Public bug reported:

A requirement for snappy is that security sandbox violations against
policy are logged. In this manner learning tools can be written to parse
the logs, etc and make developing on snappy easier.

The current default seccomp action, in strict mode, is to kill the
snap's thread that violated the policy but this is unfriendly to the
developer and to the user. The desired action is to block the illegal
system call and return an error with errno set to EPERM. However,
seccomp does not emit log events when it takes that action. Seccomp
should be updated to emit log events when taking the SECCOMP_RET_ERRNO
action and then snappy can switch to using that action when blocking
illegal system calls.

[Impact]

Snapd needs a way to log SECCOMP_RET_ERRNO seccomp actions in order to
have a more friendly strict mode. Such functionality has been merged
upstream into 4.14-rc2.

No libseccomp changes are needed at this time since snap-confine loads
the BPF filter directly into the kernel without using libseccomp.
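The following is an added example, not code from this bug report, from snapd or from snap-confine. It shows what the requested behaviour looks like from the application side: a raw seccomp BPF filter (loaded with the seccomp(2) syscall rather than libseccomp, as snap-confine does) that answers one chosen system call with SECCOMP_RET_ERRNO carrying EPERM instead of killing the thread, and that asks the kernel to log those denials. The opt-in is the SECCOMP_FILTER_FLAG_LOG filter flag that the 4.14 patches introduced; the page does not name the flag, so its use here is stated from kernel knowledge rather than from the report. The denied syscall (getpgid) and the helper names are this example's own choices.

```c
/*
 * Added example (not from the bug report, snapd or snap-confine): install a
 * raw seccomp filter that fails one syscall with EPERM instead of killing the
 * thread, and request kernel logging of those denials via
 * SECCOMP_FILTER_FLAG_LOG (the 4.14 opt-in; not named on the page).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Older userspace headers predate the 4.14 logging flag; define it if missing. */
#ifndef SECCOMP_FILTER_FLAG_LOG
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
#endif
#ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER 1
#endif

/* The ABI check is mandatory: syscall numbers differ between architectures. */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Syscall this demo denies (constructed choice): getpgid(0) normally succeeds for any user. */
#define DEMO_BLOCKED_NR __NR_getpgid

/*
 * Install the filter. Returns 1 if the kernel accepted the LOG flag, 0 if the
 * filter was installed without logging (pre-4.14 kernel), -1 on error.
 */
int install_errno_filter(int blocked_nr)
{
    struct sock_filter filter[] = {
        /* Load the ABI and kill on mismatch; never compare foreign syscall numbers. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; the denied one fails with errno EPERM. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)blocked_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* Everything else is allowed. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Unprivileged filter installation requires no_new_privs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;

    /* Try with logging first; a pre-4.14 kernel rejects the flag with EINVAL. */
    if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog) == 0)
        return 1;
    if (errno == EINVAL &&
        syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) == 0)
        return 0;
    /* Kernels without seccomp(2) still accept the filter through prctl(2). */
    if (errno == ENOSYS &&
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0)
        return 0;
    return -1;
}

/* Issue the denied syscall directly; returns errno on failure, 0 if it went through. */
int probe_blocked_syscall(void)
{
    errno = 0;
    if (syscall(DEMO_BLOCKED_NR, 0) == -1)
        return errno;
    return 0;
}

/* Whole demo: returns 0 when the denied syscall failed with EPERM and the thread survived. */
int run_demo(void)
{
    int mode = install_errno_filter(DEMO_BLOCKED_NR);
    if (mode < 0) {
        perror("seccomp filter install");
        return -1;
    }
    int err = probe_blocked_syscall();
    printf("filter installed (%s); getpgid(0) -> errno %d (%s)\n",
           mode ? "with SECCOMP_FILTER_FLAG_LOG" : "logging flag unsupported",
           err, err ? strerror(err) : "no error");
    return err == EPERM ? 0 : -1;
}

int main(void)
{
    return run_demo() == 0 ? 0 : 1;
}
```

On a kernel with the patches, each denied call produces a SECCOMP audit record (type 1326, also visible in the kernel log when auditd is not running) whose `syscall=` field carries the syscall number and whose `code=` field carries the action; without the flag the same filter still returns EPERM but nothing is logged, which is the gap the report describes. The administrator-side knob mentioned under [Regression Potential] is the kernel.seccomp.actions_logged sysctl: removing `errno` from it silences these records system-wide even for filters that opted in.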

[Test Case]

Running the libseccomp "live" tests will exercise the kernel's seccomp
enforcement and help catch any regressions. Note that on Artful,
there's an existing test failure (20-live-basic_die%%002-00001):

$ sudo apt build-dep -y libseccomp
$ sudo apt install -y cython
$ apt source libseccomp
$ cd libseccomp-*
$ autoreconf -ivf && ./configure --enable-python && make check-build
$ (cd tests && ./regression -T live)

All tests should pass on zesty (12 tests) and xenial (10 tests). On artful,
you'll see one pre-existing failure:
...
Test 20-live-basic_die%%002-00001 result: FAILURE 20-live-basic_die TRAP rc=159
...
Regression Test Summary
 tests run: 12
 tests skipped: 0
 tests passed: 11
 tests failed: 1
 tests errored: 0
============================================================

[Regression Potential]

The kernel patches received a lot of review between Kees and some others
interested in improved seccomp logging. I authored the patches and feel
comfortable/confident with my backported versions. They do not change
the behavior of seccomp logging by default but offer ways for applications
to opt into more logging and, on the flipside, ways for the
administrator to quiet any additional logging.

** Affects: snappy
     Importance: Medium
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Tyler Hicks (tyhicks)
         Status: Fix Released

** Affects: linux (Ubuntu Xenial)
     Importance: Undecided
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress

** Affects: linux (Ubuntu Zesty)
     Importance: Undecided
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress

** Affects: linux (Ubuntu Artful)
     Importance: Undecided
     Assignee: Tyler Hicks (tyhicks)
         Status: Fix Released

** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: linux (Ubuntu Xenial)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: linux (Ubuntu Zesty)
       Status: New => In Progress

** Changed in: linux (Ubuntu Zesty)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: linux (Ubuntu Artful)
       Status: New => Fix Released

** Changed in: linux (Ubuntu Artful)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

https://bugs.launchpad.net/bugs/1721676

Title:
  implement errno action logging in seccomp for strict mode with snaps

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Zesty:
  In Progress
Status in linux source package in Artful:
  Fix Released

