[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2019-07-24 Thread Brad Figg
** Tags added: cscc -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libseccomp in Ubuntu. https://bugs.launchpad.net/bugs/1567597 Title: implement 'complain mode' in seccomp for developer mode with snaps Status in snapd:

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2019-03-25 Thread Zygmunt Krynicki
This has been fixed now. Marking it as such. ** Project changed: snappy => snapd ** Changed in: snapd Status: In Progress => Fix Released

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2018-03-05 Thread Jamie Strandboge
This is fixed in xenial 2.3.1-2.1ubuntu2~16.04.1 ** Changed in: libseccomp (Ubuntu Xenial) Status: In Progress => Fix Released

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-11-09 Thread Tyler Hicks
I've successfully performed the testing described in the [libseccomp Test Case] section of this bug description using libseccomp 2.3.1-2.1ubuntu2~16.04.1 from xenial-proposed.

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-30 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-98.121 --- linux (4.4.0-98.121) xenial; urgency=low * linux: 4.4.0-98.121 -proposed tracker (LP: #1722299) * Controller lockup detected on ProLiant DL380 Gen9 with P440 Controller (LP: #1720359) - scsi: hpsa: limit transfer

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-30 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.10.0-38.42 --- linux (4.10.0-38.42) zesty; urgency=low * linux: 4.10.0-38.42 -proposed tracker (LP: #1722330) * Controller lockup detected on ProLiant DL380 Gen9 with P440 Controller (LP: #1720359) - scsi: hpsa: limit transfer

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-19 Thread Launchpad Bug Tracker
This bug was fixed in the package libseccomp - 2.3.1-2.1ubuntu2~17.04.1 --- libseccomp (2.3.1-2.1ubuntu2~17.04.1) zesty; urgency=medium * Backport artful's libseccomp to zesty (LP: #1567597) - Add support for the SECCOMP_RET_LOG action libseccomp (2.3.1-2.1ubuntu2) artful;

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-18 Thread Tyler Hicks
I tested the linux kernel SRU in Xenial and Zesty using the following linux package versions: - xenial: linux-image-4.4.0-98-generic 4.4.0-98.121 - zesty: linux-image-4.10.0-38-generic 4.10.0-38.42 The linux kernel SRU testing was successful and followed what's documented in the [Linux Kernel

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-18 Thread Kleber Sacilotto de Souza
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-16 Thread Tyler Hicks
Hi - I tested the libseccomp SRU in Zesty using the following libseccomp package version: - libseccomp2 2.3.1-2.1ubuntu2~17.04.1 I tested it with the following kernels: - linux-image-4.10.0-37-generic 4.10.0-37.41 + does not contain seccomp logging patches - linux-image-4.10.0-38-generic

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-12 Thread Brian Murray
Hello Jamie, or anyone else affected, Accepted libseccomp into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libseccomp/2.3.1-2.1ubuntu2~17.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package.

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-11 Thread Tyler Hicks
Here's the kernel test case that I mentioned in the bug description. ** Attachment added: "lp1567597-kernel-test.c" https://bugs.launchpad.net/snappy/+bug/1567597/+attachment/4967858/+files/lp1567597-kernel-test.c

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-06 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Zesty) Status: In Progress => Fix Committed

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-06 Thread Thadeu Lima de Souza Cascardo
** Changed in: linux (Ubuntu Xenial) Status: In Progress => Fix Committed

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-05 Thread Tyler Hicks
The Xenial and Zesty kernel patch sets have been sent to the kernel team: https://lists.ubuntu.com/archives/kernel-team/2017-October/087448.html https://lists.ubuntu.com/archives/kernel-team/2017-October/087456.html I've uploaded a libseccomp SRU to zesty-proposed. The Xenial SRU is going to be

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-05 Thread Tyler Hicks
** Description changed: A requirement for snappy is that a snap may be placed in developer mode which will put the security sandbox in complain mode such that violations against policy are logged, but permitted. In this manner learning tools can be written to parse the logs, etc and make

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-05 Thread Tyler Hicks
** Description changed: A requirement for snappy is that a snap may be placed in developer mode which will put the security sandbox in complain mode such that violations against policy are logged, but permitted. In this manner learning tools can be written to parse the logs, etc and make

