Bug 1546063 - SystemCallFilter= is broken
Summary: SystemCallFilter= is broken
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.5
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: rc
Target Release: ---
Assignee: systemd-maint
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-02-16 09:01 UTC by Susant Sahani
Modified: 2023-09-07 19:03 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-25 20:41:30 UTC
Target Upstream Version:
Embargoed:



Description Susant Sahani 2018-02-16 09:01:31 UTC
Description of problem:

SystemCallFilter= is broken 

Version-Release number of selected component (if applicable):
219

How reproducible:
frequent

Steps to Reproduce:

use 
https://github.com/systemd/systemd-fedora-ci/blob/master/execute/exec-systemcallfilter-failing.service

or 

exec-systemcallfilter-failing2.service

Actual results:
SystemCallFilter= is not working 

Expected results:

Should work



Additional info:

Comment 2 Ján Lalinský 2019-03-19 10:20:20 UTC
Also, according to tigalch here:

https://bugs.centos.org/view.php?id=15934#c34042

SECCOMP is not enabled in RHEL-distributed build of systemd, even though the Linux kernel (I've checked CentOS 3.10.0-957.5.1.el7.x86_64) does support SECCOMP and upstream systemd does support using SECCOMP via SystemCallFilter from version 187.

Is this lack of support of SECCOMP in systemd in RHEL 7 intentional? Is this sort of thing (intentional feature drop) expected to be documented somewhere on Red Hat's site or in package files?

Comment 3 Kyle Walker 2020-02-25 20:41:30 UTC
Good afternoon,

It isn't that SECCOMP is broken, it's that the systemd revision shipped with RHEL 7 doesn't enable it via the applicable Requires and BuildRequires specfile entries:

# systemctl show | grep Features
Features=+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN

The "-SECCOMP" indicates that this is not enabled at compile time. The reason for this disabled state is due to the libseccomp{,-devel} not being defined as a requirement for the package:

configure.ac:
<snip>
# ------------------------------------------------------------------------------
have_seccomp=no
AC_ARG_ENABLE(seccomp, AS_HELP_STRING([--disable-seccomp], [Disable optional SECCOMP support]))
if test "x$enable_seccomp" != "xno"; then
        PKG_CHECK_MODULES(SECCOMP, [libseccomp >= 1.0.0],
               [AC_DEFINE(HAVE_SECCOMP, 1, [Define if seccomp is available])
                have_seccomp=yes
                M4_DEFINES="$M4_DEFINES -DHAVE_SECCOMP"],
               [have_seccomp=no])
        if test "x$have_seccomp" = "xno" -a "x$enable_seccomp" = "xyes"; then
                AC_MSG_ERROR([*** seccomp support requested but libraries not found])
        fi
fi
AM_CONDITIONAL(HAVE_SECCOMP, [test "$have_seccomp" = "yes"])

# ------------------------------------------------------------------------------
<snip>

systemd.spec - No "--disable-seccomp" included
<snip>
%build
./autogen.sh

CONFIGURE_OPTS=(
    --libexecdir=%{_prefix}/lib
    --with-sysvinit-path=/etc/rc.d/init.d
    --with-rc-local-script-path-start=/etc/rc.d/rc.local
    --disable-timesyncd
    --disable-kdbus
    --disable-terminal
    --enable-gtk-doc
    --enable-compat-libs
    --disable-sysusers
    --disable-ldconfig
    --enable-lz4
%ifarch s390 s390x ppc %{power64} aarch64
    --disable-lto
%endif
)

%configure "${CONFIGURE_OPTS[@]}"
make %{?_smp_mflags} GCC_COLORS="" V=1
<snip>


The feature can be included by altering the BuildRequires and Requires flags as shown below. These pull the libseccomp packages into the build, and result in the feature being enabled.

diff --git a/systemd.spec b/systemd.spec
index d4c7539..187cd7b 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -845,6 +845,7 @@ BuildRequires:  autoconf
 BuildRequires:  libtool
 BuildRequires:  git
 BuildRequires:  libmount-devel
+BuildRequires:  libseccomp-devel
 
 Requires(post): coreutils
 Requires(post): gawk
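Review bot: the added `BuildRequires:  libseccomp-devel` carries no version constraint, while the configure.ac check quoted above asks for `libseccomp >= 1.0.0`; writing it as `BuildRequires:  libseccomp-devel >= 1.0.0` makes a too-old devel package fail at dependency resolution instead of at configure time. Since CONFIGURE_OPTS passes neither --enable-seccomp nor --disable-seccomp, a build host missing the devel package still builds successfully and silently yields a "-SECCOMP" binary; adding `--enable-seccomp` to CONFIGURE_OPTS turns that into the AC_MSG_ERROR shown in configure.ac, which is the failure mode you want for a security feature.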
@@ -858,6 +859,7 @@ Requires:       %{name}-libs = %{version}-%{release}
 Requires:       kmod >= 18-4
 Requires:       redhat-release >= 7.0
 Requires:       diffutils
+Requires:       libseccomp
 
 Provides:       /bin/systemctl
 Provides:       /sbin/shutdown
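Review bot: `Requires:       libseccomp` is unversioned; if an explicit runtime dependency is kept it should match the build-time constraint from configure.ac (`Requires:       libseccomp >= 1.0.0`), in the same style as the neighbouring `kmod >= 18-4` and `redhat-release >= 7.0` entries. Whatever form it takes, the result should be confirmed after installation with the `systemctl show | grep Features` check shown in this comment, since a "-SECCOMP" binary gives no error when a unit sets SystemCallFilter=.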


We now have "+SECCOMP" as it has been built with the libseccomp dependency being available:

# systemctl show | grep Features
Features=+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN


That being said, searching through associated bug reports, there has been another fairly recent private request to enable this functionality. In the process of researching that request, the Development Engineering teams determined that the risk was sufficiently high to avoid including it within the Red Hat Enterprise Linux 7 release. With that being the case, and that this currently meets the criteria of a Feature Enhancement, I am closing this as WONTFIX in accordance with the following. When Red Hat shipped 7.7 on Aug 6, 2019, Red Hat Enterprise Linux 7 entered Maintenance Support 1 Phase.

    https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_1_Phase

That means only "Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released". This BZ does not appear to meet Maintenance Support 1 Phase criteria so is being closed WONTFIX. If this is critical for your environment please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration in the next minor release.
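As an added defender-side check (not part of the bug report, of the systemd-fedora-ci units, or of Red Hat's package), the POSIX shell script below turns the `systemctl show | grep Features` inspection from comment 3 into a reusable test: it classifies a Features= line as seccomp enabled/disabled, counts the SystemCallFilter= directives in a unit file, and reports whether those filters will be enforced or silently ignored on the host. The two Features= lines are the ones quoted in comment 3; the unit file, and the names `seccomp_state`, `count_syscall_filters` and `verdict`, are constructed for this example. When `systemctl` can reach the manager the script checks the live host; otherwise it falls back to the RHEL 7 line.

```shell
#!/bin/sh
# Added example, not from the bug report: decide whether SystemCallFilter=
# directives are enforced on this host or silently ignored because systemd
# was compiled without seccomp support (the "-SECCOMP" case from comment 3).

# Map a Features= line from `systemctl show` to enabled/disabled/unknown.
# The line is a space-separated list of compile-time options, each prefixed
# with "+" (built in) or "-" (left out).
seccomp_state() {
    features=${1#Features=}
    case " $features " in
        *" +SECCOMP "*) echo enabled ;;
        *" -SECCOMP "*) echo disabled ;;
        *)              echo unknown ;;
    esac
}

# Count SystemCallFilter= directives in the unit file named in $1.
# Prints 0 (rather than failing) when the file has none or does not exist.
count_syscall_filters() {
    n=$(grep -c '^[[:space:]]*SystemCallFilter=' "$1" 2>/dev/null) || n=${n:-0}
    printf '%s\n' "$n"
}

# Combine both: "no-filter" if the unit carries no filter, "enforced" if the
# host's systemd reports +SECCOMP, otherwise "ignored" (the bug's situation).
verdict() {
    filters=$(count_syscall_filters "$1")
    state=$(seccomp_state "$2")
    if [ "$filters" -eq 0 ]; then
        echo no-filter
    elif [ "$state" = enabled ]; then
        echo enforced
    else
        echo ignored
    fi
}

# The two Features= lines quoted in comment 3 (RHEL 7 systemd-219 as shipped,
# and the same package rebuilt with libseccomp available).
RHEL7_FEATURES='Features=+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN'
REBUILT_FEATURES='Features=+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN'

# Constructed sample unit (not one of the systemd-fedora-ci units) that
# relies on two deny-list filters for its hardening.
SAMPLE_UNIT=$(mktemp)
trap 'rm -f "$SAMPLE_UNIT"' EXIT
cat >"$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=constructed sample service hardened with SystemCallFilter=

[Service]
ExecStart=/bin/true
SystemCallFilter=~ptrace
SystemCallFilter=~personality
EOF

# Prefer the live Features= line when systemctl can reach the manager;
# otherwise fall back to the RHEL 7 line so the script still runs elsewhere.
if command -v systemctl >/dev/null 2>&1 \
   && live=$(systemctl show -p Features 2>/dev/null) && [ -n "$live" ]; then
    HOST_FEATURES=$live
else
    HOST_FEATURES=$RHEL7_FEATURES
fi

printf 'host seccomp support:          %s\n' "$(seccomp_state "$HOST_FEATURES")"
printf 'sample unit on this host:      %s\n' "$(verdict "$SAMPLE_UNIT" "$HOST_FEATURES")"
printf 'sample unit on RHEL 7 (bug):   %s\n' "$(verdict "$SAMPLE_UNIT" "$RHEL7_FEATURES")"
printf 'sample unit on rebuilt pkg:    %s\n' "$(verdict "$SAMPLE_UNIT" "$REBUILT_FEATURES")"
```

The point of the `ignored` verdict is the one comment 3 makes implicitly: a unit whose hardening rests on SystemCallFilter= passes every start-up check on a "-SECCOMP" systemd, so the only way to know the filter is absent is to ask the manager which features it was compiled with. Running `verdict` over the unit files of services you rely on for sandboxing gives an inventory of filters that exist on paper only.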

