vn971 / rua

Build tool for Arch Linux providing control, review and jailed build options
GNU General Public License v3.0

seccomp-armv7l.bpf: No such file or directory #126

Closed diegoflorez closed 2 years ago

diegoflorez commented 4 years ago

I'm trying to use rua on a Raspberry Pi 4, but I keep getting this error when I try to install any AUR package using the `rua install package-name` command:

`/home/user/.config/rua/.system/wrap.sh: line 11: /home/user/.config/rua/.system/seccomp-armv7l.bpf: No such file or directory`

Although if I go to `~/.config/rua/pkg/package-name/` and run `makepkg -si`, the package is correctly installed, as indicated in the [AUR wiki page](https://wiki.archlinux.org/index.php/Arch_User_Repository).

Does anyone have any idea why this may be happening and how to fix it?

vn971 commented 4 years ago

@diegoflorez hi, thanks for raising the issue! So this day has come: someone tried to run rua on an ARM device. :) The problem observed is because, currently, seccomp bpf filters were generated once, for the i686 and x86_64 architectures. I've mentioned that some time ago here: https://github.com/vn971/rua/issues/91#issuecomment-559064460

Now, however, it would be nice to auto-generate the seccomp bpf filters for other platforms automatically. I'll take a look at it somewhat later (probably next week).

diegoflorez commented 4 years ago

Great job with rua, by the way. And thanks! :wink:

zegelin commented 4 years ago

Running into this issue too while trying to use RUA on a Raspberry Pi 4.

I ran seccomp-gen and copied the resulting file to .config/rua/.system/seccomp-armv7l.bpf, but it appears that the entire .system directory gets nuked on every run.

Is there any way to use this BPF file?

vn971 commented 4 years ago

@zegelin yeah, I believe you also wrote a comment on AUR yesterday evening, right?

Anyway, I agree with everything that you wrote basically. Do you have time/energy to write a PR? I see two choices:

1) create the seccomp file in AUR, for not out-of-the-box architectures. And don't nuke (as you said :) the system directory. Theoretically it leaves some possibility to get a few "garbage" files there, but I guess that's all right in a way. (This approach will also require touching up README.md)

2) the other approach is to integrate libseccomp into rua itself, link against it same as that program in C does.

I kinda like the 1st approach because the file is really static and never changes I think, but I'm open to opinions.

zegelin commented 4 years ago

> @zegelin yeah, I believe you also wrote a comment on AUR yesterday evening, right?

Nah, not me. I discovered this project today.

> Anyway, I agree with everything that you wrote basically. Do you have time/energy to write a PR? I see two choices:
>
> \<snip\>
>
> I kinda like the 1-st approach because the file is really static and never changes I think, but I'm open to opinions.

I'm not very familiar with Rust. But I might have a crack at it. I think the first approach is easier to implement, at least compared to trying to integrate seccomp-gen/libseccomp into the build process.

Have you considered keeping these files external to the binary and installing them with a package? I.e., is there any reason/benefit for embedding these files into the binary and extracting them at runtime vs having a package install them as read-only somewhere under `/usr/share`/`/usr/local/share`? That way, anyone can add additional seccomp files where necessary. The directory under `/usr/share` could even be considered a "template" that's copied if `.system` needs to be fresh each time.

vn971 commented 4 years ago

> i.e., is there any reason/benefit for embedding these files into the binary and extracting them at runtime

One advantage I had in mind is that I can tell people to cargo install --force rua and the tool will then "work". (It won't have shell completions, but otherwise everything would be fine.)

While there's a good point to just not wiping this .system directory each time, I think it'd be also nice to get armv7l and other architectures covered in the same MR. "Fix the issue for everyone, not just for yourself". I feel I need to attempt doing that, will do.

bbx0 commented 3 years ago

I tried running rua on a rpi4 as well. It seems to work fine after creating the seccomp files and adding them to rua_paths.rs.

Would it be okay to turn https://github.com/bbx0/rua/commit/085ae63e5c2e8ab8fedc1cdc59a82984966224dd and https://github.com/bbx0/rua/commit/e45b27b3f427146f150ce69897a50f3c9145e41c into a pull request for ARM support? It simply extends the existing implementation for aarch64 and armv7l.

Notes for armv7: rua uses `uname --machine` internally, which returns `armv7l`, but `pacman-conf Architecture` returns `armv7h`, so the PKGBUILD still needs to be `arch=('x86_64' 'i686' 'aarch64' 'armv7h')`.

vn971 commented 2 years ago

Hi @diegoflorez @zegelin, based on @bbx0's excellent pull request RUA now got support for other architectures (all architectures where Rust and libseccomp would run). Please raise an issue if it's not working for you!

The latest release already has these changes.
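
Added example, not code from rua or from anyone in this thread: a check that a raw seccomp BPF file (an array of 8-byte `struct sock_filter` entries, as libseccomp exports it) tests for the architecture that `uname --machine` reports, which is why a filter generated for x86_64 cannot simply be reused on armv7l. The function names and the sample filter are constructed for illustration.

```python
import struct

# AUDIT_ARCH_* constants from <linux/audit.h>, keyed by `uname --machine` name.
AUDIT_ARCH = {
    "x86_64": 0xC000003E,
    "i686": 0x40000003,
    "armv7l": 0x40000028,
    "aarch64": 0xC00000B7,
}
INSN = struct.Struct("<HBBI")   # struct sock_filter: code, jt, jf, k (little-endian)
LD_W_ABS, JEQ_K, RET_K = 0x20, 0x15, 0x06
ARCH_OFFSET = 4                 # offsetof(struct seccomp_data, arch)
BPF_MAXINSNS = 4096

def decode(blob):
    """Split a raw classic-BPF program into (code, jt, jf, k) tuples."""
    if not blob or len(blob) % INSN.size:
        raise ValueError("not a whole number of 8-byte BPF instructions")
    insns = list(INSN.iter_unpack(blob))
    if len(insns) > BPF_MAXINSNS:
        raise ValueError("program longer than BPF_MAXINSNS")
    return insns

def arches_checked(blob):
    """AUDIT_ARCH values the filter compares against seccomp_data.arch.
    Heuristic linear scan: it ignores jump targets and only tracks whether
    the accumulator was last loaded from the arch field."""
    found, acc_is_arch = set(), False
    for code, _jt, _jf, k in decode(blob):
        if code == LD_W_ABS:
            acc_is_arch = (k == ARCH_OFFSET)
        elif code == JEQ_K and acc_is_arch:
            found.add(k)
    return found

def filter_matches_machine(blob, machine):
    """True if the filter checks for the AUDIT_ARCH of this machine name."""
    return AUDIT_ARCH[machine] in arches_checked(blob)

# Constructed sample: a 5-instruction filter that only accepts 32-bit ARM.
SAMPLE_ARM = b"".join(INSN.pack(*i) for i in [
    (LD_W_ABS, 0, 0, ARCH_OFFSET),
    (JEQ_K, 1, 0, AUDIT_ARCH["armv7l"]),
    (RET_K, 0, 0, 0x00000000),  # SECCOMP_RET_KILL_THREAD
    (LD_W_ABS, 0, 0, 0),        # load syscall number
    (RET_K, 0, 0, 0x7FFF0000),  # SECCOMP_RET_ALLOW
])
```

To check a real file, pass its bytes (read with `open(path, "rb").read()`) together with the output of `uname --machine`.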