how to enable seccomp kernel feature


Post by sang0627 »

I'd like to use snap for installing new packages,
but an error which seems related to seccomp occurs
when I run a snap-installed application.
So, I tried to download the odroid kernel and enable CONFIG_SECCOMP=Y
in the kernel configuration. But I cannot find such an entry in the kernel config menu.
How could I enable it?
Is it OK to just put CONFIG_SECCOMP=Y in .config just before building the kernel?

user@odroid:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.3 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.3 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and- ... acy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
user@odroid:~$ snap list
Name Version Rev Tracking Publisher Notes
core 16-2.42.1 8042 stable canonical✓ core
core18 20191030 1268 stable canonical✓ base
hello-world 6.4 29 stable canonical✓ devmode
user@odroid:~$ snap run hello-world
cannot apply seccomp profile: Invalid argument
user@odroid:~$ hello-world
cannot apply seccomp profile: Invalid argument
user@odroid:~$
user@odroid:~$ git clone --depth 1 https://github.com/hardkernel/linux.git -b odroidc2-3.16.y
user@odroid:~$ cd linux
user@odroid:~$ grep -i seccomp .config
user@odroid:~$
user@odroid:~$ make odroidc2_defconfig
user@odroid:~$ make menuconfig


Post by tobetter »

I've looked through the file arch/arm64/Kconfig in the mainline kernel to find SECCOMP, and the change has been merged into the tree since Linux kernel v3.18.0-rc2, which is later than the kernel version of ODROID-C2. Therefore, the SECCOMP feature cannot be enabled unless you switch to the mainline kernel.


Post by sang0627 »

@tobetter, I'm afraid of pulling too much work by changing to the mainline kernel as you mentioned.
I appreciate your kind comments.


Post by tobetter »

If you are fine with running headless Debian Buster, you could use my Netboot installer, which will install the mainline kernel. The default version of the Linux kernel with the installer for ODROID-C2 in my repository is 5.0.0, and SECCOMP is enabled.
http://ppa.linuxfactory.or.kr/installer ... etinst.img


Linux debian 5.0.0-odroid-upstream-arm64 #1 SMP PREEMPT Sun, 17 Mar 2019 15:56:58 +0000 aarch64
 _   _               _ _                        _ 
| | | | __ _ _ __ __| | | _____ _ __ _ __   ___| |
| |_| |/ _` | '__/ _` | |/ / _ \ '__| '_ \ / _ \ |
|  _  | (_| | | | (_| |   <  __/ |  | | | |  __/ |
|_| |_|\__,_|_|  \__,_|_|\_\___|_|  |_| |_|\___|_|
                                                  
  ___  ____  ____   ___ ___ ____         ____ ____  
 / _ \|  _ \|  _ \ / _ \_ _|  _ \       / ___|___ \ 
| | | | | | | |_) | | | | || | | |_____| |     __) |
| |_| | |_| |  _ <| |_| | || |_| |_____| |___ / __/ 
 \___/|____/|_| \_\\___/___|____/       \____|_____|
                                                    

Welcome to Debian GNU/Linux 10 (buster)
Thursday, 14 February 2019, 05:12:20 AM
Up time:     0 days, 00:00:25
Free memory: 1898416 / 2020076 kB
IP:          192.168.10.136

[!] Please visit 'https://launchpad.net/odroid-image' to report a bug

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
tobetter@debian:~$ uname -a
Linux debian 5.0.0-odroid-upstream-arm64 #1 SMP PREEMPT Sun, 17 Mar 2019 15:56:58 +0000 aarch64 GNU/Linux
tobetter@debian:~$ zcat /proc/config.gz | grep SECCOMP
CONFIG_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
EDIT: I was able to update the upstream kernel as well.


tobetter@debian:~$ uname -a
Linux debian 5.4.0-rc8-odroid-upstream-arm64 #1 SMP PREEMPT Tue, 19 Nov 2019 06:32:57 +0000 aarch64 GNU/Linux
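
As an added example (not part of the thread and not the posters' code), the `zcat /proc/config.gz | grep SECCOMP` check above can be scripted so that it tells a disabled option apart from one the kernel tree never offered, which is what the empty `grep -i seccomp .config` on the 3.16 branch shows. The function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample configs are constructed.
# Classify kernel config text read from stdin:
#   filter - CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y
#   strict - CONFIG_SECCOMP=y only, no BPF filter mode
#   off    - option offered by Kconfig but "is not set"
#   absent - option not mentioned at all (this arch/tree does not offer it)
seccomp_status() {
    awk '
        /^CONFIG_SECCOMP=y$/            { base = 1 }
        /^CONFIG_SECCOMP_FILTER=y$/     { filter = 1 }
        /^# CONFIG_SECCOMP is not set$/ { off = 1 }
        END {
            if (base && filter) print "filter"
            else if (base)      print "strict"
            else if (off)       print "off"
            else                print "absent"
        }'
}

# Per the reply above, arm64 gained the SECCOMP option in v3.18-rc2.
# Succeeds when a release string ("3.16.85", "5.0.0-odroid") is >= 3.18.
# A hint only: it says nothing about what a given config enables.
release_has_arm64_seccomp() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 18 ]; }
}

# Print the running kernel's config from whichever source exists.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    else return 1
    fi
}

# Constructed samples: a config with no seccomp lines, and the three lines
# shown in the 5.0.0 output above.
sample_vendor_config()   { printf '%s\n' 'CONFIG_ARM64=y' 'CONFIG_PREEMPT=y'; }
sample_mainline_config() {
    printf '%s\n' 'CONFIG_SECCOMP=y' 'CONFIG_HAVE_ARCH_SECCOMP_FILTER=y' \
        'CONFIG_SECCOMP_FILTER=y'
}

echo "sample vendor:   $(sample_vendor_config | seccomp_status)"
echo "sample mainline: $(sample_mainline_config | seccomp_status)"
if cfg=$(running_kernel_config 2>/dev/null); then
    echo "running $(uname -r): $(printf '%s\n' "$cfg" | seccomp_status)"
fi
```

A result of `absent` means editing `.config` by hand will not help, because the build's config step drops symbols the tree's Kconfig does not define.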


Post by sang0627 »

@tobetter, thank you so much, but I have another odroid board, odroid-n2, which might run kernel 4.x.
Flashing Ubuntu to odroid-n2 seems to promise less work. :)

EDIT: I downloaded your odroid-c2 image with many thanks for later use. Thank you!


Post by tobetter »

sang0627 wrote:
Wed Nov 20, 2019 6:20 pm
@tobetter, thank you so much, but I have another odroid board, odroid-n2, which might run kernel 4.x.
Flashing Ubuntu to odroid-n2 seems to promise less work. :)

EDIT: I downloaded your odroid-c2 image with many thanks for later use. Thank you!
Good to know you have ODROID-N2. :)


Post by gemini_geek »

hi,

@tobetter I can see Ubuntu 20 images in your netboot repository. I tried to install them on the C2, but it's not working. Can you provide a procedure to install? I am new to ODROID.

thanks
Dee


Post by tobetter »

gemini_geek wrote:
Wed Sep 09, 2020 4:50 am
hi,

@tobetter I can see Ubuntu 20 images in your netboot repository. I tried to install them on the C2, but it's not working. Can you provide a procedure to install? I am new to ODROID.

thanks
Dee
Hmmm... since there is no demand to support Netboot Installer and mainline kernel, I've not tested my repository for ODROID-C2 for some time, although my build farm generates the packages for C2.

What error did you get when you tried?


Post by gemini_geek »

hi,

No display is coming up for focal & bionic. I got buster to run, but I can't install chromium-browser.


Post by gemini_geek »

My main issue is that I want to install chromium-browser headless to use with puppeteer. When I installed chromium-browser on Ubuntu 20 (ODROID-C2), I get 'seccomp config error'.
