add missing syscalls

[tugytur]

With version 1.0.0 and landlock this systemd service will fail.

It will exit with polkadot.service: Main process exited, code=killed, status=31/SYS

journalctl _AUDIT_TYPE_NAME=SECCOMP shows that it's because it can't do landlock related syscalls.

[matthewmarcus]

Adding the following new line to service file:

SystemCallFilter=landlock_add_rule landlock_create_ruleset landlock_restrict_self seccomp

and reloading daemon resulted in these error messages:

/etc/systemd/system/polkadot.service:35: Failed to parse system call, ignoring: landlock_add_rule /etc/systemd/system/polkadot.service:35: Failed to parse system call, ignoring: landlock_create_ruleset /etc/systemd/system/polkadot.service:35: Failed to parse system call, ignoring: landlock_restrict_self

Can anyone advise how to fix?

[matthewmarcus]

Upon further research, the landlock directives are not available in Ubuntu 20.04, only 23.04. Is / will there be a fix for those of us running 20.04?

Adding the following new line to service file:

SystemCallFilter=landlock_add_rule landlock_create_ruleset landlock_restrict_self seccomp

[alexggh]

Upon further research, the landlock directives are not available in Ubuntu 20.04, only 23.04. Is / will there be a fix for those of us running 20.04?

Adding the following new line to service file:
SystemCallFilter=landlock_add_rule landlock_create_ruleset landlock_restrict_self seccomp

That's most likely because your system doesn't know about the landlock, you can try to replace the landlock part with @sandbox see here

If that still fails, as an workaround adding @obsolete to allow unimplemented systemcalls should suffice, but it comes with the downside it is too permisive from the documentation:

@obsolete	Unusual, obsolete or unimplemented (create_module(2), gtty(2), …)

[matthewmarcus]

So what should the systemd line be using @sandbox?

SystemCallFilter=@sandbox landlock_add_rule landlock_create_ruleset landlock_restrict_self seccomp

??

[alexggh]

You should replace:

SystemCallFilter=landlock_add_rule landlock_create_ruleset landlock_restrict_self seccomp

with

SystemCallFilter=@sandbox

[mrcnski]

If that works, should we raise a PR applying the fix?

Please let us know how it goes @matthewmarcus!

[matthewmarcus]

Unfortunately, adding the SystemCallFilter=@sandbox to the service file did not fix the issue.

Log result:

-- Logs begin at Fri 2023-07-28 19:37:17 CDT. --
Jul 29 11:43:07 Good-KarMa systemd[1]: Started Polkadot Validator (Kusama).
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 ----------------------------
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 This chain is not in any way
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 endorsed by the
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 KUSAMA FOUNDATION
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 ----------------------------
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 Parity Polkadot
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 ✌️ version 1.0.0-1ed6e2e50a4
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 ❤️ by Parity Technologies [email protected], 2017-2023
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 📋 Chain specification: Kusama
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 🏷 Node name: Good Karma
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 👤 Role: AUTHORITY
Jul 29 11:43:07 Good-KarMa polkadot[656409]: 2023-07-29 11:43:07 💾 Database: RocksDb at /home/polkadot/.local/share/polkadot/chains/ksmcc3/db/full
Jul 29 11:43:19 Good-KarMa polkadot[656409]: 2023-07-29 11:43:19 🏷 Local node identity is: 12D3KooWK2bWMZHSMDkGTEpPG9JdvGE9WFPwWUsVPn8eW1NrZ4g4
Jul 29 11:43:20 Good-KarMa systemd[1]: polkadot.service: Main process exited, code=killed, status=31/SYS
Jul 29 11:43:20 Good-KarMa systemd[1]: polkadot.service: Failed with result 'signal'.

[matthewmarcus]

Additionally, I noticed when reloading the daemon, this message is shown:

Jul 29 11:49:30 Good-KarMa systemd[1]: /etc/systemd/system/polkadot.service:36: Unknown system call group, ignoring: @sandbox

[matthewmarcus]

Per @alexggh suggestion, I tried SystemCallFilter=@obsolete as well but received the same fail messages as when trying with @sandbox.

Jul 29 11:51:32 Good-KarMa systemd[1]: polkadot.service: Main process exited, code=killed, status=31/SYS
Jul 29 11:51:32 Good-KarMa systemd[1]: polkadot.service: Failed with result 'signal'.

[mrcnski]

@matthewmarcus Can you please try with the following settings? (landlock calls removed + SystemCallErrorNumber=EPERM added):

SystemCallFilter=seccomp
SystemCallErrorNumber=EPERM

Expected behavior is that you get a warning about landlock being unavailable but the node keeps running.

Thanks for your patience while we troubleshoot this. ⭐️

[matthewmarcus]

SystemCallFilter=seccomp
SystemCallErrorNumber=EPERM

That seems to have worked. Node is running and syncing again.

This is the warning message we received when starting, which is what I believe you were referring to:

Jul 31 11:16:25 Good-KarMa polkadot[677547]: 2023-07-31 11:16:25 Cannot fully enable landlock, a Linux kernel security feature. Running validation of malicious PVF code has a higher risk of compromising this machine. Consider upgrading the kernel version for maximum security. status=Ok(NotEnforced) abi=1

[mrcnski]

@matthewmarcus Great! 🥳

Unfortunately I'm not sure how to fix this for the general case without removing the landlock calls from the whitelist, which would make landlock not work. So probably no further changes needed, apart from documenting this fix somewhere?