Mailinglist Archive: opensuse-factory (1324 mails)

Re: [opensuse-factory] 32bit apps on OS 13.2 64bit responses with Bad system call
03.10.2015 20:47, Peter Ragosch wrote:
On Sat, 3 Oct 2015 18:55:47 +0300,
Andrei Borzenkov <arvidjaar@xxxxxxxxx> wrote:

raven:~ # cat /proc/self/status | grep -i seccomp
Seccomp: 2
raven:~ #


Yes, you have seccomp enabled in mode 2. Unfortunately, I do not know
if it is possible to fetch the actual seccomp filter in use.

Please read man systemd-system.conf. Check every file and directory
mentioned in this page - does it have SystemCallArchitectures set and
to which value. If there is none - something enables seccomp and you
will find out what. Start with booting with init=/bin/sh. What value
does Seccomp have now? Boot into run level 1 - what value does Seccomp have now?

Under /etc/systemd/ I found two files containing SystemCallArchitectures

/etc/systemd/system.conf:
SystemCallArchitectures=x86-64
other entries commented out

/etc/systemd/user.conf:
all entries commented out

I found:
SystemCallArchitectures= Takes a space-separated list of architecture
identifiers. Selects from which architectures system calls may be
invoked on this system.

So I guess "x86-64" is not correct in case 32bit code should be
executable, too. It should be "x86 x86-64". Right?


Default is nothing (this line is commented out). This means - no seccomp filters at all installed by systemd. So comment it out.

init=/bin/sh Seccomp: 2

Well, it probably got copied into the initrd, so every process now inherits the filter. You also need to recreate the initrd after commenting out SystemCallArchitectures.

init 1 to 5 Seccomp: 2

I think, I got the intention of SECure COMputing.
(I'm not a programmer, only a user)
But I can't see what is able to set the Seccomp mode, except it depends
on the SystemCallArchitectures option. And if so, what has changed the
option and why?

That I cannot answer. You can check the modification time of this file and try to remember what happened at this point. But unless you had audit enabled, unfortunately there is no way to know it for sure.

On the other hand, is it secure to change the SystemCallArchitectures
option simply to "x86 x86-64"?



--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx
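
The checks discussed in this thread, collected as an added example (not part of the original mails): it reads the Seccomp mode from a status file and lists every uncommented SystemCallArchitectures= setting in the systemd manager configuration. The helper names are hypothetical, and the drop-in directory paths are an assumption taken from current systemd-system.conf(5); they may not all exist on openSUSE 13.2.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the thread.

# Print the seccomp mode recorded in a /proc/<pid>/status file
# (0 = disabled, 1 = strict, 2 = filter).
seccomp_mode() {
    awk '$1 == "Seccomp:" { print $2 }' "$1"
}

# Print "file: value" for every uncommented SystemCallArchitectures= line
# in the given files. Missing files and unmatched globs are skipped.
active_syscall_archs() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*SystemCallArchitectures[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$f" |
        while IFS= read -r v; do
            printf '%s: %s\n' "$f" "$v"
        done
    done
}

# Succeed if a SystemCallArchitectures value lets 32-bit x86 code make
# system calls: either the list is empty (no filter) or it names "x86".
allows_x86_32() {
    case " $1 " in
        "  ")      return 0 ;;
        *" x86 "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Report for the running system. The status read here belongs to the awk
# child process, which inherits any filter installed by PID 1.
if [ -r /proc/self/status ]; then
    echo "Seccomp mode inherited by new processes: $(seccomp_mode /proc/self/status)"
fi
# Assumption: drop-in paths as listed in current systemd-system.conf(5).
active_syscall_archs \
    /etc/systemd/system.conf /etc/systemd/user.conf \
    /etc/systemd/system.conf.d/*.conf /run/systemd/system.conf.d/*.conf \
    /usr/lib/systemd/system.conf.d/*.conf
```

This only inspects the root filesystem; as noted in the thread, a copy of the setting inside the initrd stays in effect until the initrd is recreated.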
