snapd

Bug #1825052
Comment #0

Comment 0 for bug 1825052

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2019-04-16: seccomp argument filtering not working on Fedora

In diagnosing another issue, I discovered that on Fedora 28, seccomp works for simple syscalls but not with argument filtering.

On Ubuntu, notice:
$ snap version
snap 2.38+19.04
snapd 2.38+19.04
series 16
ubuntu 19.04
kernel 5.0.0-8-generic

$ sudo snap install test-snapd-tools

$ sudo snap run --strace test-snapd-tools.cmd nice -n -10 uptime 2>&1 | grep setpriority
[pid 25015] setpriority(PRIO_PROCESS, 0, -10) = -1 EPERM (Operation not permitted)

On Fedora 28:

$ snap version
snap 1337.2.38.1-0.fc28
snapd 1337.2.38.1-0.fc28
series 16
fedora 28
kernel 5.0.7-100.fc28.x86_64

$ sudo snap install test-snapd-tools

$ sudo snap run --strace test-snapd-tools.cmd nice -n -10 uptime 2>&1 | grep setpriority
[pid 11788] setpriority(PRIO_PROCESS, 0, -10) = 0

If we adjust /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.src to have:
#setpriority PRIO_PROCESS 0 <=19

then do, we correctly see it is denied:
$ sudo /usr/libexec/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.src /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.bin && sudo snap run --strace test-snapd-tools.cmd nice -n -10 uptime 2>&1 | grep setpriority
[pid 12348] setpriority(PRIO_PROCESS, 0, -10) = -1 EPERM (Operation not permitted)

then if we add back just the syscall without argument filtering, it succeeds, as expected:
$ sudo /usr/libexec/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.src /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.bin && sudo snap run --strace test-snapd-tools.cmd nice -n -10 uptime 2>&1 | grep setpriority
[pid 13127] setpriority(PRIO_PROCESS, 0, -10) = 0

If we try to allow a specific value (eg, '9'), then we can see it correctly allows a nice of '9' but incorrectly also allows both '8' and '10':

$ sudo /usr/libexec/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.src /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.bin && sudo snap run --strace test-snapd-tools.cmd nice -n 9 uptime 2>&1 | grep setpriority
[pid 14272] setpriority(PRIO_PROCESS, 0, 9) = 0

$ sudo snap run --strace test-snapd-tools.cmd nice -n 8 uptime 2>&1 | grep setpriority
[pid 15096] setpriority(PRIO_PROCESS, 0, 8) = 0

$ sudo snap run --strace test-snapd-tools.cmd nice -n 10 uptime 2>&1 | grep setpriority
[pid 15422] setpriority(PRIO_PROCESS, 0, 10) = 0

It seems that fedora-28 is not using mvo's seccomp-golang. Not sure if this has anything to do with this.

In diagnosing another issue, I discovered that on Fedora 28, seccomp works for simple syscalls but not with argument filtering.

On Ubuntu, notice:
$ snap version
snap    2.38+19.04
snapd   2.38+19.04
series  16
ubuntu  19.04
kernel  5.0.0-8-generic

$ sudo snap install test-snapd-tools

$ sudo snap run --strace test-snapd-tools.cmd nice -n -10 uptime 2>&1 | grep setpriority
[pid 25015] setpriority(PRIO_PROCESS, 0, -10) = -1 EPERM (Operation not permitted)

On Fedora 28:

$ snap version
snap    1337.2.38.1-0.fc28
snapd   1337.2.38.1-0.fc28
series  16
fedora  28
kernel  5.0.7-100.fc28.x86_64

$ sudo snap install test-snapd-tools

$ sudo snap run --strace test-snapd-tools.cmd nice -n -10 uptime 2>&1 | grep setpriority
[pid 11788] setpriority(PRIO_PROCESS, 0, -10) = 0

If we adjust /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.src to have:
#setpriority PRIO_PROCESS 0 <=19

If we try to allow a specific value (eg, '9'), then we can see it correctly allows a nice of '9' but incorrectly also allows both '8' and '10':

$ sudo snap run --strace test-snapd-tools.cmd nice -n 8 uptime 2>&1 | grep setpriority
[pid 15096] setpriority(PRIO_PROCESS, 0, 8) = 0

$ sudo snap run --strace test-snapd-tools.cmd nice -n 10 uptime 2>&1 | grep setpriority
[pid 15422] setpriority(PRIO_PROCESS, 0, 10) = 0

It seems that fedora-28 is not using mvo's seccomp-golang. Not sure if this has anything to do with this.