[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

Fri, 06 Oct 2017 11:31:46 -0700 

** Changed in: linux (Ubuntu Xenial)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1721676

Title:
  implement errno action logging in seccomp for strict mode with snaps

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Zesty:
  Fix Committed
Status in linux source package in Artful:
  Fix Released

Bug description:
  A requirement for snappy is that security sandbox violations against
  policy are logged. In this manner learning tools can be written to
  parse the logs, etc and make developing on snappy easier.

  The current default seccomp action, in strict mode. is to kill the
  snap's thread that violated the policy but this is unfriendly to the
  developer and to the user. The desired action is to block the illegal
  system call and return an error with errno set to EPERM. However,
  seccomp does not emit log events when it takes that action. Seccomp
  should be updated to emit log events when taking the SECCOMP_RET_ERRNO
  action and then snappy can switch to the using that action when
  blocking illegal system calls.

  [Impact]

  Snapd needs a way to log SECCOMP_RET_ERRNO seccomp actions in order to
  have a more friendly strict mode. Such functionality has been merged
  upstream into 4.14-rc2.

  No libseccomp changes are needed at this time since snap-confine loads
  the BPF filter directly into the kernel without using libseccomp.

  [Test Case]

  Running the libseccomp "live" tests will exercise the kernel's seccomp
  enforcement and help to help catch any regressions. Note that on
  Artful, there's an existing test failure (20-live-
  basic_die%%002-00001):

  $ sudo apt build-dep -y libseccomp
  $ sudo apt install -y cython
  $ apt source libseccomp
  $ cd libseccomp-*
  $ autoreconf -ivf && ./configure --enable-python && make check-build
  $ (cd tests && ./regression -T live)

  All tests should pass on zesty (12 tests) and xenial (10 tests). On artful, 
you'll see one pre-existing failure:
  ...
  Test 20-live-basic_die%%002-00001 result: FAILURE 20-live-basic_die TRAP 
rc=159
  ...
  Regression Test Summary
   tests run: 12
   tests skipped: 0
   tests passed: 11
   tests failed: 1
   tests errored: 0
  ============================================================

  ----------------------------

  Running the seccomp kernel selftests is also a great to exercise
  seccomp and the kernel patch set proposed for the SRU includes
  additional seccomp selftests. To build, enter into the root of the
  kernel source tree and build the seccomp test binary:

  $ make -C tools/testing/selftests TARGETS=seccomp

  Now you can execute tools/testing/selftests/seccomp/seccomp_bpf or
  even copy it to a test machine and run it there. On Xenial, 54/54
  tests should pass and 58/58 should pass on Zesty.

  ----------------------------

  Now we can run a single test to verify that SECCOMP_RET_ERRNO is
  logged when the application opts into it. First, verify that "errno"
  is listed in the actions_logged sysctl:

  $ cat /proc/sys/kernel/seccomp/actions_logged
  kill trap errno trace log

  Now, build and run the test program:

  $ gcc -o lp1721676-kernel-test lp1721676-kernel-test.c
  $ ./lp1721676-kernel-test
  SUCCESS: getpid() failed as expected: Operation not permitted

  It should have generated a message like this in /var/log/syslog:

  kernel: [79338.804966] audit: type=1326 audit(1507259221.875:27):
  auid=1000 uid=1000 gid=1000 ses=5 pid=3091 comm="lp1721676-kerne"
  exe="/home/tyhicks/lp1721676-kernel-test" sig=0 arch=c000003e
  syscall=39 compat=0 ip=0x7fb91829c499 code=0x50000

  Disable errno logging in the sysctl:

  $ echo kill trap trace log | sudo tee /proc/sys/kernel/seccomp/actions_logged
  kill trap trace log

  Rerun the test program and ensure that nothing was logged this time.

  [Regression Potential]

  The kernel patches received a lot of review between Kees and some
  others interested in improved seccomp logging. I authored the patches
  and feel comfortable/confident with my backported versions. They do
  not change the behavior of seccomp logging by default but offer ways
  applications to opt into more logging and, on the flipside, ways for
  the administrator to quite any additional logging.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1721676/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to