tracker-extract killed by seccomp sandbox on i386
On my i386 based NAS tracker-extract repeatedly is killed via SIGSYS by the seccomp sandbox. Excerpt from strace:
17167 execve("/usr/lib/tracker/tracker-extract", ["/usr/lib/tracker/tracker-extract"], ...) = 0
...
17167 clone(child_stack=0xab1ad324,
flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
parent_tidptr=0xab1adba8, tls={entry_number=6, base_addr=0xab1adb40,
limit=0x0fffff, seg_32bit=1, contents=0, read_exec_only=0, limit_in_pages=1,
seg_not_present=0, useable=1}0xbf9039bc, child_tidptr=0xab1adba8) = 17188
17167 poll([{fd=4, events=POLLIN}], 1, -1 <unfinished ...>
17188 set_robust_list(0xab1adbb0, 12) = 0
17188 prctl(PR_SET_NAME, "single") = 0
17188 mprotect(0xb3321000, 4096, PROT_READ|PROT_WRITE) = 0
17188 mprotect(0xb3322000, 4096, PROT_READ|PROT_WRITE) = 0
17188 prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
17188 seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
17188 seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=135,
filter=[BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 0x4), BPF_JUMP(BPF_JMP|BPF_K|BPF_JEQ,
0x40000003, 0, 0x84), BPF_STMT(BPF_LD|BPF_W|BPF_ABS, 0),...
17188 lstat64("/home/roderich/Music/Jeff Beck with Terry Bozzio and Tony
Hymas/Jeff Beck's Guitar Shop/album.jpg", {st_dev=makedev(9, 1),
st_ino=159253366, st_mode=S_IFREG|0644, st_nlink=1, st_uid=2000, st_gid=2000,
st_blksize=4096, st_blocks=112, st_size=56447, st_atime=1460929067 /*
2016-04-17T23:37:47.747261334+0200 */, st_atime_nsec=747261334,
st_mtime=1460501084 /* 2016-04-13T00:44:44.971829499+0200 */,
st_mtime_nsec=971829499, st_ctime=1460929067 /*
2016-04-17T23:37:47.807259666+0200 */, st_ctime_nsec=807259666}) = 0
17188 openat(AT_FDCWD, "/home/roderich/Music/Jeff Beck with Terry Bozzio and
Tony Hymas/Jeff Beck's Guitar Shop/album.jpg", O_RDONLY|O_LARGEFILE|O_NOATIME)
= 14
17188 fcntl64(14, F_GETFL) = 0x48000 (flags
O_RDONLY|O_LARGEFILE|O_NOATIME)
17188 futex(0xb7cb69c8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
17188 futex(0xb7cb69c8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
17188 fstat64(14, {st_dev=makedev(9, 1), st_ino=159253366,
st_mode=S_IFREG|0644, st_nlink=1, st_uid=2000, st_gid=2000, st_blksize=4096,
st_blocks=112, st_size=56447, st_atime=1460929067 /*
2016-04-17T23:37:47.747261334+0200 */, st_atime_nsec=747261334,
st_mtime=1460501084 /* 2016-04-13T00:44:44.971829499+0200 */,
st_mtime_nsec=971829499, st_ctime=1460929067 /*
2016-04-17T23:37:47.807259666+0200 */, st_ctime_nsec=807259666}) = 0
17188 mprotect(0xb3323000, 4096, PROT_READ|PROT_WRITE) = 0
17188 read(14,
"\377\330\377\340\0\20JFIF\0\1\1\0\0\1\0\1\0\0\377\333\0C\0\5\3\4\4\4\3\5"...,
4096) = 4096
17188 mprotect(0xb3324000, 16384, PROT_READ|PROT_WRITE) = 0
17188 lstat64("/home/roderich/Music/Jeff Beck with Terry Bozzio and Tony
Hymas/Jeff Beck's Guitar Shop/album.jpg", {st_dev=makedev(9, 1),
st_ino=159253366, st_mode=S_IFREG|0644, st_nlink=1, st_uid=2000, st_gid=2000,
st_blksize=4096, st_blocks=112, st_size=56447, st_atime=1460929067 /*
2016-04-17T23:37:47.747261334+0200 */, st_atime_nsec=747261334,
st_mtime=1460501084 /* 2016-04-13T00:44:44.971829499+0200 */,
st_mtime_nsec=971829499, st_ctime=1460929067 /*
2016-04-17T23:37:47.807259666+0200 */, st_ctime_nsec=807259666}) = 0
17188 openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 17
17188 fstat64(17, {st_dev=makedev(9, 1), st_ino=74977878, st_mode=S_IFREG|0644,
st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=2335,
st_atime=1546448825 /* 2019-01-02T18:07:05+0100 */, st_atime_nsec=0,
st_mtime=1546221724 /* 2018-12-31T03:02:04+0100 */, st_mtime_nsec=0,
st_ctime=1546448827 /* 2019-01-02T18:07:07.614374895+0100 */,
st_ctime_nsec=614374895}) = 0
17188 fstat64(17, {st_dev=makedev(9, 1), st_ino=74977878, st_mode=S_IFREG|0644,
st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=2335,
st_atime=1546448825 /* 2019-01-02T18:07:05+0100 */, st_atime_nsec=0,
st_mtime=1546221724 /* 2018-12-31T03:02:04+0100 */, st_mtime_nsec=0,
st_ctime=1546448827 /* 2019-01-02T18:07:07.614374895+0100 */,
st_ctime_nsec=614374895}) = 0
17188 mprotect(0xb3328000, 4096, PROT_READ|PROT_WRITE) = 0
17188 read(17,
"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 2335
17188 _llseek(17, -1476, [859], SEEK_CUR) = 0
17188 read(17,
"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 1476
17188 close(17) = 0
17188 fadvise64_64(14, 0, 0, POSIX_FADV_DONTNEED) = 272
17188 --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP,si_call_addr=0xb7fbdd41, si_syscall=__NR_fadvise64_64, si_arch=AUDIT_ARCH_I386}
The reason is the syscall fadvise64_64 which is not whitelisted in src/libtracker-miners-common/tracker-seccomp.c.
In this case, the syscall seems to be issued by tracker-extract itself, as
several
src/tracker-extract/tracker-extract-*.c call posix_fadvise().
Note that glibc uses fadvise64_64 to implement on i386 (at least when the source is
compiled with -D_FILE_OFFSET_BITS=64
which is the case here).
Adding fadvise64_64 to the whitelist solves the problem for me, see attached patch tracker-miner.patch
Originally filed as Debian bug 918118