Summary: | net-misc/ntpsec-1.1.8 on ARM: SIGSYS/seccomp bad syscall - missing SCMP_SYS for newfstatat faccessat | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | crabbed halo ablution <crabbedhaloablution> |
Component: | Current packages | Assignee: | Steve Arnold <nerdboy> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | blueness, jamesb.fe80, sam |
Priority: | Normal | Keywords: | PATCH |
Version: | unspecified | ||
Hardware: | ARM64 | ||
OS: | Linux | ||
See Also: |
https://gitlab.com/NTPsec/ntpsec/issues/639
https://bugs.gentoo.org/show_bug.cgi?id=721150
https://bugs.gentoo.org/show_bug.cgi?id=786228 |
||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 732234 | ||
Bug Blocks: | 713688 | ||
Attachments: |
seccomp.patch
configure output
ntpsecstrace.txt
seccomp-v2.patch
proposed patch to add syscalls to NTPsec seccomp sandbox |
Description
crabbed halo ablution
2020-01-10 21:08:42 UTC
Created attachment 602932 [details, diff]
seccomp.patch
Naive patch to fix the problem.
Created attachment 602934 [details]
configure output
Created attachment 602936 [details]
ntpsecstrace.txt
strace of ntpd startup with seccomp violation
Created attachment 603094 [details, diff]
seccomp-v2.patch
Caught another trap (renameat). Also, narrowed it down to only being an issue on aarch64, so it's ifdef'ed neatly.
(In reply to crabbed halo ablution from comment #4)
> Created attachment 603094 [details, diff]
> seccomp-v2.patch
>
> Caught another trap (renameat). Also, narrowed it down to only being an
> issue on aarch64, so it's ifdef'ed neatly.

I caught a few of these myself on amd64. Let's wait till your patch lands upstream and then I'll backport or version bump so the fix gets in.

Handled upstream in merge request [1] with patch [2]. Please test and report back upstream to close the issue.

[1] https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1090
[2] https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1090/diffs?commit_id=823bcf1abf8a57b12fc0a2ab3ac45ce86f24a65d

Upstream patch is in for testing (should be in the next release). Also I'd probably prefer nuking the older ebuilds and stabilizing something reasonably current (1.1.8 looks decent with the patch).

With the current patches for net-misc/ntpsec-1.2.0-r1 I'm getting another lovely seccomp error:

nerdboy@genson ~ $ sudo tail /var/log/daemon.log
Apr 18 16:47:11 genson kernel: udevd[611]: starting eudev-3.2.10
Apr 18 17:27:00 genson /etc/init.d/ntp[4336]: start-stop-daemon: no matching processes found
Apr 18 17:27:00 genson ntpd[4366]: INIT: ntpd ntpsec-1.2.0 2021-04-15T19:42:17Z: Starting
Apr 18 17:27:00 genson ntpd[4366]: INIT: Command line: /usr/sbin/ntpd -p /run/ntpd.pid -g -u ntp:ntp
Apr 18 17:27:00 genson ntpd[4367]: INIT: precision = 0.583 usec (-21)
Apr 18 17:27:00 genson ntpd[4367]: INIT: successfully locked into RAM
Apr 18 17:27:00 genson ntpd[4367]: INIT: sandbox: seccomp enabled.
Apr 18 17:27:00 genson ntpd[4367]: CONFIG: readconfig: parsing file: /etc/ntp.conf
Apr 18 17:27:00 genson ntpd[4367]: ERR: SIGSYS: got a trap.
Apr 18 17:27:00 genson ntpd[4367]: ERR: SIGSYS/seccomp bad syscall 397/0x40000028
nerdboy@genson ~ $ qlist -ICv ntpsec
net-misc/ntpsec-1.2.0-r1

Sorry, previous was on armv7, also this one on riscv64 as well:

Apr 29 22:54:38 beaglev ntpd[9773]: IO: Listen and drop on 0 v4wildcard 0.0.0.0:123
Apr 29 22:54:38 beaglev ntpd[9773]: IO: Listen normally on 1 lo 127.0.0.1:123
Apr 29 22:54:38 beaglev ntpd[9773]: IO: Listen normally on 2 eth0 192.168.0.98:123
Apr 29 22:54:38 beaglev ntpd[9773]: IO: Listening on routing socket on fd #19 for interface updates
Apr 29 22:54:38 beaglev ntpd[9773]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
Apr 29 22:54:38 beaglev ntpd[9773]: INIT: OpenSSL 1.1.1k 25 Mar 2021, 101010bf
Apr 29 22:54:38 beaglev ntpd[9773]: NTSc: Using system default root certificates.
Apr 29 22:54:38 beaglev ntpd[9773]: INIT: sandbox: seccomp enabled.
Apr 29 22:54:38 beaglev ntpd[9773]: ERR: SIGSYS: got a trap.
Apr 29 22:54:38 beaglev ntpd[9773]: ERR: SIGSYS/seccomp bad syscall 48/0xc00000f3

Kernel version is needed to be sure which syscall it is (to look up in the tables), but strace is useful as well

Portage 3.0.18 (python 3.8.9-final-0, default/linux/arm/17.0/armv7a/desktop/gnome, gcc-10.3.0, glibc-2.33, 5.11.0-rc5-tegra-r0 armv7l)
=================================================================
System uname: Linux-5.11.0-rc5-tegra-r0-armv7l-ARMv7_Processor_rev_3_-v7l-with-glibc2.4
KiB Mem: 1984236 total, 1536496 free
KiB Swap: 1048572 total, 1048572 free
Timestamp of repository gentoo: Thu, 15 Apr 2021 00:45:01 +0000
sh bash 5.1_p4
ld GNU gold (Gentoo 2.35.2 p1 2.35.2) 1.16
app-shells/bash: 5.1_p4::gentoo
dev-lang/perl: 5.32.1::gentoo
dev-lang/python: 3.8.9::gentoo, 3.9.4::gentoo
dev-lang/rust-bin: 1.51.0::gentoo
dev-util/cmake: 3.20.1::gentoo
sys-apps/baselayout: 2.7-r1::gentoo
sys-apps/openrc: 0.42.1-r1::gentoo
sys-apps/sandbox: 2.23::gentoo
sys-devel/autoconf: 2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake: 1.16.3-r1::gentoo
sys-devel/binutils: 2.35.2::gentoo
sys-devel/gcc: 10.3.0::gentoo
sys-devel/gcc-config: 2.4::gentoo
sys-devel/libtool: 2.4.6-r6::gentoo
sys-devel/make: 4.3::gentoo
sys-kernel/linux-headers: 5.11::gentoo (virtual/os-headers)
sys-libs/glibc: 2.33::gentoo
Repositories:

# /usr/sbin/ntpd
2021-05-23T10:40:12 ntpd[29899]: INIT: ntpd ntpsec-1.2.0 2021-05-23T17:22:20Z: Starting
2021-05-23T10:40:12 ntpd[29899]: INIT: Command line: /usr/sbin/ntpd

# tail /var/log/daemon.log
May 23 10:40:12 genson ntpd[29899]: INIT: ntpd ntpsec-1.2.0 2021-05-23T17:22:20Z: Starting
May 23 10:40:12 genson ntpd[29899]: INIT: Command line: /usr/sbin/ntpd
May 23 10:40:12 genson ntpd[29900]: INIT: precision = 0.500 usec (-21)
May 23 10:40:12 genson ntpd[29900]: INIT: successfully locked into RAM
May 23 10:40:12 genson ntpd[29900]: INIT: sandbox: seccomp enabled.
May 23 10:40:12 genson ntpd[29900]: CONFIG: readconfig: parsing file: /etc/ntp.conf
May 23 10:40:12 genson ntpd[29900]: ERR: SIGSYS: got a trap.
May 23 10:40:12 genson ntpd[29900]: ERR: SIGSYS/seccomp bad syscall 397/0x40000028

Portage 3.0.18 (python 3.8.9-final-0, default/linux/riscv/17.0/rv64gc/lp64d, gcc-10.3.0, glibc-2.33, 5.13.0-rc2-riscv64-r0.8 riscv64)
=================================================================
System uname: Linux-5.13.0-rc2-riscv64-r0.8-riscv64-with-glibc2.27
KiB Mem: 7406052 total, 7055860 free
KiB Swap: 524284 total, 524284 free
Timestamp of repository gentoo: Fri, 21 May 2021 19:20:33 +0000
Head commit of repository gentoo: 5801b566d115b7caa344210c4426c8e1436e535c
Head commit of repository lto-overlay: 9dfccddf1d70240b1ea62ec2725baf7caa9dce91
Head commit of repository mv: 371645b6bff0d387b84dd34f0793983fdb235989
sh bash 5.1_p4
ld GNU ld (Gentoo 2.36.1 p3) 2.36.1
ccache version 4.2.1 [disabled]
app-shells/bash: 5.1_p4::gentoo
dev-lang/perl: 5.32.1::gentoo
dev-lang/python: 3.8.9::gentoo
dev-util/ccache: 4.2.1::gentoo
dev-util/cmake: 3.20.1::gentoo
sys-apps/baselayout: 2.7-r2::gentoo
sys-apps/openrc: 0.42.1-r1::gentoo
sys-apps/sandbox: 2.23::gentoo
sys-devel/autoconf: 2.69-r5::gentoo
sys-devel/automake: 1.16.3-r1::gentoo
sys-devel/binutils: 2.36.1-r1::gentoo
sys-devel/gcc: 10.3.0::gentoo
sys-devel/gcc-config: 2.4::gentoo
sys-devel/libtool: 2.4.6-r6::gentoo
sys-devel/make: 4.3::gentoo
sys-kernel/linux-headers: 5.11::gentoo (virtual/os-headers)
sys-libs/glibc: 2.33::gentoo

# tail /var/log/daemon.log
May 23 11:25:45 beaglev ntpd[20230]: IO: Listen normally on 3 eth0 192.168.0.98:123
May 23 11:25:45 beaglev ntpd[20230]: IO: Listen normally on 4 lo [::1]:123
May 23 11:25:45 beaglev ntpd[20230]: IO: Listen normally on 5 eth0 [fe80::2ef7:f1ff:fe1b:e3b1%2]:123
May 23 11:25:45 beaglev ntpd[20230]: IO: Listening on routing socket on fd #22 for interface updates
May 23 11:25:45 beaglev ntpd[20230]: INIT: MRU 10922 entries, 13 hash bits, 65536 bytes
May 23 11:25:45 beaglev ntpd[20230]: INIT: OpenSSL 1.1.1k 25 Mar 2021, 101010bf
May 23 11:25:45 beaglev ntpd[20230]: NTSc: Using system default root certificates.
May 23 11:25:45 beaglev ntpd[20230]: INIT: sandbox: seccomp enabled.
May 23 11:25:45 beaglev ntpd[20230]: ERR: SIGSYS: got a trap.
May 23 11:25:45 beaglev ntpd[20230]: ERR: SIGSYS/seccomp bad syscall 48/0xc00000f3

Created attachment 712926 [details, diff]
proposed patch to add syscalls to NTPsec seccomp sandbox
If it is reasonably convenient, could you test the patch on NTPsec? If it resolves your issues (which should have been in a couple of new issues), I could get it included in the release after next. Also, I seem to have forgotten if you said 32 bit ARM or aarch64.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a87107cfff01e74e3519624360dbd72a60a1fdd9

commit a87107cfff01e74e3519624360dbd72a60a1fdd9
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-10 21:09:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-10 21:09:31 +0000

    net-misc/ntpsec: add seccomp patch from upstream

    Closes: https://bugs.gentoo.org/786228
    Closes: https://bugs.gentoo.org/705128
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/ntpsec/files/ntpsec-1.2.0-seccomp.patch      | 19 +++++++++++++++++++
 ...{ntpsec-1.2.0-r1.ebuild => ntpsec-1.2.0-r2.ebuild} |  5 +++--
 2 files changed, 22 insertions(+), 2 deletions(-)
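
Added example (not part of the bug thread and not NTPsec code): one way to do the table lookup asked for above on the "SIGSYS/seccomp bad syscall N/0x..." lines reported here. It assumes the second number is the kernel's AUDIT_ARCH value (ELF machine number plus flag bits), which both values in the thread match; the syscall tables are short excerpts covering only the file-metadata calls this bug is about, and all function names are hypothetical.

```python
import re

# AUDIT_ARCH_* is the ELF e_machine number OR-ed with these flags (linux/audit.h).
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000

# ELF e_machine numbers for the architectures that come up in this bug.
EM_MACHINES = {40: "arm", 62: "x86_64", 183: "aarch64", 243: "riscv"}

# Excerpts of the kernel syscall tables, limited to the file-metadata calls
# this bug is about; other numbers are reported as unknown, never guessed.
GENERIC_64 = {48: "faccessat", 79: "newfstatat", 291: "statx"}
SYSCALLS = {
    "arm": {327: "fstatat64", 334: "faccessat", 397: "statx"},
    "aarch64": GENERIC_64,
    "riscv64": GENERIC_64,
    "x86_64": {262: "newfstatat", 269: "faccessat", 332: "statx"},
}

TRAP_RE = re.compile(r"SIGSYS/seccomp bad syscall (\d+)/0x([0-9a-fA-F]+)")

# Log lines copied from the comments in this bug (armv7 host, then riscv64 host).
SAMPLE_LOG = """\
Apr 18 17:27:00 genson ntpd[4367]: INIT: sandbox: seccomp enabled.
Apr 18 17:27:00 genson ntpd[4367]: ERR: SIGSYS: got a trap.
Apr 18 17:27:00 genson ntpd[4367]: ERR: SIGSYS/seccomp bad syscall 397/0x40000028
May 23 10:40:12 genson ntpd[29900]: ERR: SIGSYS/seccomp bad syscall 397/0x40000028
Apr 29 22:54:38 beaglev ntpd[9773]: ERR: SIGSYS/seccomp bad syscall 48/0xc00000f3
""".splitlines()


def decode_arch(audit_arch):
    """Map an AUDIT_ARCH value to an architecture name, or None if unknown."""
    machine = EM_MACHINES.get(audit_arch & 0xFFFF)
    if machine is None or not audit_arch & AUDIT_ARCH_LE:
        return None  # unknown machine, or a big-endian variant not covered here
    is_64bit = bool(audit_arch & AUDIT_ARCH_64BIT)
    if machine == "riscv":
        return "riscv64" if is_64bit else "riscv32"
    # arm is 32-bit; x86_64 and aarch64 always carry the 64-bit flag.
    if is_64bit != (machine in ("x86_64", "aarch64")):
        return None
    return machine


def decode_trap(line):
    """Parse one log line; return a dict for a seccomp trap, else None."""
    m = TRAP_RE.search(line)
    if m is None:
        return None
    nr, audit_arch = int(m.group(1)), int(m.group(2), 16)
    arch = decode_arch(audit_arch)
    name = SYSCALLS.get(arch, {}).get(nr)
    return {"nr": nr, "audit_arch": audit_arch, "arch": arch, "syscall": name}


def blocked_syscalls(lines):
    """Unique (arch, syscall) pairs the sandbox rejected, in sorted order.

    Numbers missing from the excerpt tables are kept as 'nr <N>' so they can
    be looked up by hand in the kernel's table for that architecture.
    """
    found = set()
    for line in lines:
        trap = decode_trap(line)
        if trap is None:
            continue
        arch = trap["arch"] or "arch 0x%08x" % trap["audit_arch"]
        found.add((arch, trap["syscall"] or "nr %d" % trap["nr"]))
    return sorted(found)


if __name__ == "__main__":
    for arch, name in blocked_syscalls(SAMPLE_LOG):
        print(f"{arch}: {name}")
```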