd64. It would definitely be worth filing a ticket upstream for this.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ad37aff49d45732b65342d7484f12ec021798cf commit 6ad37aff49d45732b65342d7484f12ec021798cf Author: Patrick McLean <chutzpah@gentoo.org> AuthorDate: 2024-09-23 17:45:20 +0000 Commit: Patrick McLean <chutzpah@gentoo.org> CommitDate: 2024-09-23 17:46:43 +0000 profiles: Mask seccomp on net-misc/lldpd except x86 (bug #940014) Closes: https://bugs.gentoo.org/940014 Signed-off-by: Patrick McLean <chutzpah@gentoo.org> profiles/arch/amd64/package.use.mask | 4 ++++ profiles/arch/x86/package.use.mask | 4 ++++ profiles/base/package.use.mask | 4 ++++ 3 files changed, 12 insertions(+)
The annoying thing is I don't really know what's the best solution for it. The code upstream is ugly and architecture whack-a-mole feels unsustainable, but the fact the code came from Linux as an example to be copied from... who knows how many places that is too, and from a pretty authoritative source at that?
I don't think there really is a good way to do it at the moment. It's whack-a-mole because libc changes the syscalls it uses behind the scenes pretty frequently. Really the only way to have a filter that only allows the syscalls that you actually use without playing whack-a-mole is not use libc wrappers at all, and just use syscall() directly to make all your syscalls. You can easily keep track what syscalls you are using then, and create your filters accordingly. Unfortunately you will likely have to reimplement a bunch of extra work that libc does for you though.
I filed the issue upstream here, at least: https://github.com/lldpd/lldpd/discussions/677
