Comment 5 for bug 1825052

Jamie Strandboge (jdstrand) wrote : Re: seccomp argument filtering not working on Fedora with 2.38 and Debian with 2.37.4

Ok, as it happens, upstream golang-seccomp 0.9.0 has a bug where it will incorrectly OR. The following commit is in upstream master but not a new release of golang-seccomp:

https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e

In the upstream library, when added with a single API call,
multiple syscall argument rules should be matched with AND
logic - if all of them match, the rule matches.

At present, the Golang bindings apply OR logic to this case.
This commit resolves this and reverts to the behavior of the
main library.

Signed-off-by: Matthew Heon <email address hidden>

Ubuntu uses a git snapshot: https://github.com/mvo5/libseccomp-golang/commits/master which has this fix. Any distro that doesn't use snapd's vendored golang-seccomp is not correctly mediating arg filtered rules, which explains why Ubuntu has proper ANDing while Debian and Fedora do not.
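To make the practical impact of the AND-vs-OR difference concrete, here is an added example that is not part of the bug report, the commit, or libseccomp-golang itself: a small Go model of seccomp argument conditions with two evaluators, one using the AND semantics of the main libseccomp library and one using the OR behaviour described above. The `CmpOp`, `ArgCond`, `RuleMatchesAND`, `RuleMatchesOR` and `OverPermissive` names are this example's own, not the bindings' API; the `AF_UNIX`, `AF_INET` and `SOCK_STREAM` values are the real Linux constants. A rule intended to allow `socket()` only for `(AF_UNIX, SOCK_STREAM)` is shown also admitting `(AF_INET, SOCK_STREAM)` under OR logic, which is the over-permissive mediation the comment describes.

```go
package main

import "fmt"

// Constructed model of seccomp argument conditions, used only to show why the
// AND-vs-OR bug matters. Not libseccomp-golang's own types or API.

// CmpOp is the comparison applied to one argument (modelled after the kinds of
// operators libseccomp offers; the names are this example's own).
type CmpOp int

const (
	CmpEQ CmpOp = iota
	CmpNE
	CmpLT
	CmpLE
	CmpGT
	CmpGE
	CmpMaskedEQ // (arg & Mask) == Value
)

// ArgCond is a single condition on one of the six syscall arguments.
type ArgCond struct {
	Index int // which argument (0..5)
	Op    CmpOp
	Value uint64
	Mask  uint64 // only used by CmpMaskedEQ
}

// Matches evaluates this one condition against the syscall's arguments.
func (c ArgCond) Matches(args [6]uint64) bool {
	a := args[c.Index]
	switch c.Op {
	case CmpEQ:
		return a == c.Value
	case CmpNE:
		return a != c.Value
	case CmpLT:
		return a < c.Value
	case CmpLE:
		return a <= c.Value
	case CmpGT:
		return a > c.Value
	case CmpGE:
		return a >= c.Value
	case CmpMaskedEQ:
		return a&c.Mask == c.Value
	}
	return false
}

// RuleMatchesAND is the main libseccomp semantics (and that of the fixed Go
// bindings): every condition added in one call must hold for the rule to match.
func RuleMatchesAND(conds []ArgCond, args [6]uint64) bool {
	for _, c := range conds {
		if !c.Matches(args) {
			return false
		}
	}
	return true
}

// RuleMatchesOR is the golang-seccomp 0.9.0 behaviour described in the bug:
// any single matching condition makes the whole rule match.
func RuleMatchesOR(conds []ArgCond, args [6]uint64) bool {
	if len(conds) == 0 {
		return true // an unconditional rule matches every call
	}
	for _, c := range conds {
		if c.Matches(args) {
			return true
		}
	}
	return false
}

// OverPermissive reports whether an allow rule with these conditions admits
// the call under the buggy OR logic but not under the intended AND logic.
func OverPermissive(conds []ArgCond, args [6]uint64) bool {
	return RuleMatchesOR(conds, args) && !RuleMatchesAND(conds, args)
}

// Real Linux constants used by the demo.
const (
	AF_UNIX     = 1
	AF_INET     = 2
	SOCK_STREAM = 1
)

// UnixStreamOnly is an allow rule meaning "socket() only with
// (AF_UNIX, SOCK_STREAM)": two argument conditions added in one API call.
var UnixStreamOnly = []ArgCond{
	{Index: 0, Op: CmpEQ, Value: AF_UNIX},
	{Index: 1, Op: CmpEQ, Value: SOCK_STREAM},
}

func main() {
	calls := []struct {
		name string
		args [6]uint64
	}{
		{"socket(AF_UNIX, SOCK_STREAM)", [6]uint64{AF_UNIX, SOCK_STREAM}},
		{"socket(AF_INET, SOCK_STREAM)", [6]uint64{AF_INET, SOCK_STREAM}},
	}
	for _, c := range calls {
		fmt.Printf("%-30s AND=%-5v OR=%-5v over-permissive=%v\n", c.name,
			RuleMatchesAND(UnixStreamOnly, c.args),
			RuleMatchesOR(UnixStreamOnly, c.args),
			OverPermissive(UnixStreamOnly, c.args))
	}
}
```

Running it prints one line per call; the `AF_INET` call is the one where the two evaluators disagree, which is exactly the case a distro building against an unfixed golang-seccomp 0.9.0 would get wrong.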