✘Bad system call

Gary E. Miller gem at rellim.com
Sun Oct 26 03:20:11 UTC 2025 

Yo All!

My ntpd is broken.  Seems to be seccomp related:

I start ntpd this  way:

~ # ntpd -gnN

[...]

2025-10-25T20:05:04 ntpd[2035]: INIT: sandbox: seccomp enabled.
2025-10-25T20:05:04 ntpd[2035]: NTSs: loaded certificate (chain) from /etc/letsencrypt/live/kong.rellim.com/fullchain.pem
2025-10-25T20:05:04 ntpd[2035]: NTSs: loaded private key from /etc/letsencrypt/live/kong.rellim.com/privkey.pem
2025-10-25T20:05:04 ntpd[2035]: NTSs: Private Key OK
Bad system call            ntpd -gnN

When I disable building with seccomp, all works fine.

How does one debug this?

When I run ntpd this way:

~ # strace ntpd -gnN

[...]

write(4, "2025-10-25T20:06:56 ntpd[2064]: "..., 53) = 53
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f26b0e3cb50, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f26b0de8a20}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
mmap(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f26b0521000
madvise(0x7f26b0521000, 4096, MADV_GUARD_INSTALL) = -1 EINVAL (Invalid argument)
mprotect(0x7f26b0521000, 4096, PROT_NONE) = 0
rt_sigprocmask(SIG_BLOCK, ~[], ~[KILL STOP RTMIN RT_1], 8) = 0
clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f26b0d21990, parent_tid=0x7f26b0d21990, exit_signal=0, stack=0x7f26b0521000, stack_size=0x7fff80, tls=0x7f26b0d216c0} <unfinished ...>) = ?
+++ killed by SIGSYS +++
Bad system call            strace ntpd -gnN

Looks like clone3() is already an allowed system call.

Ideas?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20251025/b1bd809b/attachment.bin>

More information about the devel mailing list