
botamusique: too strict systemd hardening #205702

Closed
Elinvention opened this issue Dec 12, 2022 · 3 comments · Fixed by #205785

@Elinvention
Contributor

Describe the bug

I couldn't use botamusique because its default SystemCallFilter is too strict: it prevents yt-dlp from running ffmpeg:

yt_dlp.utils.DownloadError: ERROR: Preprocessing: ffmpeg not found. Please install or provide the path using --ffmpeg-location

Disabling SystemCallFilter solves this issue, although a proper fix should be implemented.

  systemd.services.botamusique = {
    serviceConfig = {
      SystemCallFilter = lib.mkForce [ ];
    };
  };

Steps To Reproduce

Steps to reproduce the behavior:

  1. configure botamusique with minimal config
  2. add a youtube video
  3. bot can't reproduce music

Expected behavior

Bot should reproduce audio from youtube videos via yt-dlp.

Notify maintainers

@mweinelt

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.80-hardened1, NixOS, 22.11 (Raccoon), 22.11.839.9c5e57f38db`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.11.0`
 - channels(root): `"nixos-22.11, nixos-unstable"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
@mweinelt
Member

Do you see any audit log entries in your journal when that happens?

@mweinelt
Member

Easily reproduced and likely introduced in an ffmpeg update.

kernel: audit: type=1326 audit(1670855512.408:62): auid=4294967295 uid=65183 gid=65183 ses=4294967295 subj=kernel pid=415184 comm="ffmpeg" exe="/nix/store/alc73dph2v9wsx6w60sadjy9r8iw886f-ffmpeg-4.4.2-bin/bin/ffmpeg" sig=31 arch=c000003e syscall=238 compat=0 ip=0x7f660d1cfd3d code=0x80000000

It's trying to use set_mempolicy (syscall=238) and we should just allow @resources.
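The diagnosis above (an audit record of type 1326, syscall 238 on x86_64, the process killed with SIGSYS) is the routine way to find out which syscall a seccomp filter has denied. The following is an added example, not code from nixpkgs, systemd or this issue's fix: it parses such a kernel audit line, decodes the syscall number into a name and into the systemd `SystemCallFilter` group that would permit it, and proposes the extended filter list. The syscall table is a small subset of the x86_64 table, and the `@resources` membership list is an assumption based on systemd 252; on a real host, `systemd-analyze syscall-filter @resources` is the authoritative source. The sample line is the one quoted in the comment above.

```python
"""Decode a seccomp audit record and map the denied syscall to a systemd filter group.

Added example (not part of nixpkgs or systemd). Group membership and the syscall
subset below are assumptions to be verified with `systemd-analyze syscall-filter`.
"""
import re

SECCOMP_AUDIT_TYPE = 1326            # AUDIT_SECCOMP: emitted when seccomp denies a syscall
AUDIT_ARCH_X86_64 = "c000003e"       # value of the arch= field for x86_64
SIGSYS = 31                          # signal delivered on a seccomp kill
SECCOMP_RET_KILL_PROCESS = 0x80000000  # code= field: whole process killed

# Subset of the x86_64 syscall numbers (from the kernel's syscall_64.tbl).
X86_64_SYSCALLS = {
    56: "clone", 59: "execve", 141: "setpriority", 160: "setrlimit",
    203: "sched_setaffinity", 237: "mbind", 238: "set_mempolicy",
    239: "get_mempolicy", 256: "migrate_pages", 279: "move_pages",
    302: "prlimit64",
}

# Assumed members of systemd's @resources group (systemd 252); re-check on the host.
SYSTEMD_GROUPS = {
    "@resources": {
        "ioprio_set", "mbind", "migrate_pages", "move_pages", "nice",
        "sched_setaffinity", "sched_setattr", "sched_setparam",
        "sched_setscheduler", "set_mempolicy", "setpriority",
        "setrlimit", "prlimit64",
    },
}

# Audit line quoted in the issue (journal prefix included, as it appears there).
SAMPLE_LINE = (
    'kernel: audit: type=1326 audit(1670855512.408:62): auid=4294967295 uid=65183 '
    'gid=65183 ses=4294967295 subj=kernel pid=415184 comm="ffmpeg" '
    'exe="/nix/store/alc73dph2v9wsx6w60sadjy9r8iw886f-ffmpeg-4.4.2-bin/bin/ffmpeg" '
    'sig=31 arch=c000003e syscall=238 compat=0 ip=0x7f660d1cfd3d code=0x80000000'
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_INT_FIELDS = {"type", "pid", "uid", "gid", "syscall", "sig", "compat"}


def parse_seccomp_audit(line):
    """Return the key=value fields of a type=1326 record as a dict, or None otherwise."""
    fields = {}
    for key, value in _KV.findall(line):
        value = value.strip('"')
        if key in _INT_FIELDS:
            value = int(value)
        elif key == "code":
            value = int(value, 16)   # hex seccomp return action
        fields[key] = value
    if fields.get("type") != SECCOMP_AUDIT_TYPE:
        return None
    return fields


def describe(rec):
    """Resolve the syscall name, its systemd group, and whether the process was killed."""
    name = None
    if rec.get("arch") == AUDIT_ARCH_X86_64:
        name = X86_64_SYSCALLS.get(rec["syscall"])
    group = next((g for g, members in SYSTEMD_GROUPS.items() if name in members), None)
    return {
        "syscall_name": name or f"syscall {rec['syscall']}",
        "group": group,
        "killed": rec.get("sig") == SIGSYS and rec.get("code") == SECCOMP_RET_KILL_PROCESS,
    }


def suggest_filter(current, rec):
    """Return the SystemCallFilter list extended by the group that covers the denied syscall."""
    info = describe(rec)
    if info["group"] is None or info["group"] in current:
        return list(current)
    return list(current) + [info["group"]]


if __name__ == "__main__":
    record = parse_seccomp_audit(SAMPLE_LINE)
    info = describe(record)
    print(f"{record['comm']} (pid {record['pid']}) denied {info['syscall_name']}; "
          f"killed={info['killed']}; allow via {info['group']}")
    print("SystemCallFilter =", suggest_filter(["@system-service"], record))
```

The point of keeping the group lookup separate from the parser is that the fix should widen the filter by the smallest systemd group that contains the denied call rather than by dropping the filter, which is what the workaround in the issue body does.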

mweinelt added a commit to mweinelt/nixpkgs that referenced this issue Dec 12, 2022
Calls to ffmpeg from botamusique require the `set_mempolicy` syscall.

Fixes: NixOS#205702
github-actions bot pushed a commit that referenced this issue Dec 12, 2022
Calls to ffmpeg from botamusique require the `set_mempolicy` syscall.

Fixes: #205702
(cherry picked from commit d6f4f45)
@Elinvention
Contributor Author

Thanks for your quick response and fix!
