Outdated docs on "Ubuntu security tips" for seccomp

Bug #1874156 reported by Jose Alvarado
Affects   Status        Importance   Assigned to       Milestone
Snappy    Fix Released  Low          Graham Morrison

Bug Description

The Ubuntu security tips doc has outdated information:

"The same process as above holds for seccomp except the seccomp policy is in /var/lib/snapd/seccomp/profiles/snap.<name>.<command> and there is no command to load the policy (you simply have to relaunch the command or snap run --shell). The seccomp policy language is considerably simpler and is essentially a list of allowed syscalls."

As covered in https://github.com/snapcore/snapd/wiki/snap-confine-Overview, seccomp profiles are now located in /var/lib/snapd/seccomp/bpf/.

Furthermore, it's wrong to say that the seccomp profile doesn't need to be explicitly loaded. The profile source (the *.src file in the profile directory) needs to be recompiled into the profile binary (*.bin in the profile directory) as detailed in this Snapcraft forum post: https://forum.snapcraft.io/t/seccomp-profile-not-compiling/16792.
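The workflow the description implies (find the profile under /var/lib/snapd/seccomp/bpf/, add a syscall to the .src, notice that the .bin is now stale, recompile, relaunch) as an added shell example. It is not code from the bug report, from the forum posts it links, or from snapd itself. The directory layout, the snap.<name>.<command>.src/.bin naming, and the `compile` subcommand of /usr/lib/snapd/snap-seccomp are my assumptions about current snapd; the SECCOMP_DIR and SNAP_SECCOMP overrides exist only so the script can be exercised against a scratch directory, and any profile content written that way is constructed.

```shell
#!/bin/sh
# Added example, not snapd's own tooling. Assumes:
#   - profile source and binary live in /var/lib/snapd/seccomp/bpf/
#     as snap.<snap>.<app>.src and snap.<snap>.<app>.bin
#   - /usr/lib/snapd/snap-seccomp has a "compile <src> <bin>" subcommand
# Both locations can be overridden (e.g. for a scratch directory).
SECCOMP_DIR="${SECCOMP_DIR:-/var/lib/snapd/seccomp/bpf}"
SNAP_SECCOMP="${SNAP_SECCOMP:-/usr/lib/snapd/snap-seccomp}"

# Path of the human-readable profile source for <snap> <app>.
seccomp_src() { printf '%s/snap.%s.%s.src\n' "$SECCOMP_DIR" "$1" "$2"; }

# Path of the compiled BPF profile that snap-confine actually loads.
seccomp_bin() { printf '%s/snap.%s.%s.bin\n' "$SECCOMP_DIR" "$1" "$2"; }

# Allow one more syscall in the source: the .src is essentially one
# syscall (optionally with argument filters) per line, '#' for comments.
# Idempotent: a line already present exactly is not duplicated.
allow_syscall() {
  src=$1; call=$2
  if grep -qx "$call" "$src"; then
    return 0
  fi
  printf '%s\n' "$call" >> "$src"
}

# Editing the .src changes nothing until the .bin is rebuilt: report
# "stale" when the binary is missing or older than the source.
profile_is_stale() {
  src=$1; bin=$2
  [ ! -e "$bin" ] || [ "$src" -nt "$bin" ]
}

# Rebuild the binary from the source. On a real system this needs root
# because the bpf directory is owned by root. Returns 2 when the
# compiler is not where we assumed it to be.
recompile_profile() {
  src=$1; bin=$2
  if [ ! -x "$SNAP_SECCOMP" ]; then
    echo "snap-seccomp not found at $SNAP_SECCOMP" >&2
    return 2
  fi
  "$SNAP_SECCOMP" compile "$src" "$bin"
}

# Typical use, e.g. to let the "world" app of snap "hello" call openat:
#   src=$(seccomp_src hello world); bin=$(seccomp_bin hello world)
#   sudo sh -c "$(declare -f allow_syscall); allow_syscall $src openat"
#   profile_is_stale "$src" "$bin" && sudo "$SNAP_SECCOMP" compile "$src" "$bin"
#   snap run hello.world      # the new policy is picked up at launch
```

Nothing here loads a policy into a running process: as the quoted doc correctly says, the profile is applied when the app starts, so after `recompile_profile` succeeds the app (or a `snap run --shell` session) has to be started again. The `profile_is_stale` check is the quick way to tell whether a forgotten recompile is why an edited .src seems to have no effect.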

Tags: snap-docs
Changed in snappy:
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This should be covered by the new https://forum.snapcraft.io/t/debugging-snaps/18420 doc and the revamped https://forum.snapcraft.io/t/security-policy-and-sandboxing/554 which refers to it. Thanks Graham!

Changed in snappy:
assignee: Jamie Strandboge (jdstrand) → Graham Morrison (morrisong)
status: Confirmed → Fix Released