Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#55125 - [systemd] 234.11-6: Seccomp has been disabled since 233.75-3
Attached to Project:
Arch Linux
Opened by MushiMushy (MushiMushy) - Sunday, 13 August 2017, 11:02 GMT
Last edited by Christian Hesse (eworm) - Monday, 14 August 2017, 08:02 GMT
Details
The last version of systemd that was built with support for seccomp was 233.75-2, and for about a month now systemd has been reporting -SECCOMP in the journal. Disabling seccomp seems to disable some security features such as MemoryDenyWriteExecute and SystemCallFilter, which are used in many of the units that come with systemd, at least.
I was trying to use MemoryDenyWriteExecute as a replacement for PAX_MPROTECT now that linux-grsec is no more, which made me notice that the option is silently ignored. I wonder if disabling seccomp was done on purpose, as I find no mention of disabling it in the release logs and the PKGBUILD still depends on libseccomp. Maybe it should be enabled?
Closed by Christian Hesse (eworm)
Monday, 14 August 2017, 08:02 GMT
Reason for closing: Fixed
Additional comments about closing: systemd 234.11-8
systemd 234
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN default-hierarchy=hybrid
However, /usr/lib/systemd/system/systemd-journald.service uses SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
With systemd 234.11-6 I am not seeing any output from that service referring to -SECCOMP.
So is the meson autodetection of libseccomp failing? https://github.com/systemd/systemd/blob/v234/meson.build#L649
$ systemctl show systemd-journald --property=SystemCallFilter --property=MemoryDenyWriteExecute
SystemCallFilter=~
MemoryDenyWriteExecute=no
If I rebuild systemd without any changes in PKGBUILD, libseccomp does get detected and the above command shows:
SystemCallFilter=~_sysctl add_key adjtimex afs_syscall bdflush break chroot clock_adjtime...
MemoryDenyWriteExecute=yes
$ grep libseccomp .BUILDINFO
So libseccomp was not present in the build environment.
I'm not sure about having to include libseccomp in makedepends though. I cannot run makepkg before I have installed all packages that are defined in the depends array.
Ok, I thought a build was not possible without libseccomp.
See https://ptpb.pw/CyvI as a quick example I threw together.
FWIW the only reason systemd was ever in the build environment either is because device-mapper<=2.02.172-2 depended on it, though now it depends on libsystemd only. :)
Nice to see this getting attention so soon.
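A check for the condition this report describes, written here as an added example (not part of the report or of systemd): it reads the feature flags printed by 'systemctl --version' and the effective 'SystemCallFilter'/'MemoryDenyWriteExecute' properties of a unit, and reports when the unit's sandboxing settings are being silently ignored. The sample strings are constructed from the output quoted above and the function names are my own.

```sh
#!/bin/sh
# Detect a systemd build without seccomp support and the sandboxing properties
# that quietly stop applying as a result. Inputs are passed as strings so the
# script runs offline; the live invocation is shown at the bottom.

# Constructed sample: feature flags of a build without seccomp (as in the report).
SAMPLE_VERSION_NOSECCOMP='systemd 234
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN default-hierarchy=hybrid'

# Constructed sample: the same flags with seccomp compiled in.
SAMPLE_VERSION_SECCOMP='systemd 234
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN default-hierarchy=hybrid'

# Constructed samples: effective unit properties, ignored vs. applied.
SAMPLE_SHOW_BROKEN='SystemCallFilter=~
MemoryDenyWriteExecute=no'
SAMPLE_SHOW_OK='SystemCallFilter=~_sysctl add_key adjtimex afs_syscall bdflush
MemoryDenyWriteExecute=yes'

# seccomp_compiled_in VERSION_OUTPUT: succeeds when "+SECCOMP" is among the flags.
seccomp_compiled_in() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- '+SECCOMP'
}

# sandbox_effective SHOW_OUTPUT: succeeds when the unit has a non-empty syscall
# deny-list and MemoryDenyWriteExecute=yes; names each ineffective property.
sandbox_effective() {
    _rc=0
    # "SystemCallFilter=~" with nothing after the tilde is an empty deny-list.
    if printf '%s\n' "$1" | grep -qx -e 'SystemCallFilter=~' -e 'SystemCallFilter='; then
        echo "SystemCallFilter: empty (unit setting ignored)"
        _rc=1
    fi
    if printf '%s\n' "$1" | grep -qx 'MemoryDenyWriteExecute=no'; then
        echo "MemoryDenyWriteExecute: no"
        _rc=1
    fi
    return $_rc
}

# audit_unit VERSION_OUTPUT SHOW_OUTPUT: succeeds only when both checks pass.
audit_unit() {
    if ! seccomp_compiled_in "$1"; then
        echo "systemd built without seccomp: SystemCallFilter= and MemoryDenyWriteExecute= are silently ignored"
        return 1
    fi
    sandbox_effective "$2"
}

# Live use on a host (left commented so the script stays offline):
# audit_unit "$(systemctl --version)" "$(systemctl show systemd-journald -p SystemCallFilter -p MemoryDenyWriteExecute)"
```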