113078 – Failed to install seccomp syscall filter

Bug 113078 - Failed to install seccomp syscall filter

Summary: Failed to install seccomp syscall filter

Status:	RESOLVED WONTFIX

Alias:	None

Product:	LibreOffice Online
Classification:	Unclassified
Component:	LibreOffice (show other bugs)
Version: (earliest affected)	unspecified
Hardware:	x86-64 (AMD64) Linux (All)

Importance:	medium normal
Assignee:	Not Assigned

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-10-12 19:16 UTC by Gerrit Großkopf
Modified:	2017-10-19 10:22 UTC (History)
CC List:	5 users (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gerrit Großkopf 2017-10-12 19:16:58 UTC

Good evening, i have collabora online development edition installed on my Strato server running Ubuntu 16.04, i can't use Docker, because the V-Server does not allow more virtualisation inside itself, therefore i have the current CODE installed from the Repository but it crashes whenever i start it.

i use the Command "/usr/local/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:lo_template_path=/opt/collaboraoffice5.3 --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd" as it's the standard command in the systemd file.

it then takes a while and gives back this error-message:

kit-15554-15542 19:04:27.498351 [ loolkit ] ERR  Failed to install seccomp syscall filter| common/Seccomp.cpp:199
kit-15554-15542 19:04:27.498438 [ loolkit ] ERR  LibreOfficeKit security lockdown failed. Exiting.| kit/Kit.cpp:1763
wsd-15538-15538 19:04:30.512945 [ loolwsd ] FTL  Failed to fork child processes.| wsd/LOOLWSD.cpp:2487
Failed to fork child processes.
wsd-15538-15538 19:04:30.514118 [ loolwsd ] FTL  Failed to fork child processes.| wsd/LOOLWSD.cpp:2634
Failed to fork child processes.
wsd-15538-15538 19:04:30.516051 [ loolwsd ] WRN  Waking up dead poll thread [admin], started: false, finished: false| ./net/Socket.hpp:507
wsd-15538-15538 19:04:30.516077 [ loolwsd ] WRN  Waking up dead poll thread [admin], started: false, finished: false| ./net/Socket.hpp:507
wsd-15538-15538 19:04:30.516423 [ loolwsd ] WRN  Waking up dead poll thread [delay_poll], started: false, finished: false| ./net/Socket.hpp:507
wsd-15538-15538 19:04:30.516442 [ loolwsd ] WRN  Waking up dead poll thread [delay_poll], started: false, finished: false| ./net/Socket.hpp:507
<shutdown>-15538 19:04:30.517643 [ loolwsd ] WRN  Waking up dead poll thread [accept_poll], started: false, finished: false| ./net/Socket.hpp:507
<shutdown>-15538 19:04:30.517684 [ loolwsd ] WRN  Waking up dead poll thread [accept_poll], started: false, finished: false| ./net/Socket.hpp:507
<shutdown>-15538 19:04:30.517692 [ loolwsd ] WRN  Waking up dead poll thread [websrv_poll], started: false, finished: false| ./net/Socket.hpp:507
<shutdown>-15538 19:04:30.517700 [ loolwsd ] WRN  Waking up dead poll thread [websrv_poll], started: false, finished: false| ./net/Socket.hpp:507
<shutdown>-15538 19:04:30.517706 [ loolwsd ] WRN  Waking up dead poll thread [accept_poll], started: false, finished: false| ./net/Socket.hpp:507
<shutdown>-15538 19:04:30.517712 [ loolwsd ] WRN  Waking up dead poll thread [accept_poll], started: false, finished: false| ./net/Socket.hpp:507
<shutdown>-15538 19:04:30.517886 [ loolwsd ] WRN  Waking up dead poll thread [websrv_poll], started: false, finished: false| ./net/Socket.hpp:507
<shutdown>-15538 19:04:30.517907 [ loolwsd ] WRN  Waking up dead poll thread [websrv_poll], started: false, finished: false| ./net/Socket.hpp:507
frk-15542-15542 19:04:30.529288 [ forkit ] FTL  Pipe closed.| common/IoUtil.cpp:309

It might be because of the special circumstances, but i hope that i could find a Solution to this.

Comment 1 Xisco Faulí 2017-10-17 11:39:16 UTC Comment hidden (obsolete)

Hello Gerrit,
Thanks for reporting this issue.
Since this is not an issue in LibreOffice's software, I'd recommend you to send an email to the dev mailing list [1] instead, the right place for this kind of  problems.
Closing as RESOLVED NOTABUG

Comment 2 Aron Budea 2017-10-17 11:48:47 UTC

I'm not familiar with this kind of setup, can you think of specifics that might be different from a standard Ubuntu install on a computer or in a VM? (where the seccomp filter works fine)

Comment 3 Aron Budea 2017-10-17 12:14:53 UTC

Oh, and the issue is likely in LO Online (or some setup step/requirement), so let's reopen the ticket.

Eg.:
kit-15554-15542 19:04:27.498351 [ loolkit ] ERR  Failed to install seccomp syscall filter| common/Seccomp.cpp:199

common/Seccomp.cpp:199 is the following line in master:
LOG_ERR("Failed to install seccomp syscall filter");
https://opengrok.libreoffice.org/xref/online/common/Seccomp.cpp#205

Comment 4 Gerrit Großkopf 2017-10-17 20:30:14 UTC

I have no idea, i'll ask the strato support if they have an idea :/

Comment 5 Gerrit Großkopf 2017-10-19 10:03:42 UTC

I got an reply, and now it's all clear, the Strato VServer does not allow for the installation of the Seccomp kernel module due to it being virtualized with Virtuozzo, so i don't think it is possible to disable Seccomp right? That makes it impossible for my usecase :( seems like i have to go back to onlyoffice with it's crappy implementation of odt right?

Comment 6 Michael Meeks 2017-10-19 10:22:01 UTC

Well - having the seccomp filters is a layer in the security onion that it is possible to turn off: in some cases - if you trust your documents, keep your underlying LibreOffice up-to-date its not a problem.

Just configure with --disable-seccomp =)