If we adjust /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.src to have:
#setpriority PRIO_PROCESS 0 <=19
then do, we correctly see it is denied:
$ sudo /usr/libexec/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.src /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.bin && sudo snap run --strace test-snapd-tools.cmd nice -n -10 uptime 2>&1 | grep setpriority
[pid 12348] setpriority(PRIO_PROCESS, 0, -10) = -1 EPERM (Operation not permitted)
then if we add back just the syscall without argument filtering, it succeeds, as expected:
$ sudo /usr/libexec/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.src /var/lib/snapd/seccomp/bpf/snap.test-snapd-tools.cmd.bin && sudo snap run --strace test-snapd-tools.cmd nice -n -10 uptime 2>&1 | grep setpriority
[pid 13127] setpriority(PRIO_PROCESS, 0, -10) = 0
If we try to allow a specific value (eg, '9'), then we can see it correctly allows a nice of '9' but incorrectly also allows both '8' and '10':
In diagnosing another issue, I discovered that on Fedora 28, seccomp works for simple syscalls but not with argument filtering.
On Ubuntu, notice:
$ snap version
snap 2.38+19.04
snapd 2.38+19.04
series 16
ubuntu 19.04
kernel 5.0.0-8-generic
$ sudo snap install test-snapd-tools
$ sudo snap run --strace test-snapd- tools.cmd nice -n -10 uptime 2>&1 | grep setpriority PRIO_PROCESS, 0, -10) = -1 EPERM (Operation not permitted)
[pid 25015] setpriority(
On Fedora 28:
$ snap version fc28.x86_ 64
snap 1337.2.38.1-0.fc28
snapd 1337.2.38.1-0.fc28
series 16
fedora 28
kernel 5.0.7-100.
$ sudo snap install test-snapd-tools
$ sudo snap run --strace test-snapd- tools.cmd nice -n -10 uptime 2>&1 | grep setpriority PRIO_PROCESS, 0, -10) = 0
[pid 11788] setpriority(
If we adjust /var/lib/ snapd/seccomp/ bpf/snap. test-snapd- tools.cmd. src to have:
#setpriority PRIO_PROCESS 0 <=19
then do, we correctly see it is denied: snapd/snap- seccomp compile /var/lib/ snapd/seccomp/ bpf/snap. test-snapd- tools.cmd. src /var/lib/ snapd/seccomp/ bpf/snap. test-snapd- tools.cmd. bin && sudo snap run --strace test-snapd- tools.cmd nice -n -10 uptime 2>&1 | grep setpriority PRIO_PROCESS, 0, -10) = -1 EPERM (Operation not permitted)
$ sudo /usr/libexec/
[pid 12348] setpriority(
then if we add back just the syscall without argument filtering, it succeeds, as expected: snapd/snap- seccomp compile /var/lib/ snapd/seccomp/ bpf/snap. test-snapd- tools.cmd. src /var/lib/ snapd/seccomp/ bpf/snap. test-snapd- tools.cmd. bin && sudo snap run --strace test-snapd- tools.cmd nice -n -10 uptime 2>&1 | grep setpriority PRIO_PROCESS, 0, -10) = 0
$ sudo /usr/libexec/
[pid 13127] setpriority(
If we try to allow a specific value (eg, '9'), then we can see it correctly allows a nice of '9' but incorrectly also allows both '8' and '10':
$ sudo /usr/libexec/ snapd/snap- seccomp compile /var/lib/ snapd/seccomp/ bpf/snap. test-snapd- tools.cmd. src /var/lib/ snapd/seccomp/ bpf/snap. test-snapd- tools.cmd. bin && sudo snap run --strace test-snapd- tools.cmd nice -n 9 uptime 2>&1 | grep setpriority PRIO_PROCESS, 0, 9) = 0
[pid 14272] setpriority(
$ sudo snap run --strace test-snapd- tools.cmd nice -n 8 uptime 2>&1 | grep setpriority PRIO_PROCESS, 0, 8) = 0
[pid 15096] setpriority(
$ sudo snap run --strace test-snapd- tools.cmd nice -n 10 uptime 2>&1 | grep setpriority PRIO_PROCESS, 0, 10) = 0
[pid 15422] setpriority(
It seems that fedora-28 is not using mvo's seccomp-golang. Not sure if this has anything to do with this.