[Bug 1567597] Re: [FFe] implement 'complain mode' in seccomp for developer mode with snaps

2017-10-04 Thread Tyler Hicks
** Description changed:

  A requirement for snappy is that a snap may be placed in developer mode
  which will put the security sandbox in complain mode such that
  violations against policy are logged, but permitted. In this manner
  learning tools can be written to parse the logs, etc and make developing
  on snappy easier.
  
  Unfortunately with seccomp only SCMP_ACT_KILL logs to dmesg and while we
  can set complain mode to permit all calls, they are not logged at this
  time. I've discussed this with upstream and we are working together on
  the approach. This may require a kernel patch and an update to
  libseccomp, so filing this bug for now as a placeholder and we'll add
  other tasks as necessary.
  
  UPDATE: ubuntu-core-launcher now supports the '@complain' directive that
  is a synonym for '@unrestricted' so people can at least turn on
  developer mode and not be blocked by seccomp. Proper complain mode for
  seccomp needs to still be implemented (this bug).
  
  [Impact]
  
  Snapd needs a way to log seccomp actions without blocking any syscalls
  in order to have a more useful complain mode. Such functionality has
  been acked upstream and patches are on their way into the Linux 4.14
  kernel (backported to 4.12.0-13.14 in artful).
  
  The corresponding libseccomp changes are still undergoing review
  (https://github.com/seccomp/libseccomp/pull/92). The pull request adds a
  number of new symbols and probably isn't appropriate to backport until
  upstream has acked the pull request. However, only a small part of that
  larger pull request is needed by snapd and that change can be safely
  backported since the only added symbol, the SCMP_ACT_LOG macro, must
  match the SECCOMP_RET_LOG macro that has already been approved and
  merged in the upstream Linux kernel.
  
  [Test Case]
  
  A large number of tests are run as part of the libseccomp build.
  However, the "live" tests which test libseccomp with actual kernel
  enforcement are not run at that time. They can be manually exercised to
  help catch any regressions. Note that on Artful, there's an existing
  test failure (20-live-basic_die%%002-1):
  
  $ sudo apt build-dep -y libseccomp
  $ sudo apt install -y cython
  $ apt source libseccomp
+ $ cd libseccomp-*
  $ autoreconf -ivf && ./configure --enable-python && make check-build
  $ (cd tests && ./regression -T live)
  ...
  Test 20-live-basic_die%%002-1 result:   FAILURE 20-live-basic_die TRAP rc=159
  ...
  Regression Test Summary
   tests run: 12
   tests skipped: 0
   tests passed: 11
   tests failed: 1
   tests errored: 0
  
  
  Now we can build and run a small test program to test the SCMP_ACT_LOG
  action in the way that snapd wants to use it for developer mode:
  
  $ sudo apt install -y libseccomp-dev
  $ gcc -o lp1567597-test lp1567597-test.c -lseccomp
  $ ./lp1567597-test
  
  The exit code should be 0 and you should have an entry in the system log
  that looks like this:
  
  audit: type=1326 audit(1505859630.994:69): auid=1000 uid=1000 gid=1000
  ses=2 pid=18451 comm="lp1567597-test" exe="/home/tyhicks/lp1567597-test"
  sig=0 arch=c03e syscall=2 compat=0 ip=0x7f547352c5c0 code=0x7ffc
  
  [Regression Potential]
  
  Relatively small since the core logic is in the kernel and we're only
  exposing the new action through libseccomp. The changes include smarts
  to query the kernel to see if the action is available in the kernel.
  Calling applications will not be able to use the action on older kernels
  that don't support it.

** Summary changed:

- [FFe] implement 'complain mode' in seccomp for developer mode with snaps
+ implement 'complain mode' in seccomp for developer mode with snaps

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: libseccomp (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: libseccomp (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: libseccomp (Ubuntu Xenial)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: libseccomp (Ubuntu Zesty)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: libseccomp (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: libseccomp (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: linux (Ubuntu Xenial)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: linux (Ubuntu Zesty)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: linux (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: linux (Ubuntu Zesty)
   Status: New => In Progress

** Description changed:

  A requirement for snappy is that a snap may be placed in developer mode
  which will put the security sandbox in complain mode such that
  violations against policy are logged, but permitted. 
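
The description mentions learning tools that parse the logs, and the test case shows the audit record that the log action produces. The following Python code is an added example, not part of the bug report, snapd or libseccomp, that decodes such records and reports which syscalls were logged but permitted. The function names, the x86_64 syscall table excerpt and the second log record are assumptions made for the example.

```python
import re
from collections import defaultdict

SECCOMP_RET_ACTION = 0xFFFF0000          # action mask, linux/seccomp.h
ACTIONS = {0x00000000: "KILL", 0x00030000: "TRAP", 0x00050000: "ERRNO",
           0x7FF00000: "TRACE", 0x7FFC0000: "LOG", 0x7FFF0000: "ALLOW"}
# Assumption: records come from x86_64; this is an excerpt of that syscall table.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 41: "socket", 257: "openat"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First record is the one quoted in the bug description; the second is
# constructed here to show an enforced (killed) violation for contrast.
SAMPLE_LOG = [
    'audit: type=1326 audit(1505859630.994:69): auid=1000 uid=1000 gid=1000 '
    'ses=2 pid=18451 comm="lp1567597-test" exe="/home/tyhicks/lp1567597-test" '
    'sig=0 arch=c03e syscall=2 compat=0 ip=0x7f547352c5c0 code=0x7ffc',
    'audit: type=1326 audit(1505859700.100:70): auid=1000 uid=1000 gid=1000 '
    'ses=2 pid=18460 comm="strict-app" exe="/usr/bin/strict-app" '
    'sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f0000001000 code=0x0',
]

def parse_seccomp_record(line):
    """Decode one type=1326 (AUDIT_SECCOMP) record; None for other lines."""
    if "type=1326" not in line:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    code = int(f["code"], 16)
    # Assumption: a nonzero value below 0x10000 (as quoted in the description)
    # is the upper 16 bits of the action, so 0x7ffc means 0x7ffc0000.
    if 0 < code < 0x10000:
        code <<= 16
    nr = int(f["syscall"])
    return {"comm": f["comm"], "pid": int(f["pid"]), "signal": int(f["sig"]),
            "syscall": X86_64_SYSCALLS.get(nr, str(nr)),
            "action": ACTIONS.get(code & SECCOMP_RET_ACTION, "UNKNOWN")}

def complain_mode_report(lines):
    """Map each command to the syscalls that were logged but permitted."""
    report = defaultdict(set)
    for rec in filter(None, map(parse_seccomp_record, lines)):
        if rec["action"] == "LOG":
            report[rec["comm"]].add(rec["syscall"])
    return {comm: sorted(calls) for comm, calls in report.items()}
```
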

[Bug 1567597] Re: [FFe] implement 'complain mode' in seccomp for developer mode with snaps

2017-09-22 Thread Launchpad Bug Tracker
This bug was fixed in the package libseccomp - 2.3.1-2.1ubuntu2

---
libseccomp (2.3.1-2.1ubuntu2) artful; urgency=medium

  * add-log-action.patch: Minimal backport to support the SECCOMP_RET_LOG
    action that will be released in Linux kernel version 4.14. (LP: #1567597)

 -- Tyler Hicks   Tue, 19 Sep 2017 21:37:38 +

** Changed in: libseccomp (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1567597

Title:
  [FFe] implement 'complain mode' in seccomp for developer mode with
  snaps

To manage notifications about this bug go to:
https://bugs.launchpad.net/snappy/+bug/1567597/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1567597] Re: [FFe] implement 'complain mode' in seccomp for developer mode with snaps

2017-09-21 Thread Tyler Hicks
Thanks! I've uploaded the libseccomp package to artful-proposed.

** Changed in: libseccomp (Ubuntu)
   Status: Triaged => Fix Committed

[Bug 1567597] Re: [FFe] implement 'complain mode' in seccomp for developer mode with snaps

2017-09-21 Thread Stéphane Graber
Looks good to me. Delta on libseccomp is small and self-contained and
aligns with what has been included in the upstream kernel.

FFe granted

** Changed in: libseccomp (Ubuntu)
   Status: New => Triaged

[Bug 1567597] Re: [FFe] implement 'complain mode' in seccomp for developer mode with snaps

2017-09-20 Thread Tyler Hicks
I had previously attached a slightly old version of the lp1567597-test.c
program that contained a mistake. I'm now attaching the corrected
version after fetching it from my testing VM.

** Attachment removed: "lp1567597-test.c"
   https://bugs.launchpad.net/snappy/+bug/1567597/+attachment/4953120/+files/lp1567597-test.c

** Attachment added: "lp1567597-test.c"
   https://bugs.launchpad.net/snappy/+bug/1567597/+attachment/4954002/+files/lp1567597-test.c

[Bug 1567597] Re: [FFe] implement 'complain mode' in seccomp for developer mode with snaps

2017-09-20 Thread Tyler Hicks
** Changed in: libseccomp (Ubuntu)
   Status: In Progress => New

[Bug 1567597] Re: [FFe] implement 'complain mode' in seccomp for developer mode with snaps

2017-09-19 Thread Tyler Hicks
Debdiff to consider for Artful FFe. (I don't need sponsorship)

** Patch added: "libseccomp_2.3.1-2.1ubuntu2.debdiff"
   https://bugs.launchpad.net/snappy/+bug/1567597/+attachment/4953121/+files/libseccomp_2.3.1-2.1ubuntu2.debdiff

[Bug 1567597] Re: [FFe] implement 'complain mode' in seccomp for developer mode with snaps

2017-09-19 Thread Tyler Hicks
Clean Artful amd64 build log.

** Attachment added: "libseccomp_2.3.1-2.1ubuntu2_amd64.build"
   https://bugs.launchpad.net/snappy/+bug/1567597/+attachment/4953122/+files/libseccomp_2.3.1-2.1ubuntu2_amd64.build

** Changed in: libseccomp (Ubuntu)
   Status: Confirmed => In Progress

** Changed in: snappy
   Status: In Progress => Confirmed
