Cannot authorise quotactl syscall for Q_GETQUOTA
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snappy | Fix Released | Medium | Jamie Strandboge |
snapd (Ubuntu) | Fix Released | Medium | Unassigned |
Trusty | Fix Released | Medium | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
Yakkety | Fix Released | Medium | Unassigned |

Bug Description
While debugging a snap I get this security error:
```
= Seccomp =
Time: Sep 22 03:54:47
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=12869 comm="transmiss
Syscall: quotactl
```
There is no workaround given, so I've added a security override, but it doesn't do anything.
```
transmission-
command: transmission-init start
stop-command: transmission-init stop
daemon: forking
plugs: [network, network-bind, quotactl]
...
plugs:
quotactl:
command: binary
security-
syscalls: [quotactl]
```
There doesn't seem to be a ready-made interface loaded at install time which would include that syscall, so I can't find a solution for that problem.
description: updated
Changed in snappy:
status: New → Triaged
importance: Undecided → Medium
Changed in snappy:
status: Triaged → In Progress
Changed in snapd (Ubuntu):
importance: Undecided → Medium
Changed in snapd (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in snapd (Ubuntu Trusty):
importance: Undecided → Medium
Changed in snapd (Ubuntu Xenial):
importance: Undecided → Medium
Changed in snapd (Ubuntu):
status: Triaged → Fix Released
Changed in snappy:
status: In Progress → Fix Released
Looking at the transmission source, it is using Q_GETQUOTA and Q_XGETQUOTA. As such, we can adjust mount-observe to use quotactl with Q_GET* seccomp argument filtering.
Setting quotas would be a separate, privileged interface since that would affect other snaps (since quotactl is user-specific, not snap-specific).
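The argument filtering described in the comment above, as an added example (not snapd's code and not part of the original report): quotactl's first argument packs the subcommand together with the quota type, so the check drops the type byte before comparing against the two read-only subcommands the comment names. The constants are copied from the Linux uapi headers, and `quotactl_arg0_allowed` is a hypothetical name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values copied from the Linux uapi headers <linux/quota.h> and <linux/dqblk_xfs.h>. */
#define SUBCMDSHIFT 8
#define SUBCMDMASK  0x00ffu
#define QCMD(cmd, type) ((uint32_t)(((cmd) << SUBCMDSHIFT) | ((type) & SUBCMDMASK)))
#define XQM_CMD(x)  ((uint32_t)(('X' << 8) + (x)))
#define USRQUOTA    0
#define GRPQUOTA    1
#define Q_GETQUOTA  0x800007u
#define Q_SETQUOTA  0x800008u
#define Q_XGETQUOTA XQM_CMD(3)
#define Q_XSETQLIM  XQM_CMD(4)

/* Read-only subcommands named in the comment (transmission uses both). */
static const uint32_t allowed_subcmds[] = { Q_GETQUOTA, Q_XGETQUOTA };

/*
 * Decision a seccomp argument filter on quotactl's first argument would encode
 * (hypothetical helper, assumption of this example). arg0 carries the subcommand
 * in the upper 24 bits and the quota type in the low byte, so the type byte is
 * shifted out before comparing. Returns 1 to allow, 0 to deny.
 */
int quotactl_arg0_allowed(uint32_t arg0)
{
    uint32_t subcmd = arg0 >> SUBCMDSHIFT;
    for (size_t i = 0; i < sizeof(allowed_subcmds) / sizeof(allowed_subcmds[0]); i++)
        if (subcmd == allowed_subcmds[i])
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample arguments: quota reads versus quota changes. */
    struct { const char *name; uint32_t arg0; } calls[] = {
        { "QCMD(Q_GETQUOTA, USRQUOTA)",  QCMD(Q_GETQUOTA, USRQUOTA) },
        { "QCMD(Q_GETQUOTA, GRPQUOTA)",  QCMD(Q_GETQUOTA, GRPQUOTA) },
        { "QCMD(Q_XGETQUOTA, USRQUOTA)", QCMD(Q_XGETQUOTA, USRQUOTA) },
        { "QCMD(Q_SETQUOTA, USRQUOTA)",  QCMD(Q_SETQUOTA, USRQUOTA) },
        { "QCMD(Q_XSETQLIM, GRPQUOTA)",  QCMD(Q_XSETQLIM, GRPQUOTA) },
    };
    for (size_t i = 0; i < sizeof(calls) / sizeof(calls[0]); i++)
        printf("%-28s arg0=0x%08x -> %s\n", calls[i].name, (unsigned)calls[i].arg0,
               quotactl_arg0_allowed(calls[i].arg0) ? "allow" : "deny");
    return 0;
}
```

An exact-match rule on the bare `Q_GETQUOTA` value would not match a real call, because the caller passes `QCMD(Q_GETQUOTA, type)` rather than the subcommand alone.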