When disabling AppArmor (boot option "apparmor=0"), seccomp-filter
works as expected. According to [0], commit 259e5e6c was integrated
in the Ubuntu kernel patch without its successor (commit c29bceb3).
However, they are dependent on each other:
* commit 259e5e6c:
Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
set and AppArmor is in use. It is fixed in a subsequent patch.
* commit c29bceb3:
Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS
Joseph: is it possible to officially add the subsequent patch (commit
c29bceb3) to the Ubuntu kernel patch?
[0] https://launchpad.net/ubuntu/+source/linux/3.8.0-19.29
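The symptom described above (execve failing once PR_SET_NO_NEW_PRIVS is set while AppArmor is enabled) can be checked on a given kernel with a small program. The following is an added example written for this page, not code from the bug report or from either kernel commit: it forks a child, sets the no_new_privs flag there, reads it back, and then execs a binary; the parent reports the child's exit code. The path `/bin/true`, the function name and the exit-code convention are this example's own choices.

```c
/* Added example (not from the bug report): reproduce the check the report
 * describes. A child sets PR_SET_NO_NEW_PRIVS and then calls execve on
 * /bin/true. On a kernel that carries commit 259e5e6c without c29bceb3 and
 * has AppArmor enabled, the execve fails; with c29bceb3 applied, or booted
 * with apparmor=0, the child runs /bin/true and exits 0.
 * The path, the function name and the exit codes are this example's choices. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>

/* Fallback values for old headers; these are the real prctl option numbers. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Child exit codes chosen for this example. */
enum {
    EXIT_PRCTL_FAILED  = 125, /* prctl refused PR_SET_NO_NEW_PRIVS          */
    EXIT_FLAG_NOT_SET  = 126, /* PR_GET_NO_NEW_PRIVS did not read back 1     */
    EXIT_EXECVE_FAILED = 127  /* execve returned: the regression in the bug  */
};

/* Runs the check in a forked child so the irreversible no_new_privs flag
 * never lands on the caller. Returns the child's exit status:
 *   0        execve succeeded under no_new_privs (kernel behaves correctly)
 *   127      execve failed under no_new_privs (the AppArmor interaction bug)
 *   125/126  prctl itself misbehaved
 *   -1       fork/wait failed or the child did not exit normally */
int check_execve_under_no_new_privs(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            _exit(EXIT_PRCTL_FAILED);
        if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)
            _exit(EXIT_FLAG_NOT_SET);
        char *const argv[] = { (char *)path, NULL };
        char *const envp[] = { NULL };
        execve(path, argv, envp);
        /* Only reached if execve failed; errno says why (EPERM is the symptom). */
        perror("execve");
        _exit(EXIT_EXECVE_FAILED);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = check_execve_under_no_new_privs("/bin/true");
    switch (rc) {
    case 0:
        puts("OK: execve succeeds with PR_SET_NO_NEW_PRIVS set");
        break;
    case EXIT_EXECVE_FAILED:
        puts("BUG: execve fails with PR_SET_NO_NEW_PRIVS set "
             "(259e5e6c without c29bceb3, AppArmor enabled?)");
        break;
    case EXIT_PRCTL_FAILED:
        puts("prctl(PR_SET_NO_NEW_PRIVS) is not supported by this kernel");
        break;
    default:
        printf("unexpected result %d\n", rc);
    }
    return rc == 0 ? 0 : 1;
}
```

Running it on an affected kernel prints the BUG line (execve returns EPERM); after booting with apparmor=0, or on a kernel with both commits, it prints OK. The flag is set only in the child, so the parent stays usable for repeated runs.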