I looked at this a little more and the pfc (generate with 'SNAP_SECCOMP_DEBUG=1 /usr/libexec/snapd/snap-seccomp compile /var/lib/snapd/seccomp/bpf/snap.hello-world.sh.src /tmp/snap.hello-world.sh.bin > /tmp/snap.hello-world.sh.pfc) on Fedora (libseccomp 2.3.3) is simply wrong for our 'setpriority PRIO_PROCESS 0 <=19' rule (note, on amd64, sepriority is '141' as seen with scmp_sys_resolver) since it isn't ANDing the arguments:
# filter for arch x86 (1073741827)
if ($arch == 1073741827)
...
# filter for syscall "setpriority" (141) [priority: 65529]
if ($syscall == 141)
if ($a0.hi32 == 0)
if ($a0.lo32 == 0)
action ALLOW;
if ($a1.hi32 == 0)
if ($a1.lo32 == 0)
action ALLOW;
if ($a2.hi32 >= 0)
if ($a2.lo32 > 19)
else
action ALLOW;
else
action ALLOW;
Debian unstable (libseccomp 2.3.3) is also wrong:
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
...
# filter for syscall "setpriority" (141) [priority: 65529]
if ($syscall == 141)
if ($a0.hi32 == 0)
if ($a0.lo32 == 0)
action ALLOW;
if ($a1.hi32 == 0)
if ($a1.lo32 == 0)
action ALLOW;
if ($a2.hi32 >= 0)
if ($a2.lo32 > 19)
else
action ALLOW;
else
action ALLOW;
on Ubuntu 16.04 (libseccomp 2.3.1), for example, this rule is:
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
...
# filter for syscall "setpriority" (141) [priority: 65529]
if ($syscall == 141)
if ($a0.hi32 == 0)
if ($a0.lo32 == 0)
if ($a1.hi32 == 0)
if ($a1.lo32 == 0)
if ($a2.hi32 >= 0)
if ($a2.lo32 > 19)
else action ALLOW;
else action ALLOW;
which is correctly ANDing the args (though we should be masking the high bits since a high negative number will be allowed; will fix in a PR). On Ubuntu 18.10 (libseccomp 2.3.3), it is the same as on Ubuntu 16.04:
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
...
# filter for syscall "setpriority" (141) [priority: 65529]
if ($syscall == 141)
if ($a0.hi32 == 0)
if ($a0.lo32 == 0)
if ($a1.hi32 == 0)
if ($a1.lo32 == 0)
if ($a2.hi32 >= 0)
if ($a2.lo32 > 19)
else action ALLOW;
else action ALLOW;
I looked at this a little more and the pfc (generate with 'SNAP_SECCOMP_ DEBUG=1 /usr/libexec/ snapd/snap- seccomp compile /var/lib/ snapd/seccomp/ bpf/snap. hello-world. sh.src /tmp/snap. hello-world. sh.bin > /tmp/snap. hello-world. sh.pfc) on Fedora (libseccomp 2.3.3) is simply wrong for our 'setpriority PRIO_PROCESS 0 <=19' rule (note, on amd64, sepriority is '141' as seen with scmp_sys_resolver) since it isn't ANDing the arguments:
# filter for arch x86 (1073741827)
if ($arch == 1073741827)
...
# filter for syscall "setpriority" (141) [priority: 65529]
if ($syscall == 141)
if ($a0.hi32 == 0)
if ($a0.lo32 == 0)
action ALLOW;
if ($a1.hi32 == 0)
if ($a1.lo32 == 0)
action ALLOW;
if ($a2.hi32 >= 0)
if ($a2.lo32 > 19)
else
action ALLOW;
else
action ALLOW;
Debian unstable (libseccomp 2.3.3) is also wrong:
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
...
# filter for syscall "setpriority" (141) [priority: 65529]
if ($syscall == 141)
if ($a0.hi32 == 0)
if ($a0.lo32 == 0)
action ALLOW;
if ($a1.hi32 == 0)
if ($a1.lo32 == 0)
action ALLOW;
if ($a2.hi32 >= 0)
if ($a2.lo32 > 19)
else
action ALLOW;
else
action ALLOW;
on Ubuntu 16.04 (libseccomp 2.3.1), for example, this rule is:
action ALLOW;
action ALLOW;
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
...
# filter for syscall "setpriority" (141) [priority: 65529]
if ($syscall == 141)
if ($a0.hi32 == 0)
if ($a0.lo32 == 0)
if ($a1.hi32 == 0)
if ($a1.lo32 == 0)
if ($a2.hi32 >= 0)
if ($a2.lo32 > 19)
else
else
which is correctly ANDing the args (though we should be masking the high bits since a high negative number will be allowed; will fix in a PR). On Ubuntu 18.10 (libseccomp 2.3.3), it is the same as on Ubuntu 16.04:
# filter for arch x86_64 (3221225534)
action ALLOW;
action ALLOW;
if ($arch == 3221225534)
...
# filter for syscall "setpriority" (141) [priority: 65529]
if ($syscall == 141)
if ($a0.hi32 == 0)
if ($a0.lo32 == 0)
if ($a1.hi32 == 0)
if ($a1.lo32 == 0)
if ($a2.hi32 >= 0)
if ($a2.lo32 > 19)
else
else