[SRU] seccomp filters backport for Mako
Bug #1509489 reported by
Kyle Fazzari
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux-mako (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Vivid |
Fix Committed
|
Undecided
|
Kyle Fazzari | ||
Wily |
Won't Fix
|
Undecided
|
Kyle Fazzari | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
* The snappy confinement model utilizes both apparmor and seccomp filters, and while the former is supported by the phone kernel, the latter is not. Snappy cannot be used on the mako, krillin, or vegetahd without seccomp filters being backported.
[Test Case]
* Run the tests located here:
They will fail without this change.
[Regression Potential]
* Potential AppArmor regression regarding its use of no_new_privs, since it was previously a fake implementation to facilitate the v3 backport.
[Other Info]
* Backport is from mainline.
* Backport only includes seccomp filters introduced in v3.5 (e.g. does not include syscall or tsync).
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
summary: |
- No support for seccomp filters + [SRU] seccomp filters backport for Mako |
Changed in linux-mako (Ubuntu Wily): | |
assignee: | nobody → Kyle Fazzari (kyrofa) |
status: | New → Fix Committed |
Changed in linux-mako (Ubuntu Vivid): | |
assignee: | nobody → Kyle Fazzari (kyrofa) |
status: | New → Fix Committed |
To post a comment you must log in.
This bug was fixed in the package linux-mako - 3.4.0-7.40
---------------
linux-mako (3.4.0-7.40) xenial; urgency=low
[ Kyle Fazzari ]
* SAUCE: Enable SECCOMP_FILTER on mako.
- LP: #1509489
* SAUCE: Remove fake no_new_privs.
- LP: #1509489
* SAUCE: Make sure userspace sees an ENOSYS for no tracer.
- LP: #1509489
* SAUCE: Add seccomp selftests.
- LP: #1509489
[ Upstream Kernel Changes ]
* Add PR_{GET, SET}_NO_ NEW_PRIVS to prevent execve from granting privs SET}_NO_ NEW_PRIVS SECCOMP_ LD_W c,linux/ filter. h: share compat_sock_fprog SECCOMP_ FILTER filter SECCOMP_ FILTER SECCOMP_ FILTER
- LP: #1509489
* Fix execve behavior apparmor for PR_{GET,
- LP: #1509489
* sk_run_filter: add BPF_S_ANC_
- LP: #1509489
* net/compat.
- LP: #1509489
* seccomp: kill the seccomp_t typedef
- LP: #1509489
* asm/syscall.h: add syscall_get_arch
- LP: #1509489
* arch/x86: add syscall_get_arch to syscall.h
- LP: #1509489
* seccomp: add system call filtering using BPF
- LP: #1509489
* seccomp: remove duplicated failure logging
- LP: #1509489
* seccomp: add SECCOMP_RET_ERRNO
- LP: #1509489
* signal, x86: add SIGSYS info and make it synchronous.
- LP: #1509489
* seccomp: Add SECCOMP_RET_TRAP
- LP: #1509489
* ptrace,seccomp: Add PTRACE_SECCOMP support
- LP: #1509489
* x86: Enable HAVE_ARCH_
- LP: #1509489
* Documentation: prctl/seccomp_
- LP: #1509489
* seccomp: use a static inline for a function stub
- LP: #1509489
* seccomp: ignore secure_computing return values
- LP: #1509489
* seccomp: fix build warnings when there is no CONFIG_
- LP: #1509489
* samples/seccomp: fix dependencies on arch macros
- LP: #1509489
* ARM: 7373/1: add support for the generic syscall.h interface
- LP: #1509489
* ARM: 7374/1: add TRACEHOOK support
- LP: #1509489
* ARM: 7456/1: ptrace: provide separate functions for tracing syscall
{entry,exit}
- LP: #1509489
* ARM: 7577/1: arch/add syscall_get_arch
- LP: #1509489
* ARM: 7578/1: arch/move secure_computing into trace
- LP: #1509489
* ARM: 7579/1: arch/allow a scno of -1 to not cause a SIGILL
- LP: #1509489
* ARM: 7580/1: arch/select HAVE_ARCH_
- LP: #1509489
-- Tim Gardner <email address hidden> Wed, 28 Oct 2015 09:44:02 -0600