FS#74637 - [matrix-appservice-irc] Attempted call to pkey_alloc() violates SystemCallFilter
Attached to Project:
Community Packages
Opened by Leon Möller (jkhsjdhjs) - Wednesday, 04 May 2022, 10:34 GMT
Last edited by Toolybird (Toolybird) - Friday, 19 May 2023, 06:06 GMT
Details
Description:
When attempting to start matrix-appservice-irc.service it immediately gets terminated on my system, because it attempts to call pkey_alloc() which is not contained in the SystemCallFilter directive of the .service file. To find out which system call results in termination, I ran it with strace:

[...]
May 04 09:54:09 matrix strace[1637]: futex(0x7ffd212a04b0, FUTEX_WAKE_PRIVATE, 1) = 0
May 04 09:54:09 matrix strace[1637]: futex(0x7ffd212a04b0, FUTEX_WAKE_PRIVATE, 1) = 0
May 04 09:54:09 matrix strace[1637]: uname({sysname="Linux", nodename="matrix", ...}) = 0
May 04 09:54:09 matrix strace[1637]: pkey_alloc(0, PKEY_DISABLE_ACCESS) = ?
May 04 09:54:09 matrix strace[1637]: +++ killed by SIGSYS +++
May 04 09:54:09 matrix systemd[1]: matrix-appservice-irc.service: Main process exited, code=killed, status=31/SYS
May 04 09:54:09 matrix systemd[1]: matrix-appservice-irc.service: Failed with result 'signal'.

There isn't a pre-defined system call set which includes pkey_alloc (except @known), but adding just pkey_alloc to the SystemCallFilter allows it to run without further issues:

[...]
May 04 09:55:34 matrix strace[1738]: futex(0x7ffd8e869980, FUTEX_WAKE_PRIVATE, 1) = 0
May 04 09:55:34 matrix strace[1738]: futex(0x7ffd8e869980, FUTEX_WAKE_PRIVATE, 1) = 0
May 04 09:55:34 matrix strace[1738]: uname({sysname="Linux", nodename="matrix", ...}) = 0
May 04 09:55:34 matrix strace[1738]: pkey_alloc(0, PKEY_DISABLE_ACCESS) = -1 EINVAL (Invalid argument)
May 04 09:55:34 matrix strace[1738]: epoll_create1(EPOLL_CLOEXEC) = 13
May 04 09:55:34 matrix strace[1738]: pipe2([14, 15], O_NONBLOCK|O_CLOEXEC) = 0
May 04 09:55:34 matrix strace[1738]: eventfd2(0, EFD_CLOEXEC|EFD_NONBLOCK) = 16
[...]

Additional info:
* package version(s) 0.33.1-1, 0.34.0-1

Steps to reproduce:
1. systemctl start matrix-appservice-irc.service

The issue probably depends on the system configuration to some extent, otherwise someone else would've already reported it.
Maybe it uses uname to check what kind of system it runs on and only executes pkey_alloc() on some?

uname -a:
Linux matrix 5.13.19-1-pve #1 SMP PVE 5.13.19-2 (Tue, 09 Nov 2021 12:59:38 +0100) x86_64 GNU/Linux

It's an LXC container on a Proxmox host.
Closed by Toolybird (Toolybird)
Friday, 19 May 2023, 06:06 GMT
Reason for closing: Fixed
Additional comments about closing: matrix-appservice-irc 0.34.0-2
Please let me know whether 0.34.0-2 in [community-testing] fixes this for you.
Maybe we also need to add pkey_free (when looking at the man page: https://man.archlinux.org/man/pkey_alloc.2).
systemd should probably also add a system call set for these, or include them in an existing one.
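The diagnosis used in this report (find the syscall strace prints as `= ?` immediately before `+++ killed by SIGSYS +++`) can be automated. The following is an added example, not part of the original report or of the package: the function names and sample logs are constructed, it assumes a single-process trace in the journal format quoted above, and the generated drop-in assumes the unit's SystemCallFilter is an allow-list, which repeated SystemCallFilter= lines extend.

```python
import re

# Constructed sample, in the journal + strace format shown in the report.
KILLED_LOG = """\
May 04 09:54:09 matrix strace[1637]: futex(0x7ffd212a04b0, FUTEX_WAKE_PRIVATE, 1) = 0
May 04 09:54:09 matrix strace[1637]: uname({sysname="Linux", nodename="matrix", ...}) = 0
May 04 09:54:09 matrix strace[1637]: pkey_alloc(0, PKEY_DISABLE_ACCESS) = ?
May 04 09:54:09 matrix strace[1637]: +++ killed by SIGSYS +++
"""
# Constructed sample: the same call once the filter allows it (it returns).
FIXED_LOG = """\
May 04 09:55:34 matrix strace[1738]: pkey_alloc(0, PKEY_DISABLE_ACCESS) = -1 EINVAL (Invalid argument)
May 04 09:55:34 matrix strace[1738]: epoll_create1(EPOLL_CLOEXEC) = 13
"""

# Optional journal prefix "Mon DD HH:MM:SS host strace[pid]: ", then the record.
PREFIX = re.compile(r"^(?:\w{3} +\d+ [\d:]+ \S+ strace\[(?P<pid>\d+)\]: )?(?P<rec>.*)$")
# strace prints a syscall that never returned as "name(args) = ?".
UNFINISHED = re.compile(r"^(?P<name>[a-z_][a-z0-9_]*)\(.*\)\s+=\s+\?$")


def find_filtered_syscalls(log_text):
    """Return [(pid, syscall)] for every process killed by SIGSYS mid-syscall."""
    pending = {}  # pid -> syscall that had not returned on the previous line
    hits = []
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        pid, rec = m.group("pid"), m.group("rec")
        call = UNFINISHED.match(rec)
        if call:
            pending[pid] = call.group("name")
        elif rec.startswith("+++ killed by SIGSYS") and pid in pending:
            hits.append((pid, pending.pop(pid)))
        else:
            # Any other record means the earlier call is not the culprit.
            pending.pop(pid, None)
    return hits


def dropin_for(hits):
    """Render a systemd drop-in that adds the blocked syscalls to an allow-list."""
    names = sorted({name for _pid, name in hits})
    return "[Service]\nSystemCallFilter=" + " ".join(names) + "\n"


if __name__ == "__main__":
    print(dropin_for(find_filtered_syscalls(KILLED_LOG)), end="")
```

Review each reported syscall before allowing it; the output is a candidate drop-in for the unit, not a change to apply blindly.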