You are not logged in.

#1 2024-09-14 16:06:49

mr-andersson
Member
Registered: 2020-08-06
Posts: 7

[SOLVED] pacman 7 - landlock is not supported by the kernel!

Hello,

After updating pacman to 7.0.0.r3.g7736133-1 I get an error message when trying to update.

# pacman -Sy
:: Synchronizing package databases...
core                                                              117.7 KiB  1471 KiB/s 00:00 [#######################################################] 100%
extra                                                               7.4 MiB  11.3 MiB/s 00:01 [#######################################################] 100%
error: restricting filesystem access failed because landlock is not supported by the kernel!

After downgrading to previous version pacman-6.1.0-3 this error goes away.

What is landlock and why is it not supported by my kernel?

--
Br / David

Last edited by mr-andersson (2024-09-14 17:46:05)

Offline

#2 2024-09-14 16:58:21

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,082

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

What is your kernel? Pacman 7 added a sandbox for the downloaduser, read the current news item, or pass --disable-sandbox or configure the DisableSandbox option if you really need to use a kernel without landlock.

See https://gitlab.archlinux.org/pacman/pac … type=heads as well

Last edited by V1del (2024-09-14 16:59:54)

Offline

#3 2024-09-14 17:36:18

mr-andersson
Member
Registered: 2020-08-06
Posts: 7

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

Ah, I'm running arch in a container under Proxmox. That's why it was missing landlock in my kernel.

Running pacman with --disable-sandbox mitigated the issue. Thanks!



The work around solution, while not having recompile your kernel with landlock support.

If you want to continue to run pacman without the above switch each time, you can just uncomment line 39: DisableSandbox in /etc/pacman.conf like so

DisableSandbox

Last edited by mr-andersson (2024-09-22 14:03:10)

Offline

#4 2024-09-15 20:38:07

xerxes_
Member
Registered: 2018-04-29
Posts: 768

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

Where are packages temporarily downloaded in this sandbox? I hope it is not /tmp dir or RAM, because I have to many packages.

Offline

#5 2024-09-16 12:48:40

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,902

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

In the same location as before (/var/cache/pacman/pkg by default) ?

From what I understand of the MRs that added this, the sandbox uses a dedicated user to restrict downloads to the designated areas.

Until pacman 7 downloads where done with root rights so could potentially overwrite stuff anywhere on the system.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#6 2024-09-21 13:09:20

aminvakil
Member
From: Tehran
Registered: 2019-08-01
Posts: 30
Website

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

Yeah, I've faced the same problem and I am here, in proxmox containers where you are running everything with root user it's safe to disable this option either way.

Offline

#7 2024-10-26 16:42:55

archdub
Member
From: Dublin, Ireland
Registered: 2018-03-04
Posts: 63

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

I got the same message as the OP because I am running kernel 6.1 from AUR. 
I have the setting: 
DownloadUser = alpm 
If I do:
ls -l /var/cache/pacman/pkg 
I was expecting recently downloaded packages to be owned by alpm  but that is not the case, all are owned by root.
Any ideas?

Offline

#8 2024-10-26 17:07:17

Scimmia
Fellow
Registered: 2012-09-01
Posts: 12,055

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

If you don't have landlock V3, the download sandbox will not work and the DownloadUser will not be used at all.

Offline

#9 2024-10-26 22:08:08

archdub
Member
From: Dublin, Ireland
Registered: 2018-03-04
Posts: 63

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

Scimmia wrote:

If you don't have landlock V3, the download sandbox will not work and the DownloadUser will not be used at all.

Thanks, I think I will have to read up on landlock.
Running the command below it seems that landlock is on in the kernel I am using.
zcat /proc/config.gz | grep -i landlock
CONFIG_SECURITY_LANDLOCK=y
CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"

However according to the landlock man page, LANDLOCK_ACCESS_FS_TRUNCATE is only available with landlock ABI v3 in linux version 6.2 even if the 6.1 kernel has a bunch of other landlock features. Perhaps DownloadUser uses the only  feature not present in 6.1 (LANDLOCK_ACCESS_FS_TRUNCATE).
https://man.archlinux.org/man/landlock.7

I commented out "DownloadUser = alpm" in /etc/pacman.conf even if most likely doing so is redundant in my case.

Thanks again for your help. I think I will stop here.

Last edited by archdub (2024-10-26 22:10:23)

Offline

#10 2024-10-27 07:47:31

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,471
Website

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

Scimmia wrote:

If you don't have landlock V3, the download sandbox will not work and the DownloadUser will not be used at all.

Are you sure?

Offline

#11 2024-10-27 08:15:21

archdub
Member
From: Dublin, Ireland
Registered: 2018-03-04
Posts: 63

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

Allan wrote:
Scimmia wrote:

If you don't have landlock V3, the download sandbox will not work and the DownloadUser will not be used at all.

Are you sure?

That is a question that I asked myself earlier.
Quite clearly the feature does not work with the 6.1 kernel, that is the kernel that I am using, also came across a post in the Manjaro forum in which someone said that he had the problem with 6.1 and when upgraded to 6.6 the problem disappeared.
I took a 30 seconds look at the gitlab review where this feature in pacman v. 7 is discussed. It was not immediately obvious to me that LANDLOCK_ACCESS_FS_TRUNCATE is used or needed to implement the new feature. It would take me much longer to understand how it works.

As an aside, in hindsight the news item could have mentioned old kernels from the AUR. I read the news item even before it was published in the dev-public mailing list but because it mentioned only local repos it did not occur to me that I would have a problem with an AUR kernel. This was a lesson learned for me, my PC having AUR packages is a local repo even if it is not what I normally understood by the term!

Note: I have already changed this post several times to correct errors!

Last edited by archdub (2024-10-27 08:54:33)

Offline

#12 Yesterday 08:02:23

souhaiebtar
Member
Registered: Yesterday
Posts: 1

Re: [SOLVED] pacman 7 - landlock is not supported by the kernel!

mr-andersson wrote:

Ah, I'm running arch in a container under Proxmox. That's why it was missing landlock in my kernel.

Running pacman with --disable-sandbox mitigated the issue. Thanks!



The work around solution, while not having recompile your kernel with landlock support.

If you want to continue to run pacman without the above switch each time, you can just uncomment line 39: DisableSandbox in /etc/pacman.conf like so

https://i.imgur.com/ZFlT3o0.png

what terminal is this ? (sorry smile

Offline

Board footer

Powered by FluxBB