On 2017-02-19 13:17, Martin Gräßlin wrote:
But I'm not able to authenticate any more. The seccomp filter gets inherited by forked processes and cannot be disabled any more (the idea is that you cannot escape the sandbox). KScreenlocker forks+execs kcheckpass and that somehow opens a file in write mode for the pam interaction.
Some additional findings. kcheckpass fails by just activating seccomp without any rules at all except allow all. With the help of /var/log/auth.log I figured out that kcheckpass invokes unix_chkpwd which is setuid and once seccomp is installed one isn't allowed to gain more privs by e.g. forking into a setuid binary. So I start to understand the problem ;-)
Cheers
Martin
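The behaviour described in the mail above, as an added example that is not part of the original message or of the KScreenlocker code: a minimal C probe that installs an allow-all seccomp filter in a throwaway child and checks that both the filter and the no_new_privs flag are still present after a further fork. The function names are hypothetical; it assumes a Linux kernel with seccomp filter support and uses the raw prctl interface.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in a throwaway child so the caller itself stays unfiltered.
 * Exit code bit 0: no_new_privs seen after fork; bit 1: filter mode seen. */
static void sandbox_then_fork(void)
{
    struct sock_filter allow_all[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = allow_all };

    /* Unprivileged processes must set no_new_privs before installing a filter;
     * from then on execve() no longer honours setuid/setgid bits. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(100);
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) _exit(101);

    pid_t pid = fork();
    if (pid < 0) _exit(102);
    if (pid == 0) {
        int bits = 0;
        if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1) bits |= 1;
        if (prctl(PR_GET_SECCOMP, 0, 0, 0, 0) == SECCOMP_MODE_FILTER) bits |= 2;
        _exit(bits);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) _exit(103);
    _exit(WEXITSTATUS(status));
}

/* Returns 3 when both properties were inherited, >= 100 on setup failure. */
int probe_inheritance(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) sandbox_then_fork();
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("inheritance bits: %d\n", probe_inheritance());
    return 0;
}
```

Even with a filter that allows every syscall, the no_new_privs flag is set and cannot be cleared, which is why a setuid helper started from the sandboxed process runs without its elevated privileges.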