BIND server is broken with seccomp enabled

[peti]

I recently tried to update a kvm-virtualized server I run with NixOS to release-17.03. The result was that the named server is completely broken. It freezes at startup, regardless of what configuration I run it with, and then it cannot be terminated except with SIGKILL. The systemd journal and dmesg contain no helpful output. I used strace on the process and got these last lines:

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=35, filter=0x87dfa0}) = 0
getpid()                                = ?

I re-compiled BIND with seccomp disabled, and then everything worked fine, so I'm pretty sure that's the cause of this problem.

That issue feels rather serious.

Cc: @fpletz
Possibly related: #23431

[fpletz]

Thanks! I wasn't hitting this because I was using bind in another environment.

[dudebout]

@fpletz just a heads up, BIND is dropping seccomp support: https://gitlab.isc.org/isc-projects/bind9/issues/93