Sdwdate failed to start in debian 12 bookworm (next release)

nurmagoz · October 29, 2022, 8:32pm

sdwdate log:

+ set -e
+ true 'INFO /usr/bin/sdwdate-log-viewer: START'
+ /bin/journalctl --boot --output cat -n 10000 -f _SYSTEMD_UNIT=qubes-sync-time.service + _SYSTEMD_UNIT=qubes-sync-time.timer + _SYSTEMD_UNIT=timesanitycheck.service + _SYSTEMD_UNIT=bootclockrandomization.service + _SYSTEMD_UNIT=sdwdate.service + _SYSTEMD_UNIT=whonix-firewall.service + SYSLOG_IDENTIFIER=suspend-pre + SYSLOG_IDENTIFIER=suspend-post + SYSLOG_IDENTIFIER=anondate + _AUDIT_TYPE_NAME=SECCOMP
Within minimum time 'Fri Feb 18 00:00:00 UTC 2022' and expiration timestamp 'Tue May 17 10:00:00 UTC 2033', ok.
Boot Clock Randomization
https://www.kicksecure.com/wiki/Boot_Clock_Randomization
- 58 314072601
Changed time from Fri Oct 28 10:18:50 PM EDT 2022 (1667009930.522251493)
               to Fri Oct 28 10:17:52 PM EDT 2022 (1667009872.327542096).
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=692 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x780839d88bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=1541 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7de3739e0bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=2117 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x74c0d6763bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=2890 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x6ffcaa2cfbca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=2898 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7dbc8d788bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=2970 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7423fdacebca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3009 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x78cee88c8bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3020 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7cfa6e377bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3034 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x74a6071eebca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3436 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7941c7566bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3468 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7fbb97e37bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3487 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x78edb1e46bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3497 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x749bfe4a6bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3518 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7fa119ca1bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3544 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x728b82ceabca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3550 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7d7fda3babca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3570 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x712153c0bbca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3574 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x7922dde05bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3585 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x748e3f8f0bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3591 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x74b1af4d4bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3631 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x79219c660bca code=0x80000000
SECCOMP auid=4294967295 uid=107 gid=118 ses=4294967295 subj=unconfined pid=3635 comm="sdwdate" exe="/usr/bin/python3.10" sig=31 arch=c000003e syscall=262 compat=0 ip=0x75e9d79d0bca code=0x80000000

JeremyRand · May 9, 2023, 12:48pm

You’re on x86_64, correct? If so, this is the newfstatat syscall. It’s already whitelisted on ARM and POWER; it sounds like we should whitelist it regardless of architecture.

JeremyRand · May 10, 2023, 11:04pm

I can reproduce on x86_64. Will see if I can send in a PR.

JeremyRand · May 10, 2023, 11:35pm

PR incoming shortly.

JeremyRand · May 10, 2023, 11:52pm

Patrick · May 11, 2023, 1:29am

Thank you!

I was wondering if the way how it’s handled in sdwdate.postinst (legacy prior your pull request) is worth it. syscall whitelists are difficult to maintain as is and the dynamic creation per architecture makes it even more messy. I was contemplating to remove the sdwdate.postinst dynamic creation and move all to the static systemd unit file.

JeremyRand · May 11, 2023, 11:22pm

No objection from me. At a high level, the different architectures’ syscall whitelists should provide equivalent functionality (otherwise the same application wouldn’t work on all of them), so the attack surface incurred by synchronizing them shouldn’t be very high. I suppose it would still help if there’s some kind of exploitable kernel vulnerability in a syscall implementation but not another implementation of a syscall that provides similar functionality… but like you, I’m not convinced that this marginal benefit is really worth the trouble.

Patrick · May 13, 2023, 8:31am

Thanks! Merged.

Disabled architecture specific whitelist. → Apply systemd sandboxing by default to some services - #83 by Patrick - Development - Whonix Forum

Patrick · May 13, 2023, 9:03am

This is now in the testers repository.