sdwdate loop - Conclusion: Tor already reports circuit established. - seccomp issue

w0lf · January 28, 2022, 10:29pm

my VM was working fine but after running upgrade-nonroot sdwdate is stuck in a loop:

__ Conclusion: Tor already reports circuit established.
__ ### END: ### Exiting with exit_code '0' indicating 'success'.
2022-01-28 22:29:04 - sdwdate - INFO - PREPARATION RESULT: SUCCESS.
2022-01-28 22:29:04 - sdwdate - INFO -

Anyone else with this problem?

ERROR: Time Synchronization Result:
systemcheck gave up waiting.

Time synchronization status: pending
sdwdate reports: nothing yet.
whonix_firewall status: first run after boot

Possible issues:

sdwdate will need a few more moments for fetching the time.

sdwdate time sources might be dysfunctional.

Patrick · January 29, 2022, 2:59pm

No such reports.

The log is too short to tell anything.

w0lf · January 29, 2022, 8:23pm

Here’s more logs: https://pastebin.com/raw/QjdSybNR

After this part it spawn a new process ID and keep looping the same logs forever

2022-01-29 20:12:10 - sdwdate - INFO - PREPARATION RESULT: SUCCESS.
2022-01-29 20:12:10 - sdwdate - INFO -

systemcheck logs: https://pastebin.com/raw/8LZmh9Zk

w0lf · January 30, 2022, 1:19pm

I built a brand new UTM VM from 16.0.3.8-developers-only and the sdwdate issue is also present there.

I’m not sure how to debug this issue, I tried to run the python file directly and it seems to work fine except at the end it cannot set the date, but that’s probably because I’m running it wrong.

logs: https://pastebin.com/raw/4pEz9ncX

Patrick · January 30, 2022, 3:30pm

https://www.whonix.org/wiki/Troubleshooting#Daemon_Log_View required for sdwdate.

Patrick · January 30, 2022, 3:30pm

Quite possibly another seccomp issue, see this post: Whonix on Mac M1 (ARM) - User Support (still unsupported at time of writing) - #162 by Patrick

w0lf · January 30, 2022, 4:02pm

I did configure -rtc base=utc in QEMU parameters, but nothing changed.
Surely this issue affect all the aarch64 builds, right? So people just didn’t realize it yet. Or can it be related to my setup?

Daemon log view: https://pastebin.com/raw/vLWTPJ50

SECCOMP audit log:

Jan 30 15:50:36 host audit[3328]: SECCOMP auid=4294967295 uid=102 gid=108 ses=4294967295 subj==/usr/bin/sdwdate (enforce) pid=3328 comm="sdwdate" exe="/usr/bin/python3.9" sig=31 arch=c00000b7 syscall=35 compat=0 ip=0xf37077846c74 code=0x80000000

Does it means there’s a whitelist missing in the SECCOMP ?
syscall=35 name according to systemd/syscalls-arm64.txt at main · systemd/systemd · GitHub is unlinkat

w0lf · January 30, 2022, 4:06pm

oh I managed to fix it!
Basically I just added unlinkat to the SECCOMP whitelist and then it worked:

user@host:~$ cat /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf 
## This file has been auto-generated by: /var/lib/dpkg/info/sdwdate.postinst
## Changes will be lost when sdwdate is upgraded.
## See file /lib/systemd/system/sdwdate.service for comments.
## Architecture: aarch64

[Service]
SystemCallFilter=faccessat readlinkat newfstatat mkdirat dup3 ppoll pselect6 unlinkat

user@host:~$ systemctl status sdwdate
● sdwdate.service - Secure Distributed Web Date
     Loaded: loaded (/lib/systemd/system/sdwdate.service; enabled; vendor preset: enabled)
    Drop-In: /lib/systemd/system/sdwdate.service.d
             └─20_arch_syscall_whitelist.conf
     Active: active (running) since Sun 2022-01-30 16:03:07 UTC; 2min 6s ago
       Docs: https://www.whonix.org/wiki/sdwdate
   Main PID: 821 (sdwdate)
     Status: "Running sdwdate main loop. iteration: 1 / 10000"
      Tasks: 2 (limit: 2257)
     Memory: 22.4M
        CPU: 988ms
     CGroup: /system.slice/sdwdate.service
             ├─ 821 /usr/bin/python3 -u /usr/bin/sdwdate
             └─1222 sleep 8548.757159774

Is this a proper fix?

