Enable clock_gettime through seccomp, required by 580.

[baldvin-kovacs]

After upgrading to nvidia 580.76.05-6 from nvidia 575.64.05-4, my Incus containers failed to boot up.

Running Incus in debug mode, I could find this log line:

lxc baldvin-test2 20250828094627.156 DEBUG utils - ../src/lxc/utils.c:run_buffer:560 - Script exec /usr/share/lxc/hooks/nvidia produced output: nvidia-container-cli: ldcache error: process /usr/bin/ldconfig terminated with signal 9

Inserting strace into /usr/share/lxc/hooks/nvidia, the strace output had 600MB+ worth of

clock_gettime(CLOCK_MONOTONIC, 0x7fff12e98060) = -1 EPERM (Operation not permitted)

This CL adds clock_gettime to the list of permitted calls, which fixed the issue on my machine.

[greyltc]

this PR fixes https://gitlab.archlinux.org/archlinux/packaging/packages/nvidia-container-toolkit/-/issues/4

[elezar]

I don't really see how the driver upgrade would cause this. From the perspective of ldconfig which is being run to update the ldcache in the container the driver libraries are opague.

@baldvin-kovacs do you know what is triggering the clock_gettime call as part of updating the ldconfig?

[baldvin-kovacs]

I don't really see how the driver upgrade would cause this. From the perspective of ldconfig which is being run to update the ldcache in the container the driver libraries are opague.

@baldvin-kovacs do you know what is triggering the clock_gettime call as part of updating the ldconfig?

Sorry, no clue. I just know that after the upgrade, my incus containers stopped working. I was stracing it, and saw this call rejected. I made this change, and all of a sudden my incus containers were working again :)

So yes, it can be a change in other systems --- can be that this particular call was made earlier too, but the execution environment never rejected it, and now that became more strict. Unfortunately I just upgraded with a pacman -Syu, so not separately the nvidia driver. I did not trace back the issue to a change of the nvidia driver versus a change of the execution environment, sorry...

[elezar]

@baldvin-kovacs would you be able to sign-off your commit as required by the DCO? Otherwise I could create a PR with this change.

[elezar]

@baldvin-kovacs we should be able to verify that it's not specific to the driver by running ldconfig through strace on the host system directly.

[elezar]

@lahwaacz have you been able to narrow down the change in ldconfig that requires this additional syscall?

[lahwaacz]

No, I did not debug this at all.

[elezar]

I created #326 to be able to get this in before the upcoming v1.18.0 release.

[jgehrcke]

Especially given the CLOCK_MONOTONIC argument this is likely used to implement a deadline / timeout criterion, and whatever component tries to do that probably rightfully does so.