[FS#4138] procd requires seccomp in certain configurations

OpenWrt Bugs openwrt-bugs at lists.openwrt.org
Tue Nov 16 20:33:30 PST 2021


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Kirill Elagin (kirelagin) 

Attached to Project - OpenWrt/LEDE Project
Summary - procd requires seccomp in certain configurations
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Low
Priority - Very Low
Reported Version - openwrt-21.02
Due in Version - Undecided
Due Date - Undecided
Details - If //CONFIG_PACKAGE_procd-seccomp=y//, procd will be built with //-DSECCOMP_SUPPORT//.

In practice, this means that if some service’s init script tries to set a seccomp policy, procd will call the ///sbin/seccomp-trace// binary ([[https://git.openwrt.org/?p=project/procd.git;a=blob;f=service/instance.c;h=8cabedb8b0fd789fb0686c7b4a9f35ec3abfd441;hb=HEAD#l489|relevant code]]). The problem is that this binary, which is part of procd, is not installed by the //procd// package; it is contained in a separate //procd-seccomp// package. So, the service which tries to set the policy will fail to start.

I can see the following options:

1. Any package that wants to do //procd_set_param seccomp// in its init script needs to explicitly depend on //procd-seccomp// (and this needs to be documented somewhere).
2. Init scripts should request seccomp conditionally, only if it is available (if //procd-seccomp// is installed? or what should the test be?).
3. //procd-seccomp// needs to be installed by default whenever //CONFIG_PACKAGE_procd-seccomp=y//.

Currently, I am aware of two packages affected: umdns (https://bugs.openwrt.org/index.php?do=details&task_id=3355) and transmission (https://github.com/openwrt/packages/issues/16972), but, I imagine, eventually there will be more.

More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=4138

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
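
An added example, not part of the original report or of procd: a shell audit for the condition described above, listing init scripts that call procd_set_param seccomp and flagging them when /sbin/seccomp-trace is absent. It assumes procd was built with -DSECCOMP_SUPPORT and that init scripts live under /etc/init.d; the function names and the root-prefix argument are hypothetical.

```sh
#!/bin/sh
# Added example (not procd code). The helper path is the one named in the report.
SECCOMP_HELPER=/sbin/seccomp-trace

# Print the names of init scripts under $1/etc/init.d that request a
# seccomp policy. Commented-out requests are ignored. Scripts that guard
# the request with their own test are still listed and need manual review.
seccomp_services() {
	root=$1
	for f in "$root"/etc/init.d/*; do
		[ -f "$f" ] || continue
		if grep -Eq '^[^#]*procd_set_param[[:space:]]+seccomp' "$f"; then
			basename "$f"
		fi
	done
}

# Return 0 if the helper shipped in procd-seccomp is installed under $1.
seccomp_helper_present() {
	[ -x "$1$SECCOMP_HELPER" ]
}

# Print one line per service that requests seccomp while the helper is
# missing. Returns 1 if any such service exists, 0 otherwise.
audit_seccomp() {
	root=$1
	services=$(seccomp_services "$root")
	[ -n "$services" ] || return 0
	if seccomp_helper_present "$root"; then
		return 0
	fi
	for s in $services; do
		echo "$s: requests seccomp but $SECCOMP_HELPER is missing"
	done
	return 1
}
```

Call `audit_seccomp ""` on the device itself, or pass the path of an unpacked root filesystem to check an image before flashing.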