Patrick · January 30, 2022, 4:08pm

Could you please send a pull request?

github.com

Kicksecure/sdwdate/blob/master/lib/systemd/system/sdwdate.service#L75


      
          RestrictAddressFamilies=AF_UNIX AF_INET
          RestrictNamespaces=true
          SystemCallArchitectures=native
          
          
## Base syscall whitelist suitable for x86. Other arch-specific syscalls will be included
          ## in /lib/systemd/system/sdwdate.service.d/20_arch_syscall_whitelist.conf during package
          ## installation. See file:
          ## debian/sdwdate.postinst
          ## https://github.com/Whonix/sdwdate/blob/master/debian/sdwdate.postinst
          ## https://gitlab.com/whonix/sdwdate/blob/master/debian/sdwdate.postinst
          SystemCallFilter=wait4 select futex read stat close openat fstat lseek mmap rt_sigaction getdents64 mprotect ioctl recvfrom munmap brk rt_sigprocmask fcntl getpid write access socket sendto dup2 clone execve getrandom geteuid getgid madvise getuid getegid readlink pipe rt_sigreturn connect pipe2 prlimit64 set_robust_list dup arch_prctl lstat set_tid_address sysinfo sigaltstack rt_sigsuspend shutdown timer_settime mkdir timer_create statfs getcwd setpgid setsockopt uname bind getpgrp getppid getpeername chdir poll getsockname fadvise64 clock_settime kill getsockopt unlink epoll_create1 utimensat mremap prctl sendmsg
          
          
[Install]
          WantedBy=multi-user.target

w0lf · January 30, 2022, 4:13pm

done it, thanks Patrick!

w0lf · January 30, 2022, 4:17pm

wait I sent you pull request for sdwdate.service but that’s only for x86 right? For ARM64 it should be in 20_arch_syscall_whitelist.conf

github.com

Kicksecure/sdwdate/blob/master/debian/sdwdate.postinst#L99


      
          ## This file has been auto-generated by: $0
          ## Changes will be lost when sdwdate is upgraded.
          ## See file /lib/systemd/system/sdwdate.service for comments.
          ## Architecture: ${arch}
          "
          
          
if [[ "${arch}" =~ "arm" ]] || [[ "${arch}" =~ "aarch" ]]; then
             ## ARM-specific syscalls.
             syscall_whitelist="\
          [Service]
          SystemCallFilter=faccessat readlinkat newfstatat mkdirat dup3 ppoll pselect6 unlinkat"
          elif [[ "${arch}" =~ "ppc" ]]; then
             ## PowerPC-specific syscalls.
             syscall_whitelist="\
          [Service]
          SystemCallFilter=_llseek send waitpid recv prctl _newselect newfstatat pselect6 vfork"
          elif [[ "${arch}" =~ "x86" ]]; then
             syscall_whitelist="\
          ## Default. No changes required."
          else
             syscall_whitelist="\

Patrick · January 30, 2022, 4:40pm

Yes, good catch.

Patrick · January 30, 2022, 4:42pm

Another related issue is that I had to ask for this:

Wasn’t included in sdwdate-log-viewer.

sdwdate/usr/bin/sdwdate-log-viewer at master · Kicksecure/sdwdate · GitHub

This obfuscated this being a seccomp issue.

w0lf · January 30, 2022, 4:44pm

ok I closed the pull request #35 and opened #36 to edit the script that will create 20_arch_syscall_whitelist.conf

Patrick · January 30, 2022, 4:48pm