On 1 August 2016 at 18:32, Rick Thomas <rbtho...@pobox.com> wrote:
>
> On Aug 1, 2016, at 2:40 PM, Felipe Sateler <fsate...@debian.org> wrote:
>
>> On 28 July 2016 at 17:04, Michael Biebl <bi...@debian.org> wrote:
>>> On 28.07.2016 at 22:50, Rick Thomas wrote:
>>>> In the interest of having a working system, I reverted that machine to 
>>>> systemd version 230-7.  Unsurprisingly, the problem went away.
>>>>
>>>> I’ll try re-installing 231-1 and commenting that line.  I’ll probably have 
>>>> a chance tonight.  I’ll report when I have something.
>>>>
>>>> It may be worth noticing that other things failed as well when 231-1 was 
>>>> in.  I’m attaching a ‘grep -i fail -C20’ of the screen log.  Of particular 
>>>> note are “Failed to start Raise network interfaces” and “Failed to start 
>>>> Login Service.”
>>>>
>>>> Are there other places where I should remove a “SystemCallFilter” ?
>>>>
>>>
>>> Various units were locked down like e.g. in
>>> https://github.com/systemd/systemd/commit/4e069746fe0de1f60bd1b75c113b0f40ffe86736
>>>
>>> If the SystemCallFilter= is what causes journald to fail, it's likely it
>>> also affects those other services.
>>
>> Turns out seccomp is disabled in the arm* kernels:
>>
>> % grep SECCOMP boot/config-4.6.0-1-marvell
>> CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
>> # CONFIG_SECCOMP is not set
>>
>> % grep SECCOMP boot/config-4.6.0-1-armmp
>> CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
>> # CONFIG_SECCOMP is not set
>>
>> So I think the kernel should enable SECCOMP.
>>
>> However, I think systemd should also simply (warn and) ignore seccomp
>> calls if seccomp is not available in the current kernel.
>>
>> --
>>
>> Regards,
>> Felipe Sateler
>
> Thanks, Felipe!
>
> What do we have to do at this point to test this and then translate it into a 
> patch?

OK, so I have a proof-of-concept patch. Rick, could you test it on your machine?

-- 

Regards,
Felipe Sateler
diff --git a/src/core/execute.c b/src/core/execute.c
index 7c178b9..2d45bc9 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2103,35 +2103,37 @@ static int exec_child(
                         }
 
 #ifdef HAVE_SECCOMP
-                if (use_address_families) {
-                        r = apply_address_families(context);
-                        if (r < 0) {
-                                *exit_status = EXIT_ADDRESS_FAMILIES;
-                                return r;
+                if (is_seccomp_enabled()) {
+                        if (use_address_families) {
+                                r = apply_address_families(context);
+                                if (r < 0) {
+                                        *exit_status = EXIT_ADDRESS_FAMILIES;
+                                        return r;
+                                }
                         }
-                }
 
-                if (context->memory_deny_write_execute) {
-                        r = apply_memory_deny_write_execute(context);
-                        if (r < 0) {
-                                *exit_status = EXIT_SECCOMP;
-                                return r;
+                        if (context->memory_deny_write_execute) {
+                                r = apply_memory_deny_write_execute(context);
+                                if (r < 0) {
+                                        *exit_status = EXIT_SECCOMP;
+                                        return r;
+                                }
                         }
-                }
 
-                if (context->restrict_realtime) {
-                        r = apply_restrict_realtime(context);
-                        if (r < 0) {
-                                *exit_status = EXIT_SECCOMP;
-                                return r;
+                        if (context->restrict_realtime) {
+                                r = apply_restrict_realtime(context);
+                                if (r < 0) {
+                                        *exit_status = EXIT_SECCOMP;
+                                        return r;
+                                }
                         }
-                }
 
-                if (use_syscall_filter) {
-                        r = apply_seccomp(context);
-                        if (r < 0) {
-                                *exit_status = EXIT_SECCOMP;
-                                return r;
+                        if (use_syscall_filter) {
+                                r = apply_seccomp(context);
+                                if (r < 0) {
+                                        *exit_status = EXIT_SECCOMP;
+                                        return r;
+                                }
                         }
                 }
 #endif
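Review bot: When is_seccomp_enabled() returns false, the new outer block skips all four restrictions (apply_address_families, apply_memory_deny_write_execute, apply_restrict_realtime, apply_seccomp) without logging anything, so a unit that configures them starts unconfined and nothing records it. The covering mail proposes to "(warn and) ignore"; add an else branch that logs a warning when use_address_families, context->memory_deny_write_execute, context->restrict_realtime or use_syscall_filter is set, so the fail-open is visible in the journal.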
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 8656d11..41e22a4 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -21,6 +21,8 @@
 #include <seccomp.h>
 #include <stddef.h>
 
+#include "alloc-util.h"
+#include "fileio.h"
 #include "macro.h"
 #include "seccomp-util.h"
 #include "string-util.h"
@@ -89,6 +91,11 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) {
 
 }
 
+bool is_seccomp_enabled() {
+        _cleanup_free_ char* field = NULL;
+        return get_proc_field("/proc/self/status", "Seccomp", "\n", &field) == 0;
+}
+
 const SystemCallFilterSet syscall_filter_sets[] = {
         {
                 /* Clock */
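Review bot: In is_seccomp_enabled(), the `== 0` comparison treats every get_proc_field() failure the same as a missing "Seccomp" field, so an unreadable /proc/self/status or an allocation failure would also switch the filters off in exec_child(). Distinguish the field-not-found result from other errors and log or propagate the latter. The function checks only that the field is present, not its value, so a name such as is_seccomp_available() would describe it more accurately.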
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index be33eec..0b6fa9d 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -27,6 +27,8 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret);
 
 int seccomp_add_secondary_archs(scmp_filter_ctx *c);
 
+bool is_seccomp_enabled();
+
 typedef struct SystemCallFilterSet {
         const char *set_name;
         const char *value;
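Review bot: The declaration `bool is_seccomp_enabled();` has an empty parameter list, which in C is not a prototype and lets callers pass arguments unchecked; declare it as `bool is_seccomp_enabled(void);` and match the definition in seccomp-util.c. A one-line comment stating what "enabled" means here (kernel support is present, not that a filter is installed) would help callers.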