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-05 Thread Tyler Hicks
** Changed in: snappy Status: Confirmed => In Progress

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-10-05 Thread Tyler Hicks
** Description changed: A requirement for snappy is that a snap may be placed in developer mode which will put the security sandbox in complain mode such that violations against policy are logged, but permitted. In this manner learning tools can be written to parse the logs, etc and make

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-09-19 Thread Tyler Hicks
SCMP_ACT_LOG test for libseccomp. ** Description changed: A requirement for snappy is that a snap may be placed in developer mode which will put the security sandbox in complain mode such that violations against policy are logged, but permitted. In this manner learning tools can be

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-09-11 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.12.0-13.14 --- linux (4.12.0-13.14) artful; urgency=low * linux: 4.12.0-13.14 -proposed tracker (LP: #1714687) * vhost guest network randomly drops under stress (kvm) (LP: #1711251) - Revert "vhost: cache used event for better

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-09-05 Thread Tyler Hicks
@zyga those are both good questions. - Detection functionality is included in kernel patches. There's a new seccomp(2) operation to check if the log action is available and an added test to ensure that there's a certain combination of valid/invalid seccomp(2) arguments that can be used to detect

Re: [Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-08-29 Thread Zygmunt Krynicki
Hey Tyler, thank you for the update, this looks very promising indeed. I'd like to ask about two aspects: - detection, how can we detect that this feature is available? Shall we just compile a program and see if it loads on snapd startup? - golang, we use golang bindings to libseccomp and we

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-08-28 Thread Tyler Hicks
The kernel patches were committed to the Ubuntu Artful kernel git repo: https://lists.ubuntu.com/archives/kernel-team/2017-August/086714.html ** Changed in: linux (Ubuntu) Status: In Progress => Fix Committed

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-08-25 Thread Kyle Fazzari
Thanks for the update, Tyler. I know this has been a long road, but the cumulative effect of everyone's hard work on this particular front will be huge. I'm very much looking forward to this.

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-08-25 Thread Tyler Hicks
A status update is in order. We settled on a design that meets everyone's kernel needs. Those patches have been accepted into linux-next and they're on their way into 4.14. https://lkml.kernel.org/r/%3C20170815220319.GA63342@beast%3E I've submitted Artful backports to the kernel team:

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-08-25 Thread Tyler Hicks
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Changed in: linux (Ubuntu) Status: New => In Progress ** Changed in: linux (Ubuntu) Assignee: (unassigned) => Tyler Hicks (tyhicks) ** Changed in: libseccomp (Ubuntu) Assignee: (unassigned) => Tyler

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-01-17 Thread Michael Vogt
\o/ Thank you Tyler!

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-01-17 Thread Tyler Hicks
No, it is actually in-progress now: http://lkml.iu.edu/hypermail/linux/kernel/1701.0/00452.html http://lkml.iu.edu/hypermail/linux/kernel/1701.0/00472.html https://github.com/seccomp/libseccomp/pull/64 Vacation time and a sprint last week have kept me from working on a second revision of the

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2017-01-17 Thread Michael Vogt
Does it make sense to move this back from "in-progress" to "triaged"?

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2016-08-08 Thread Tyler Hicks
No, there's not an upstream kernel bug. The kernel bugzilla isn't used much and something like this typically plays out on the mailing list. It may be useful to create a libseccomp issue but I'm not ready to do that until I have a better idea about the kernel changes that are needed. ** Changed

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2016-08-08 Thread Zygmunt Krynicki
Is there a bug about this in upstream libseccomp or kernel bugzilla?

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2016-05-03 Thread Jamie Strandboge
** Changed in: libseccomp (Ubuntu) Status: New => Confirmed

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2016-04-20 Thread Michael Vogt
** Changed in: snappy Importance: Undecided => Medium

[Touch-packages] [Bug 1567597] Re: implement 'complain mode' in seccomp for developer mode with snaps

2016-04-15 Thread Seth Arnold
What's the benefit of a complain mode for seccomp in snappyland? AppArmor denials can usually be addressed by changing ./configure flags or hardcoded paths or something, but there's not much to be done for "this application uses syscalls we forbid" except eliding the syscalls from the source,