Date: Wed, 10 Jun 2026 11:30:07 +0300
From: Konstantin Belousov
To: Oleg Nauman
Cc: FreeBSD Current
Subject: Re: "CAP system call not allowed" for linux apllications
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Wed, Jun 10, 2026 at 09:19:14AM +0300, Oleg Nauman wrote:
> I have updated my CURRENT amd64 to c3d8aca1d43e and discovered that
> linux applications fail to run.
> It seems the failure reason is capsicum that blocks execution of linux
> syscalls, for example from ktrace/kdump output:
>
> CALL linux_socket(0x1,0x80001,0)
> CAP system call not allowed: linux_clock_gettime
> CAP system call not allowed: linux_socket
> RET linux_socket 8
> CALL linux_clock_gettime 0
> CALL linux_connect(0x8,0x7fffffffb450,0x14)
> CALL linux_clock_gettime(CLOCK_MONOTONIC,0x825829310)
> CAP system call not allowed: linux_connect
> CAP system call not allowed: linux_clock_gettime
> NAMI ""
> RET linux_connect -1 errno -88 Socket operation on non-socket
> RET linux_clock_gettime 0
> CALL close(0x8)
> CALL linux_poll(0x8280054d0,0x2,0x6221)
> CAP system call not allowed: linux_poll
> CAP system call not allowed: close
> RET close 0
> RET linux_poll 1
> CALL linux_clock_gettime(CLOCK_MONOTONIC,0x825829300)
> CAP system call not allowed: linux_clock_gettime
> CALL linux_write(0x2,0x7fffffff92d0,0x2c)
> CAP system call not allowed: linux_write
> RET linux_clock_gettime 0
> GIO fd 2 wrote 44 bytes
> "qt.qpa.xcb: could not connect to display :0
> "

I cannot reproduce it, for me HEAD just worked.

The trace above is also strange, if you look, the syscalls report
successful results, it looks like the 'CAP' records intervene out of
thin air.
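
The comparison made in the reply, CAP records against the results the syscalls actually returned, can be done mechanically. The sketch below is an added example, not part of the original message or of FreeBSD's tools; it pairs each `CAP system call not allowed` record with the `RET` records for the same syscall name. Pairing by name alone is an assumption (the quoted excerpt carries no pid or thread columns), and `SAMPLE` is a subset of the quoted trace lines.

```python
import re
from collections import defaultdict

# Subset of the kdump lines quoted above, mail quote markers removed.
SAMPLE = """\
CALL linux_socket(0x1,0x80001,0)
CAP system call not allowed: linux_clock_gettime
CAP system call not allowed: linux_socket
RET linux_socket 8
CALL linux_connect(0x8,0x7fffffffb450,0x14)
CAP system call not allowed: linux_connect
CAP system call not allowed: linux_clock_gettime
RET linux_connect -1 errno -88 Socket operation on non-socket
RET linux_clock_gettime 0
CALL close(0x8)
CAP system call not allowed: linux_poll
CAP system call not allowed: close
RET close 0
RET linux_poll 1
CAP system call not allowed: linux_write
"""

CAP_RE = re.compile(r"^CAP system call not allowed: (\w+)$")
RET_RE = re.compile(r"^RET (\w+) (\S+)(?: errno (-?\d+) (.*))?$")

def cap_vs_ret(text):
    """Map each syscall named in a CAP record to the RET outcomes seen for it."""
    flagged, rets = set(), defaultdict(list)
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail quote markers
        if m := CAP_RE.match(line):
            flagged.add(m.group(1))
        elif m := RET_RE.match(line):
            name, value, errno, msg = m.groups()
            rets[name].append(("error", int(errno), msg) if errno else ("ok", value))
    return {name: rets.get(name, []) for name in sorted(flagged)}

def classify(report):
    """Split flagged syscalls into succeeded / failed / no RET in the excerpt."""
    out = {"succeeded": [], "failed": [], "no_ret": []}
    for name, results in report.items():
        if not results:
            out["no_ret"].append(name)
        elif any(r[0] == "error" for r in results):
            out["failed"].append(name)
        else:
            out["succeeded"].append(name)
    return out

if __name__ == "__main__":
    for bucket, names in classify(cap_vs_ret(SAMPLE)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

To check a whole trace, pass the full `kdump` output to `cap_vs_ret()` in place of `SAMPLE`; for each failed entry the report keeps the errno and message from its `RET` line.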