[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2019-10-29 Thread Zygmunt Krynicki
This has been fixed and is available in snapd for multiple releases now.
I'm marking it as fix released.

** Changed in: snappy
   Status: In Progress => Fix Released

** Project changed: snappy => snapd

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1721676

Title:
  implement errno action logging in seccomp for strict mode with snaps

Status in snapd:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Zesty:
  Fix Released
Status in linux source package in Artful:
  Fix Released

Bug description:
  A requirement for snappy is that security sandbox violations against
  policy are logged. In this manner learning tools can be written to
  parse the logs, etc and make developing on snappy easier.

  The current default seccomp action, in strict mode, is to kill the
  snap's thread that violated the policy but this is unfriendly to the
  developer and to the user. The desired action is to block the illegal
  system call and return an error with errno set to EPERM. However,
  seccomp does not emit log events when it takes that action. Seccomp
  should be updated to emit log events when taking the SECCOMP_RET_ERRNO
  action and then snappy can switch to using that action when
  blocking illegal system calls.

  [Impact]

  Snapd needs a way to log SECCOMP_RET_ERRNO seccomp actions in order to
  have a more friendly strict mode. Such functionality has been merged
  upstream into 4.14-rc2.

  No libseccomp changes are needed at this time since snap-confine loads
  the BPF filter directly into the kernel without using libseccomp.

  [Test Case]

  Running the libseccomp "live" tests will exercise the kernel's seccomp
  enforcement and help to catch any regressions. Note that on
  Artful, there's an existing test failure
  (20-live-basic_die%%002-1):

  $ sudo apt build-dep -y libseccomp
  $ sudo apt install -y cython
  $ apt source libseccomp
  $ cd libseccomp-*
  $ autoreconf -ivf && ./configure --enable-python && make check-build
  $ (cd tests && ./regression -T live)

  All tests should pass on zesty (12 tests) and xenial (10 tests). On
  artful, you'll see one pre-existing failure:
  ...
  Test 20-live-basic_die%%002-1 result: FAILURE 20-live-basic_die TRAP rc=159
  ...
  Regression Test Summary
   tests run: 12
   tests skipped: 0
   tests passed: 11
   tests failed: 1
   tests errored: 0
  

  

  Running the seccomp kernel selftests is also a great way to exercise
  seccomp and the kernel patch set proposed for the SRU includes
  additional seccomp selftests. To build, enter into the root of the
  kernel source tree and build the seccomp test binary:

  $ make -C tools/testing/selftests TARGETS=seccomp

  Now you can execute tools/testing/selftests/seccomp/seccomp_bpf or
  even copy it to a test machine and run it there. On Xenial, 54/54
  tests should pass and 58/58 should pass on Zesty.

  

  Now we can run a single test to verify that SECCOMP_RET_ERRNO is
  logged when the application opts into it. First, verify that "errno"
  is listed in the actions_logged sysctl:

  $ cat /proc/sys/kernel/seccomp/actions_logged
  kill trap errno trace log

  Now, build and run the test program:

  $ gcc -o lp1721676-kernel-test lp1721676-kernel-test.c
  $ ./lp1721676-kernel-test
  SUCCESS: getpid() failed as expected: Operation not permitted

  It should have generated a message like this in /var/log/syslog:

  kernel: [79338.804966] audit: type=1326 audit(1507259221.875:27):
  auid=1000 uid=1000 gid=1000 ses=5 pid=3091 comm="lp1721676-kerne"
  exe="/home/tyhicks/lp1721676-kernel-test" sig=0 arch=c03e
  syscall=39 compat=0 ip=0x7fb91829c499 code=0x5

  Disable errno logging in the sysctl:

  $ echo kill trap trace log | sudo tee /proc/sys/kernel/seccomp/actions_logged
  kill trap trace log

  Rerun the test program and ensure that nothing was logged this time.

  [Regression Potential]

  The kernel patches received a lot of review between Kees and some
  others interested in improved seccomp logging. I authored the patches
  and feel comfortable/confident with my backported versions. They do
  not change the behavior of seccomp logging by default but offer ways
  for applications to opt into more logging and, on the flipside, ways for
  the administrator to quiet any additional logging.

To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1721676/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
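
The opt-in check from the [Test Case] section above, written out as an added example: it is not the lp1721676-kernel-test.c referenced in the bug, whose source is not on this page. It assumes the opt-in is the SECCOMP_FILTER_FLAG_LOG filter flag (the changelog's "Filter flag to log all actions except SECCOMP_RET_ALLOW"); all function names are hypothetical.

```c
/* Added example: block getpid() with EPERM under a filter that opts into logging. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef SECCOMP_FILTER_FLAG_LOG
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1) /* value from upstream linux/seccomp.h */
#endif
#if defined(__x86_64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define FILTER_LEN 7
enum { CHECK_BLOCKED = 0, CHECK_NOT_BLOCKED = 1, CHECK_UNAVAILABLE = 2 };

/* Foreign arch: kill. getpid: fail with EPERM. Everything else: allow. */
size_t build_getpid_errno_filter(struct sock_filter out[FILTER_LEN])
{
    const struct sock_filter insns[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, insns, sizeof(insns));
    return FILTER_LEN;
}

/* 1 if "errno" is in the actions_logged sysctl, 0 if not, -1 if unreadable. */
int errno_logging_enabled(void)
{
    char buf[256], *tok;
    FILE *f = fopen("/proc/sys/kernel/seccomp/actions_logged", "r");
    char *line = f ? fgets(buf, sizeof(buf), f) : NULL;

    if (f)
        fclose(f);
    if (!line)
        return -1;
    for (tok = strtok(buf, " \n"); tok; tok = strtok(NULL, " \n"))
        if (strcmp(tok, "errno") == 0)
            return 1;
    return 0;
}

/* Run the filtered getpid() in a child so the caller itself stays unfiltered. */
int check_getpid_blocked(void)
{
    struct sock_filter insns[FILTER_LEN];
    struct sock_fprog prog = {
        .len = (unsigned short)build_getpid_errno_filter(insns), .filter = insns };
    pid_t child = fork();
    int status;

    if (child < 0)
        return CHECK_UNAVAILABLE;
    if (child == 0) {
        /* NO_NEW_PRIVS permits an unprivileged install; FLAG_LOG is the opt-in. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
                    SECCOMP_FILTER_FLAG_LOG, &prog) != 0)
            _exit(CHECK_UNAVAILABLE);
        errno = 0;
        if (syscall(__NR_getpid) == -1 && errno == EPERM)
            _exit(CHECK_BLOCKED);
        _exit(CHECK_NOT_BLOCKED);
    }
    if (waitpid(child, &status, 0) != child || !WIFEXITED(status))
        return CHECK_UNAVAILABLE; /* child never reached _exit(): no verdict */
    return WEXITSTATUS(status);
}

int main(void)
{
    int logged = errno_logging_enabled();
    int result = check_getpid_blocked();

    printf("errno in actions_logged: %d, check result: %d\n", logged, result);
    if (result == CHECK_BLOCKED && logged == 1)
        puts("getpid() got EPERM; look for an audit type=1326 record");
    return result;
}
```

The system call is blocked whether or not "errno" is listed in actions_logged; the sysctl only controls whether the audit record is emitted.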


[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-12-15 Thread Tyler Hicks
The snapd pull request is located here:
https://github.com/snapcore/snapd/pull/3998/

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Zesty:
  Fix Released
Status in linux source package in Artful:
  Fix Released



[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-30 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-98.121

---
linux (4.4.0-98.121) xenial; urgency=low

  * linux: 4.4.0-98.121 -proposed tracker (LP: #1722299)

  * Controller lockup detected on ProLiant DL380 Gen9 with P440 Controller
(LP: #1720359)
- scsi: hpsa: limit transfer length to 1MB

  * [Dell Docking IE][0bda:8153] Realtek USB Ethernet leads to system hang
(LP: #1720977)
- r8152: fix the list rx_done may be used without initialization

  * Add installer support for Broadcom BCM573xx network drivers. (LP: #1720466)
- d-i: Add bnxt_en to nic-modules.

  * snapcraft.yaml: add dpkg-dev to the build deps (LP: #1718886)
- snapcraft.yaml: add dpkg-dev to the build deps

  * Support setting I2C_TIMEOUT via ioctl for i2c-designware (LP: #1718578)
- i2c: designware: Use transfer timeout from ioctl I2C_TIMEOUT

  * 5U84 - ses driver isn't binding right - cannot blink lights on 1 of the 2
5u84 (LP: #1693369)
- scsi_transport_sas: add function to get SAS endpoint address
- ses: fix discovery of SATA devices in SAS enclosures
- scsi: sas: provide stub implementation for scsi_is_sas_rphy
- scsi: ses: Fix SAS device detection in enclosure

  * multipath -ll is not showing the disks which are actually multipath
(LP: #1718397)
- fs: aio: fix the increment of aio-nr and counting against aio-max-nr

  * Support Dell Wireless DW5819/5818 WWAN devices (LP: #1721455)
- SAUCE: USB: serial: qcserial: add Dell DW5818, DW5819

  * CVE-2017-10911
- xen-blkback: don't leak stack data via response ring

  * implement 'complain mode' in seccomp for developer mode with snaps
(LP: #1567597)
- seccomp: Provide matching filter for introspection
- seccomp: Sysctl to display available actions
- seccomp: Operation for checking if an action is available
- seccomp: Sysctl to configure actions that are allowed to be logged
- seccomp: Selftest for detection of filter flag support
- seccomp: Action to log before allowing

  * implement errno action logging in seccomp for strict mode with snaps
(LP: #1721676)
- seccomp: Provide matching filter for introspection
- seccomp: Sysctl to display available actions
- seccomp: Operation for checking if an action is available
- seccomp: Sysctl to configure actions that are allowed to be logged
- seccomp: Selftest for detection of filter flag support
- seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW

  * [Xenial] update OpenNSL kernel modules to 6.5.10 (LP: #1721511)
- SAUCE: update OpenNSL kernel modules to 6.5.10

  * Xenial update to 4.4.90 stable release (LP: #1721550)
- cifs: release auth_key.response for reconnect.
- mac80211: flush hw_roc_start work before cancelling the ROC
- KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()
- tracing: Fix trace_pipe behavior for instance traces
- tracing: Erase irqsoff trace with empty write
- md/raid5: fix a race condition in stripe batch
- md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse
  nlmsg properly
- crypto: talitos - Don't provide setkey for non hmac hashing algs.
- crypto: talitos - fix sha224
- KEYS: fix writing past end of user-supplied buffer in keyring_read()
- KEYS: prevent creating a different user's keyrings
- KEYS: prevent KEYCTL_READ on negative key
- powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
- Fix SMB3.1.1 guest authentication to Samba
- SMB: Validate negotiate (to protect against downgrade) even if signing off
- SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
- vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
- nl80211: check for the required netlink attributes presence
- bsg-lib: don't free job in bsg_prepare_job
- seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
- arm64: Make sure SPsel is always set
- arm64: fault: Route pte translation faults via do_translation_fault
- KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
- kvm: nVMX: Don't allow L2 to access the hardware CR8
- PCI: Fix race condition with driver_override
- btrfs: fix NULL pointer dereference from free_reloc_roots()
- btrfs: propagate error to btrfs_cmp_data_prepare caller
- btrfs: prevent to set invalid default subvolid
- x86/fpu: Don't let userspace set bogus xcomp_bv
- gfs2: Fix debugfs glocks dump
- timer/sysclt: Restrict timer migration sysctl values to 0 and 1
- KVM: VMX: do not change SN bit in vmx_update_pi_irte()
- KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
- cxl: Fix driver use count
- dmaengine: mmp-pdma: add number of requestors
- ARM: pxa: add the number of DMA requestor lines
- ARM: pxa: fix the number of DMA requestor lines
- KVM: VMX: use 

[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-30 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.10.0-38.42

---
linux (4.10.0-38.42) zesty; urgency=low

  * linux: 4.10.0-38.42 -proposed tracker (LP: #1722330)

  * Controller lockup detected on ProLiant DL380 Gen9 with P440 Controller
(LP: #1720359)
- scsi: hpsa: limit transfer length to 1MB

  * [Dell Docking IE][0bda:8153] Realtek USB Ethernet leads to system hang
(LP: #1720977)
- r8152: fix the list rx_done may be used without initialization

  * Touchpad not detected in Lenovo X1 Yoga / Yoga 720-15IKB (LP: #1700657)
- mfd: intel-lpss: Add missing PCI ID for Intel Sunrise Point LPSS devices

  * Add installer support for Broadcom BCM573xx network drivers. (LP: #1720466)
- d-i: Add bnxt_en to nic-modules.

  * CVE-2017-1000252
- KVM: VMX: Do not BUG() on out-of-bounds guest IRQ

  * CVE-2017-10663
- f2fs: sanity check checkpoint segno and blkoff

  * xfstest sanity checks on seek operations fails (LP: #1696049)
- xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff()

  * [P9, Power NV][ WSP][Ubuntu 16.04.03] : perf hw breakpoint command results
in call traces and system goes for reboot. (LP: #1706033)
- powerpc/64s: Handle data breakpoints in Radix mode

  * 5U84 - ses driver isn't binding right - cannot blink lights on 1 of the 2
5u84 (LP: #1693369)
- scsi: ses: do not add a device to an enclosure if enclosure_add_links()
  fails.

  * Vlun resize request could fail with cxlflash driver (LP: #1713575)
- scsi: cxlflash: Fix vlun resize failure in the shrink path

  * More migrations with constant load (LP: #1713576)
- sched/fair: Prefer sibiling only if local group is under-utilized

  * New PMU fixes for marked events. (LP: #1716491)
- powerpc/perf: POWER9 PMU stops after idle workaround

  * CVE-2017-14340
- xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present

  * [Zesty][Yakkety] rtl8192e bug fixes (LP: #1698470)
- staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.
- staging: rtl8192e: fix 2 byte alignment of register BSSIDR.
- staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD.
- staging: rtl8192e: GetTs Fix invalid TID 7 warning.

  * Stranded with ENODEV after mdadm --readonly (LP: #1706243)
- md: MD_CLOSING needs to be cleared after called md_set_readonly or
  do_md_stop

  * multipath -ll is not showing the disks which are actually multipath
(LP: #1718397)
- fs: aio: fix the increment of aio-nr and counting against aio-max-nr

  * ETPS/2 Elantech Touchpad inconsistently detected (Gigabyte P57W laptop)
(LP: #1594214)
- Input: i8042 - add Gigabyte P57 to the keyboard reset table

  * CVE-2017-10911
- xen-blkback: don't leak stack data via response ring

  * CVE-2017-11176
- mqueue: fix a use-after-free in sys_mq_notify()

  * implement 'complain mode' in seccomp for developer mode with snaps
(LP: #1567597)
- Revert "UBUNTU: SAUCE: seccomp: log actions even when audit is disabled"
- seccomp: Provide matching filter for introspection
- seccomp: Sysctl to display available actions
- seccomp: Operation for checking if an action is available
- seccomp: Sysctl to configure actions that are allowed to be logged
- seccomp: Selftest for detection of filter flag support
- seccomp: Action to log before allowing

  * implement errno action logging in seccomp for strict mode with snaps
(LP: #1721676)
- Revert "UBUNTU: SAUCE: seccomp: log actions even when audit is disabled"
- seccomp: Provide matching filter for introspection
- seccomp: Sysctl to display available actions
- seccomp: Operation for checking if an action is available
- seccomp: Sysctl to configure actions that are allowed to be logged
- seccomp: Selftest for detection of filter flag support
- seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW

  * Backport recent bbr bugfixes to 4.10 kernel (LP: #1708604)
- tcp_bbr: cut pacing rate only if filled pipe
- tcp_bbr: introduce bbr_bw_to_pacing_rate() helper
- tcp_bbr: introduce bbr_init_pacing_rate_from_rtt() helper
- tcp_bbr: remove sk_pacing_rate=0 transient during init
- tcp_bbr: init pacing rate on first RTT sample

  * [SRU][Zesty] Fix lscpu segfault on ARM64 with SMBIOS v2.0 (LP: #1716483)
- arm64: kernel: restrict /dev/mem read() calls to linear region

 -- Kleber Sacilotto de Souza   Tue, 10 Oct 2017 13:49:34 +0200

** Changed in: linux (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000252

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10663

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10911

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11176

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14340


[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-18 Thread Tyler Hicks
I tested the linux kernel SRU in Xenial and Zesty using the following
linux package versions:

 - xenial: linux-image-4.4.0-98-generic 4.4.0-98.121
 - zesty: linux-image-4.10.0-38-generic 4.10.0-38.42

The linux kernel SRU testing was successful and followed what's
documented in the [Test Case] section of this bug description.

** Tags removed: verification-needed-xenial verification-needed-zesty
** Tags added: verification-done-xenial verification-done-zesty

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Zesty:
  Fix Committed
Status in linux source package in Artful:
  Fix Released


[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-18 Thread Kleber Sacilotto de Souza
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-xenial' to 'verification-done-xenial'. If the
problem still exists, change the tag 'verification-needed-xenial' to
'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-xenial

** Tags added: verification-needed-zesty

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Zesty:
  Fix Committed
Status in linux source package in Artful:
  Fix Released


[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-18 Thread Kleber Sacilotto de Souza
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-zesty' to 'verification-done-zesty'. If the
problem still exists, change the tag 'verification-needed-zesty' to
'verification-failed-zesty'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Thank you!

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Zesty:
  Fix Committed
Status in linux source package in Artful:
  Fix Released


  [Regression Potential]

  The kernel patches received a lot of review between Kees and some
  others interested in improved seccomp logging. I authored the patches
  and feel comfortable/confident with my backported versions. They do
  not change the behavior of seccomp logging by default but offer ways
  applications to opt into more logging and, on the flipside, ways for
  the administrator to quite any additional 

[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-11 Thread Tyler Hicks
Here's the kernel test case that I mentioned in the bug description.

** Attachment added: "lp1721676-kernel-test.c"
   https://bugs.launchpad.net/snappy/+bug/1721676/+attachment/4967859/+files/lp1721676-kernel-test.c

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Zesty:
  Fix Committed
Status in linux source package in Artful:
  Fix Released

Bug description:
  A requirement for snappy is that security sandbox violations against
  policy are logged. In this manner learning tools can be written to
  parse the logs, etc. and make developing on snappy easier.

  The current default seccomp action, in strict mode, is to kill the
  snap's thread that violated the policy but this is unfriendly to the
  developer and to the user. The desired action is to block the illegal
  system call and return an error with errno set to EPERM. However,
  seccomp does not emit log events when it takes that action. Seccomp
  should be updated to emit log events when taking the SECCOMP_RET_ERRNO
  action and then snappy can switch to using that action when
  blocking illegal system calls.

  [Impact]

  Snapd needs a way to log SECCOMP_RET_ERRNO seccomp actions in order to
  have a more friendly strict mode. Such functionality has been merged
  upstream into 4.14-rc2.

  No libseccomp changes are needed at this time since snap-confine loads
  the BPF filter directly into the kernel without using libseccomp.

  [Test Case]

  Running the libseccomp "live" tests will exercise the kernel's seccomp
  enforcement and help to catch any regressions. Note that on
  Artful, there's an existing test failure (20-live-basic_die%%002-1):

  $ sudo apt build-dep -y libseccomp
  $ sudo apt install -y cython
  $ apt source libseccomp
  $ cd libseccomp-*
  $ autoreconf -ivf && ./configure --enable-python && make check-build
  $ (cd tests && ./regression -T live)

  All tests should pass on zesty (12 tests) and xenial (10 tests). On
  artful, you'll see one pre-existing failure:
  ...
  Test 20-live-basic_die%%002-1 result: FAILURE 20-live-basic_die TRAP rc=159
  ...
  Regression Test Summary
   tests run: 12
   tests skipped: 0
   tests passed: 11
   tests failed: 1
   tests errored: 0

  Running the seccomp kernel selftests is also a great way to exercise
  seccomp and the kernel patch set proposed for the SRU includes
  additional seccomp selftests. To build, enter into the root of the
  kernel source tree and build the seccomp test binary:

  $ make -C tools/testing/selftests TARGETS=seccomp

  Now you can execute tools/testing/selftests/seccomp/seccomp_bpf or
  even copy it to a test machine and run it there. On Xenial, 54/54
  tests should pass and 58/58 should pass on Zesty.

  Now we can run a single test to verify that SECCOMP_RET_ERRNO is
  logged when the application opts into it. First, verify that "errno"
  is listed in the actions_logged sysctl:

  $ cat /proc/sys/kernel/seccomp/actions_logged
  kill trap errno trace log

  Now, build and run the test program:

  $ gcc -o lp1721676-kernel-test lp1721676-kernel-test.c
  $ ./lp1721676-kernel-test
  SUCCESS: getpid() failed as expected: Operation not permitted

  It should have generated a message like this in /var/log/syslog:

  kernel: [79338.804966] audit: type=1326 audit(1507259221.875:27):
  auid=1000 uid=1000 gid=1000 ses=5 pid=3091 comm="lp1721676-kerne"
  exe="/home/tyhicks/lp1721676-kernel-test" sig=0 arch=c03e
  syscall=39 compat=0 ip=0x7fb91829c499 code=0x5

  Disable errno logging in the sysctl:

  $ echo kill trap trace log | sudo tee /proc/sys/kernel/seccomp/actions_logged
  kill trap trace log

  Rerun the test program and ensure that nothing was logged this time.

  [Regression Potential]

  The kernel patches received a lot of review between Kees and some
  others interested in improved seccomp logging. I authored the patches
  and feel comfortable/confident with my backported versions. They do
  not change the behavior of seccomp logging by default but offer ways
  for applications to opt into more logging and, on the flipside, ways for
  the administrator to quiet any additional logging.
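
The application-side opt-in that the test case exercises, as an added example (it is not the attached lp1721676-kernel-test.c, which is not reproduced on this page): a filter that answers getpid() with SECCOMP_RET_ERRNO/EPERM and is installed with SECCOMP_FILTER_FLAG_LOG, falling back to an unlogged filter when the kernel rejects the flag. The function names and return codes are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#ifndef SECCOMP_FILTER_FLAG_LOG     /* uapi headers older than 4.14 */
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
#endif

#if defined(__x86_64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* One-syscall demo filter, not a policy: kill on a foreign architecture,
 * fail getpid() with EPERM, allow everything else. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Returns 1 if the filter was installed with logging requested, 0 if the
 * kernel does not know the LOG flag and the filter was installed without
 * it, -1 on any other failure. */
static int install_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                SECCOMP_FILTER_FLAG_LOG, &prog) == 0)
        return 1;
    if (errno != EINVAL)            /* EINVAL: unknown flag on this kernel */
        return -1;
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) == 0)
        return 0;
    return -1;
}

/* Runs the check in a child so the caller stays unconfined.
 * 0: getpid() got EPERM, logging requested
 * 1: getpid() got EPERM, kernel lacks the LOG flag (no record possible)
 * 2: filter could not be installed
 * 3: getpid() was not blocked as expected
 * -1: fork/wait failure */
int seccomp_errno_demo(void)
{
    int status;
    pid_t child = fork();

    if (child < 0)
        return -1;
    if (child == 0) {
        int logged = install_filter();
        if (logged < 0)
            _exit(2);
        errno = 0;
        if (syscall(SYS_getpid) != -1 || errno != EPERM)
            _exit(3);
        _exit(logged ? 0 : 1);
    }
    if (waitpid(child, &status, 0) != child || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = seccomp_errno_demo();

    if (r == 0)
        puts("getpid() failed with EPERM; logging requested for this filter");
    else if (r == 1)
        puts("getpid() failed with EPERM; kernel has no SECCOMP_FILTER_FLAG_LOG");
    else
        printf("unexpected result %d\n", r);
    return (r == 0 || r == 1) ? 0 : 1;
}
```

With result 0, an audit type=1326 record is written only while "errno" is present in /proc/sys/kernel/seccomp/actions_logged, which is what the sysctl steps in the test case toggle.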


[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-06 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Zesty)
   Status: In Progress => Fix Committed

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Zesty:
  Fix Committed
Status in linux source package in Artful:
  Fix Released


[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-06 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Xenial)
   Status: In Progress => Fix Committed

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Zesty:
  Fix Committed
Status in linux source package in Artful:
  Fix Released


[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-05 Thread Tyler Hicks
The Xenial and Zesty kernel patch sets have been sent to the kernel
team:

https://lists.ubuntu.com/archives/kernel-team/2017-October/087448.html
https://lists.ubuntu.com/archives/kernel-team/2017-October/087456.html

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Zesty:
  In Progress
Status in linux source package in Artful:
  Fix Released


[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-05 Thread Tyler Hicks
** Description changed:

  A requirement for snappy is that security sandbox violations against
  policy are logged. In this manner learning tools can be written to parse
  the logs, etc and make developing on snappy easier.
  
  The current default seccomp action, in strict mode. is to kill the
  snap's thread that violated the policy but this is unfriendly to the
  developer and to the user. The desired action is to block the illegal
  system call and return an error with errno set to EPERM. However,
  seccomp does not emit log events when it takes that action. Seccomp
  should be updated to emit log events when taking the SECCOMP_RET_ERRNO
  action and then snappy can switch to the using that action when blocking
  illegal system calls.
  
  [Impact]
  
  Snapd needs a way to log SECCOMP_RET_ERRNO seccomp actions in order to
  have a more friendly strict mode. Such functionality has been merged
  upstream into 4.14-rc2.
  
  No libseccomp changes are needed at this time since snap-confine loads
  the BPF filter directly into the kernel without using libseccomp.
  
  [Test Case]
  
  Running the libseccomp "live" tests will exercise the kernel's seccomp
  enforcement and help to help catch any regressions. Note that on Artful,
  there's an existing test failure (20-live-basic_die%%002-1):
  
  $ sudo apt build-dep -y libseccomp
  $ sudo apt install -y cython
  $ apt source libseccomp
  $ cd libseccomp-*
  $ autoreconf -ivf && ./configure --enable-python && make check-build
  $ (cd tests && ./regression -T live)
  
  All tests should pass on zesty (12 tests) and xenial (10 tests). On artful, 
you'll see one pre-existing failure:
  ...
  Test 20-live-basic_die%%002-1 result: FAILURE 20-live-basic_die TRAP 
rc=159
  ...
  Regression Test Summary
   tests run: 12
   tests skipped: 0
   tests passed: 11
   tests failed: 1
   tests errored: 0
  
  
+ 
+ 
+ Running the seccomp kernel selftests is also a great to exercise seccomp
+ and the kernel patch set proposed for the SRU includes additional
+ seccomp selftests. To build, enter into the root of the kernel source
+ tree and build the seccomp test binary:
+ 
+ $ make -C tools/testing/selftests TARGETS=seccomp
+ 
+ Now you can execute tools/testing/selftests/seccomp/seccomp_bpf or even
+ copy it to a test machine and run it there. On Xenial, 54/54 tests
+ should pass and 58/58 should pass on Zesty.
+ 
+ 
+ 
  Now we can run a single test to verify that SECCOMP_RET_ERRNO is logged
  when the application opts into it. First, verify that "errno" is listed
  in the actions_logged sysctl:
  
- $ cat /proc/sys/kernel/seccomp/actions_logged 
+ $ cat /proc/sys/kernel/seccomp/actions_logged
  kill trap errno trace log
  
  Now, build and run the test program:
  
- $ gcc -o lp1721676-kernel-test lp1721676-kernel-test.c 
- $ ./lp1721676-kernel-test 
+ $ gcc -o lp1721676-kernel-test lp1721676-kernel-test.c
+ $ ./lp1721676-kernel-test
  SUCCESS: getpid() failed as expected: Operation not permitted
  
  It should have generated a message like this in /var/log/syslog:
  
  kernel: [79338.804966] audit: type=1326 audit(1507259221.875:27):
  auid=1000 uid=1000 gid=1000 ses=5 pid=3091 comm="lp1721676-kerne"
  exe="/home/tyhicks/lp1721676-kernel-test" sig=0 arch=c03e syscall=39
  compat=0 ip=0x7fb91829c499 code=0x5
  
  Disable errno logging in the sysctl:
  
  $ echo kill trap trace log | sudo tee /proc/sys/kernel/seccomp/actions_logged
  kill trap trace log
  
  Rerun the test program and ensure that nothing was logged this time.
  
  [Regression Potential]
  
  The kernel patches received a lot of review between Kees and some others
  interested in improved seccomp logging. I authored the patches and feel
  comfortable/confident with my backported versions. They do not change
  the behavior of seccomp logging by default but offer ways applications
  to opt into more logging and, on the flipside, ways for the
  administrator to quite any additional logging.
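
Review bot: the added selftest paragraph gives expected totals only for Xenial (54/54) and Zesty (58/58), while the libseccomp steps just above it also state what to expect on Artful; either give the Artful total for seccomp_bpf or say the selftests are not part of its verification. The first added sentence is also missing a word ("is also a great to exercise seccomp" should read "a great way to exercise seccomp"). The remaining -/+ pairs only drop trailing whitespace from the command lines and need no further change.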

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Zesty:
  In Progress
Status in linux source package in Artful:
  Fix Released

[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-05 Thread Tyler Hicks
** Description changed:

  A requirement for snappy is that security sandbox violations against
  policy are logged. In this manner learning tools can be written to parse
  the logs, etc and make developing on snappy easier.
  
  The current default seccomp action, in strict mode. is to kill the
  snap's thread that violated the policy but this is unfriendly to the
  developer and to the user. The desired action is to block the illegal
  system call and return an error with errno set to EPERM. However,
  seccomp does not emit log events when it takes that action. Seccomp
  should be updated to emit log events when taking the SECCOMP_RET_ERRNO
  action and then snappy can switch to the using that action when blocking
  illegal system calls.
  
  [Impact]
  
  Snapd needs a way to log SECCOMP_RET_ERRNO seccomp actions in order to
  have a more friendly strict mode. Such functionality has been merged
  upstream into 4.14-rc2.
  
  No libseccomp changes are needed at this time since snap-confine loads
  the BPF filter directly into the kernel without using libseccomp.
  
  [Test Case]
  
  Running the libseccomp "live" tests will exercise the kernel's seccomp
  enforcement and help to help catch any regressions. Note that on Artful,
  there's an existing test failure (20-live-basic_die%%002-1):
  
  $ sudo apt build-dep -y libseccomp
  $ sudo apt install -y cython
  $ apt source libseccomp
  $ cd libseccomp-*
  $ autoreconf -ivf && ./configure --enable-python && make check-build
  $ (cd tests && ./regression -T live)
  
  All tests should pass on zesty (12 tests) and xenial (10 tests). On artful, 
you'll see one pre-existing failure:
  ...
  Test 20-live-basic_die%%002-1 result: FAILURE 20-live-basic_die TRAP 
rc=159
  ...
  Regression Test Summary
-  tests run: 12
-  tests skipped: 0
-  tests passed: 11
-  tests failed: 1
-  tests errored: 0
+  tests run: 12
+  tests skipped: 0
+  tests passed: 11
+  tests failed: 1
+  tests errored: 0
  
+ 
+ Now we can run a single test to verify that SECCOMP_RET_ERRNO is logged
+ when the application opts into it. First, verify that "errno" is listed
+ in the actions_logged sysctl:
+ 
+ $ cat /proc/sys/kernel/seccomp/actions_logged 
+ kill trap errno trace log
+ 
+ Now, build and run the test program:
+ 
+ $ gcc -o lp1721676-kernel-test lp1721676-kernel-test.c 
+ $ ./lp1721676-kernel-test 
+ SUCCESS: getpid() failed as expected: Operation not permitted
+ 
+ It should have generated a message like this in /var/log/syslog:
+ 
+ kernel: [79338.804966] audit: type=1326 audit(1507259221.875:27):
+ auid=1000 uid=1000 gid=1000 ses=5 pid=3091 comm="lp1721676-kerne"
+ exe="/home/tyhicks/lp1721676-kernel-test" sig=0 arch=c03e syscall=39
+ compat=0 ip=0x7fb91829c499 code=0x5
+ 
+ Disable errno logging in the sysctl:
+ 
+ $ echo kill trap trace log | sudo tee /proc/sys/kernel/seccomp/actions_logged
+ kill trap trace log
+ 
+ Rerun the test program and ensure that nothing was logged this time.
  
  [Regression Potential]
  
  The kernel patches received a lot of review between Kees and some others
  interested in improved seccomp logging. I authored the patches and feel
  comfortable/confident with my backported versions. They do not change
  the behavior of seccomp logging by default but offer ways applications
  to opt into more logging and, on the flipside, ways for the
  administrator to quite any additional logging.
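
Review bot: the added verification steps end with "errno" removed from /proc/sys/kernel/seccomp/actions_logged and never write it back, so the test machine is left with errno logging off; add a final step that restores "kill trap errno trace log". The closing step "Rerun the test program and ensure that nothing was logged this time" should also name what to look for, namely no new audit type=1326 record for comm="lp1721676-kerne" in /var/log/syslog, so the negative check is unambiguous. The -/+ pairs on the "tests run" summary lines differ only in whitespace.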

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Zesty:
  In Progress
Status in linux source package in Artful:
  Fix Released

[Kernel-packages] [Bug 1721676] Re: implement errno action logging in seccomp for strict mode with snaps

2017-10-05 Thread Tyler Hicks
The kernel patches for this feature have already been released in an
Artful kernel (4.12.0-13.14).

** Description changed:

  A requirement for snappy is that security sandbox violations against
  policy are logged. In this manner learning tools can be written to parse
  the logs, etc and make developing on snappy easier.
  
  The current default seccomp action, in strict mode. is to kill the
  snap's thread that violated the policy but this is unfriendly to the
  developer and to the user. The desired action is to block the illegal
  system call and return an error with errno set to EPERM. However,
  seccomp does not emit log events when it takes that action. Seccomp
  should be updated to emit log events when taking the SECCOMP_RET_ERRNO
  action and then snappy can switch to the using that action when blocking
  illegal system calls.
+ 
+ [Impact]
+ 
+ Snapd needs a way to log SECCOMP_RET_ERRNO seccomp actions in order to
+ have a more friendly strict mode. Such functionality has been merged
+ upstream into 4.14-rc2.
+ 
+ No libseccomp changes are needed at this time since snap-confine loads
+ the BPF filter directly into the kernel without using libseccomp.
+ 
+ [Test Case]
+ 
+ Running the libseccomp "live" tests will exercise the kernel's seccomp
+ enforcement and help to help catch any regressions. Note that on Artful,
+ there's an existing test failure (20-live-basic_die%%002-1):
+ 
+ $ sudo apt build-dep -y libseccomp
+ $ sudo apt install -y cython
+ $ apt source libseccomp
+ $ cd libseccomp-*
+ $ autoreconf -ivf && ./configure --enable-python && make check-build
+ $ (cd tests && ./regression -T live)
+ 
+ All tests should pass on zesty (12 tests) and xenial (10 tests). On artful, 
you'll see one pre-existing failure:
+ ...
+ Test 20-live-basic_die%%002-1 result: FAILURE 20-live-basic_die TRAP 
rc=159
+ ...
+ Regression Test Summary
+  tests run: 12
+  tests skipped: 0
+  tests passed: 11
+  tests failed: 1
+  tests errored: 0
+ 
+ 
+ [Regression Potential]
+ 
+ The kernel patches received a lot of review between Kees and some others
+ interested in improved seccomp logging. I authored the patches and feel
+ comfortable/confident with my backported versions. They do not change
+ the behavior of seccomp logging by default but offer ways applications
+ to opt into more logging and, on the flipside, ways for the
+ administrator to quite any additional logging.
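Review bot: the added [Test Case] only runs the libseccomp live regression suite, so it checks that enforcement did not regress but never checks that a SECCOMP_RET_ERRNO action now produces a log event, which is the behaviour [Impact] asks for; add a step that triggers a blocked call and confirms the log entry appears. In the same hunk, "help to help catch" repeats a word, "offer ways applications to opt into" is missing "for", and "to quite any additional logging" should read "quiet".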

Status in Snappy:
  In Progress
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Zesty:
  In Progress
Status in linux source package in Artful:
  Fix Released
