snapd

snapd 2.25+201705082317.git.3ff5a56~ubuntu16.04.1 breaks seccomp handling

Bug #1689536 reported by Oliver Grawert
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snapd
Fix Released
High
Jamie Strandboge

Bug Description

trying to configure wifi-ap via "sudo wifi-ap.setup-wizard" on a very recent edge core snap makes seccomp block the "socket" syscall... (the command just hangs silently then)

syslog: http://paste.ubuntu.com/24542320/
wifi-ap seccomp profile: http://paste.ubuntu.com/24542345/

this is with core 1876 (edge) on a pi3 which uses:
ogra@pi3:~$ snap version
snap 2.25+201705082317.git.3ff5a56~ubuntu16.04.1
snapd 2.25+201705082317.git.3ff5a56~ubuntu16.04.1
series 16
kernel 4.4.0-1051-raspi2

rolling back to core 1805 (beta) with:
ogra@pi3:~$ snap version
snap 2.25
snapd 2.25
series 16
kernel 4.4.0-1051-raspi2

makes everything work fine ...
the profile has a FIXME pointing to bug #1446748 ... apparently something related to argument filtering landed recently in snapd, could that cause this issue ?

Oliver Grawert (ogra)
summary: - snapd 2.25+201705082317.git.3ff5a56~ubuntu16.04.1 breaks secomp
+ snapd 2.25+201705082317.git.3ff5a56~ubuntu16.04.1 breaks seccomp
handling
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Is wifi-ap using a netlink socket? Can you strace it?

Revision history for this message
Zygmunt Krynicki (zyga) wrote :

/me puts his 0.99 coin on seccomp killing us on netlink.

# socket AF_NETLINK - -

The profile no longer allows netlink (where it previosuly did) so I bet this is the case.

Jamie Strandboge (jdstrand)
Changed in snapd:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The rule that is missing is:

socket AF_NETLINK - NETLINK_ROUTE

This is in several interfaces: network-bind, network-observe, network-control, but the command only plugs 'network'. I'm investigating what the command is doing to understand if the above rule should be added to 'network' or to discuss other options.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

It looks on ARM, these go calls require NETLINK_ROUTE:

- net.Interfaces()
- net.InterfaceAddrs()

Curiously, NETLINK_ROUTE is not needed for these on x86. Technically, these two calls are in the domain of 'network-observe', 'network-bind' and 'network-control' and not 'network'.

For series 16 I think we should add this to 'network' to not break existing applications on ARM that only plugs 'network', in part because both network and network-bind are autoconnected and there is therefore no appreciable difference security-wise wrt install time interface connections.

For series 18 (or whenever we start having different policy), we can consider removing NETLINK_ROUTE from the 'network' policy since that is more correct.

Changed in snapd:
status: Triaged → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

https://github.com/snapcore/snapd/pull/3285

Revision history for this message
Zygmunt Krynicki (zyga) wrote :

Thank you for debugging this. Interesting insight. I would love to know why it is arch specific but I guess that requires a deep dive into the kernel.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

For posterity, it looks like x86 4.10 kernel doesn't need it, but x86 4.4 kernel does along with armhf.

Revision history for this message
Zygmunt Krynicki (zyga) wrote :

I'm marking this as fix released since the PR linked above landed and was released along with 2.27.2 (or earlier).

Changed in snapd:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.