Hello everyone!
After upgrading from Kicksecure 17 to 18 I noticed that sdwdate never finished syncing time. After checking the logs I found several lines similar to this:
SECCOMP auid=4294967295 uid=117 gid=130 ses=4294967295 subj=unconfined pid=6319 comm="leaprun" exe="/usr/bin/python3.13" sig=31 arch=c000003e syscall=332 compat=0 ip=0x7c87efbaf31a code=0x80000000
By following the instructions on Debugging Systemd Seccomp, I figured out that syscalls 332 (statx), 138 (fstatfs) and 441 (epoll_pwait2) needed to be added to SystemCallFilter=. And indeed after doing that the issue was completely fixed. Architecture is x86_64.
Sorry if this is not the correct category, I wasn’t sure if I should post this on Support or Development.
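The triage described in the first post, as an added example that is not part of the thread or of sdwdate's own code: it pulls denied syscall numbers out of SECCOMP audit records, resolves them using only the three x86_64 numbers named in the post, and builds the lines to add under SystemCallFilter=. The sample log (apart from its first line), the function names and the drop-in layout are assumptions made for illustration.

```python
import re

AUDIT_ARCH_X86_64 = 0xC000003E  # the arch=c000003e value in the record
SIGSYS = 31                     # sig=31: signal raised when seccomp kills the caller
# Only the three x86_64 numbers named in the thread; anything else is reported
# as unresolved instead of being guessed.
X86_64_SYSCALLS = {332: "statx", 138: "fstatfs", 441: "epoll_pwait2"}

# Constructed sample: the first record is the one from the post, the rest are
# built in the same shape (pid and ip values are made up).
SAMPLE_LOG = '''\
SECCOMP auid=4294967295 uid=117 gid=130 ses=4294967295 subj=unconfined pid=6319 comm="leaprun" exe="/usr/bin/python3.13" sig=31 arch=c000003e syscall=332 compat=0 ip=0x7c87efbaf31a code=0x80000000
SECCOMP uid=117 pid=6320 comm=“leaprun” sig=31 arch=c000003e syscall=138 compat=0 ip=0x1 code=0x80000000
SECCOMP uid=117 pid=6321 comm="leaprun" sig=31 arch=c000003e syscall=441 compat=0 ip=0x1 code=0x80000000
SECCOMP uid=117 pid=6322 comm="leaprun" sig=31 arch=c000003e syscall=332 compat=0 ip=0x1 code=0x80000000
SECCOMP uid=117 pid=6323 comm="other" sig=31 arch=c000003e syscall=9999 compat=0 ip=0x1 code=0x80000000
SYSCALL arch=c000003e syscall=332 success=yes exit=0 pid=6324 comm="leaprun"
'''

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def denied_syscalls(log):
    """Return (names, unresolved_numbers) for SIGSYS seccomp denials, first-seen order."""
    names, unresolved = [], []
    for line in log.splitlines():
        if not re.search(r"\bSECCOMP\b", line):
            continue  # other audit record types also carry syscall= fields
        # Strip straight quotes and the curly ones forum software substitutes.
        rec = {k: v.strip('"“”') for k, v in FIELD_RE.findall(line)}
        if "syscall" not in rec or int(rec.get("sig", 0)) != SIGSYS:
            continue
        nr = int(rec["syscall"])
        # Syscall numbers are per-architecture: only use the x86_64 table
        # when the record itself says x86_64.
        is_x86_64 = int(rec.get("arch", "0"), 16) == AUDIT_ARCH_X86_64
        name = X86_64_SYSCALLS.get(nr) if is_x86_64 else None
        bucket, item = (names, name) if name else (unresolved, nr)
        if item not in bucket:
            bucket.append(item)
    return names, unresolved

def dropin(names):
    """Build a [Service] drop-in body that extends an existing allow-list filter."""
    return "[Service]\nSystemCallFilter=" + " ".join(names) + "\n"

if __name__ == "__main__":
    found, unknown = denied_syscalls(SAMPLE_LOG)
    print(dropin(found), "unresolved numbers:", unknown)
```

systemd merges repeated SystemCallFilter= lines, so a drop-in like this extends a unit's allow-list rather than replacing it; unresolved numbers need a manual lookup against the syscall table for the recorded architecture.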
Odd that we didn’t run into this during development. Are you using this on baremetal or in a virtual machine? Could you share some details of your hardware or hypervisor if possible? That might help us reproduce the issue.
(All three of those system calls sound pretty benign, so we can probably add them to the filter even if we can’t reproduce this.)
It’s on baremetal.
Certainly, just tell me what you want to know. Do you need the output of any particular commands?
The main thing I’d be interested in knowing is what CPU architecture you’re using. This should show it:
lscpu | grep Architecture
My architecture is x86_64, I already mentioned that in my original post. I am attaching the entire output of lscpu, though, just in case it proves useful.
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 48 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 24
On-line CPU(s) list: 0-23
Vendor ID: AuthenticAMD
Model name: AMD Ryzen 9 7900 12-Core Processor
CPU family: 25
Model: 97
Thread(s) per core: 2
Core(s) per socket: 12
Socket(s): 1
Stepping: 2
Frequency boost: enabled
CPU(s) scaling MHz: 64%
CPU max MHz: 5482.0000
CPU min MHz: 545.0000
BogoMIPS: 7400.26
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht sy
scall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good amd_lbr_v2 nopl xtopology nonstop_tsc
cpuid extd_apicid aperfmperf rapl pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes x
save avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw
ibs skinit wdt tce topoext perfctr_core perfctr_nb bpext perfctr_llc mwaitx cpb cat_l3 cdp_l3 hw_pstat
e pti ssbd mba perfmon_v2 ibrs ibpb stibp ibrs_enhanced vmmcall fsgsbase bmi1 avx2 smep bmi2 erms invpc
id cqm rdt_a avx512f avx512dq rdseed adx smap avx512ifma clflushopt clwb avx512cd sha_ni avx512bw avx51
2vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local user_shstk avx512_
bf16 clzero irperf xsaveerptr rdpru wbnoinvd cppc arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean
flushbyasid decodeassists pausefilter pfthreshold avic vgif x2avic v_spec_ctrl vnmi avx512vbmi umip pk
u ospke avx512_vbmi2 gfni vaes vpclmulqdq avx512_vnni avx512_bitalg avx512_vpopcntdq rdpid overflow_rec
ov succor smca fsrm flush_l1d amd_lbr_pmc_freeze
Virtualization features:
Virtualization: AMD-V
Caches (sum of all):
L1d: 384 KiB (12 instances)
L1i: 384 KiB (12 instances)
L2: 12 MiB (12 instances)
L3: 64 MiB (2 instances)
NUMA:
NUMA node(s): 1
NUMA node0 CPU(s): 0-23
Vulnerabilities:
Gather data sampling: Not affected
Indirect target selection: Mitigation; Aligned branch/return thunks
Itlb multihit: Not affected
L1tf: Not affected
Mds: Not affected
Meltdown: Not affected
Mmio stale data: Not affected
Reg file data sampling: Not affected
Retbleed: Not affected
Spec rstack overflow: Mitigation; Safe RET
Spec store bypass: Mitigation; Speculative Store Bypass disabled
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Enhanced / Automatic IBRS; IBPB always-on; STIBP forced; PBRSB-eIBRS Not affected; BHI Not
affected
Srbds: Not affected
Tsa: Vulnerable: Clear CPU buffers attempted, no microcode
Tsx async abort: Not affected
Vmscape: Mitigation; IBPB before exit to userspace
I should probably point out that I have enabled SMT by editing the /etc/default/grub.d/40_cpu_mitigations.cfg following the instructions in the comments. I haven’t touched the rest of the CPU mitigations, I just didn’t want half of my CPU threads to be disabled.
To be clear though, the issue with sdwdate appeared immediately after the first reboot after the upgrade to 18, before I made any configuration changes.
You’re right, my apologies, I missed that.
All my machines are Intel-based. I haven’t seen the issue there, but I do know that differences in CPU architectures can cause issues like this, and I note you’re using an AMD machine, so… maybe that’s the issue? In any event, we’ll likely add those syscalls to the filter. Thank you for reporting this!