seccomp argument filtering not working properly on any distro that uses upstream golang-seccomp 0.9.0
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd |
Fix Released
|
Low
|
Jamie Strandboge |
Bug Description
In diagnosing another issue, I discovered that on Fedora 28, seccomp works for simple syscalls but not with argument filtering.
On Ubuntu, notice:
$ snap version
snap 2.38+19.04
snapd 2.38+19.04
series 16
ubuntu 19.04
kernel 5.0.0-8-generic
$ sudo snap install test-snapd-tools
$ sudo snap run --strace test-snapd-
[pid 25015] setpriority(
On Fedora 28:
$ snap version
snap 2.38-2.fc28
snapd 2.38-2.fc28
series 16
fedora 28
kernel 5.0.7-100.
$ sudo snap install test-snapd-tools
$ sudo snap run --strace test-snapd-
[pid 11788] setpriority(
If we adjust /var/lib/
#setpriority PRIO_PROCESS 0 <=19
then do, we correctly see it is denied:
$ sudo /usr/libexec/
[pid 12348] setpriority(
then if we add back just the syscall without argument filtering, it succeeds, as expected:
$ sudo /usr/libexec/
[pid 13127] setpriority(
If we try to allow a specific value (eg, '9'), then we can see it correctly allows a nice of '9' but incorrectly also allows both '8' and '10':
$ sudo /usr/libexec/
[pid 14272] setpriority(
$ sudo snap run --strace test-snapd-
[pid 15096] setpriority(
$ sudo snap run --strace test-snapd-
[pid 15422] setpriority(
It seems that fedora-28 is not using mvo's seccomp-golang. Not sure if this has anything to do with this.
The same behavior happens on Debian:
$ SNAP_REEXEC=0 snap version
snap 2.38
snapd 2.38
series 16
debian -
kernel 4.19.0-4-amd64
$ SNAP_REEXEC=0 sudo snap run --strace test-snapd-
[pid 1484] setpriority(
Interestingly, re-enabling reexec it starts to work on sid with 2.38:
$ snap version
snap 2.38
snapd 2.38
series 16
debian -
kernel 4.19.0-4-amd64
$ sudo snap run --strace test-snapd-
[pid 1643] setpriority(
description: | updated |
summary: |
- seccomp argument filtering not working on Fedora + seccomp argument filtering not working on Fedora and Debian |
description: | updated |
summary: |
- seccomp argument filtering not working on Fedora and Debian + seccomp argument filtering not working on Fedora with 2.38 and Debian + with 2.37.4 |
summary: |
- seccomp argument filtering not working on Fedora with 2.38 and Debian - with 2.37.4 + seccomp argument filtering not working on and distro that uses upstream + golang-seccomp 0.9.0 |
This is technically a security bug but not marking it as such because without file mediation the seccomp policy provides no real protection (the security technologies are meant to work together).