CC'ing snappy-devel@ so people know what is going on.

On 03/24/2015 12:24 PM, Jamie Strandboge wrote:
> On 03/24/2015 04:55 AM, Michael Vogt wrote:
>> On Fri, Mar 20, 2015 at 10:18:10AM -0500, Jamie Strandboge wrote:
>>> On 03/20/2015 10:15 AM, Jamie Strandboge wrote:
...
>> The launcher side should be in reasonable shape now, the next step is
>> the generator.
>>
> Thanks so much for this!
>
> Note to Tyler:
> 12:10 < mvo> jdstrand: I added the ignore-unknown-syscalls now
>
> Michael and I discussed that different architectures may use different
> syscalls for similar things (e.g., /bin/true was different between
> architectures). I thought that we didn't want to get into the business of
> architecture-dependent filter templates and filter groups so advised Michael
> to simply ignore any unknown syscalls that are in the template/groups which
> should help his testsuite too. I figure if needed, we can refine this going
> forward.
>

FYI, I went through all the archs that our buildds support and defined the
basic seccomp policy. It isn't finalized and still needs to be thoroughly
tested. Creating a new ubuntu-core-security package that will supersede
apparmor-easyprof-ubuntu-snappy. See this here:
https://code.launchpad.net/~jdstrand/+junk/ubuntu-core-security

Importantly, not only does it add seccomp policy and replace
apparmor-easyprof-ubuntu-snappy, it updates 'policy-vendor' to be
'ubuntu-core' instead of 'ubuntu-snappy' and changes the 'policy-version' to
be based in /etc/lsb-release. This means we can remove the need for the
.framework file in /usr/share/click/frameworks. It will have compatibility
symlinks to not break existing apps in the store.

I also looked at Michael's branch:
https://code.launchpad.net/~mvo/ubuntu-core-launcher/trunk

Attached is a patch that:
* fallback to seccomp_rule_add() if seccomp_rule_add_exact() fails
* call prctl(PR_SET_NO_NEW_PRIVS, 1)

I have not done a code review. Perhaps that is something Tyler would like to
go over.

With the launcher and ubuntu-core-security pieces coming together, in the next
couple days I plan to:
* upload ubuntu-core-security
* seed ubuntu-core-security-* binaries for snappy (where?)
* adjust click-apparmor to dynamically determine what to do based on
  lsb-release
* adjust snappy to ideally dynamically detect but may just change the
  hardcoded value for new snaps
* adjust the review tools to obsolete 'ubuntu-snappy' as the policy-vendor
* follow up with sergiusens on making /var/lib/snappy writable (he said he'd
  do it)

Once all of that is in place, the only thing left is the glue tool for seccomp
(i.e., seccomp's aa-easyprof equivalent). Since Michael is on holiday starting
tomorrow, if I can find the time, I'll start looking at that.

-- 
Jamie Strandboge
http://www.ubuntu.com/
diff -Nru ubuntu-core-launcher-0.1~ppa5/debian/changelog ubuntu-core-launcher-0.1~ppa6/debian/changelog --- ubuntu-core-launcher-0.1~ppa5/debian/changelog 2015-03-30 17:24:56.000000000 -0500 +++ ubuntu-core-launcher-0.1~ppa6/debian/changelog 2015-03-31 08:05:33.000000000 -0500 @@ -1,3 +1,10 @@ +ubuntu-core-launcher (0.1~ppa6) vivid; urgency=medium + + * fallback to seccomp_rule_add() if seccomp_rule_add_exact() fails + * call prctl(PR_SET_NO_NEW_PRIVS, 1) + + -- Jamie Strandboge <[email protected]> Tue, 31 Mar 2015 08:02:52 -0500 + ubuntu-core-launcher (0.1~ppa5) vivid; urgency=low * ignore syscalls unavailable on the given kenerl/arch diff -Nru ubuntu-core-launcher-0.1~ppa5/src/seccomp.c ubuntu-core-launcher-0.1~ppa6/src/seccomp.c --- ubuntu-core-launcher-0.1~ppa5/src/seccomp.c 2015-03-30 17:24:56.000000000 -0500 +++ ubuntu-core-launcher-0.1~ppa6/src/seccomp.c 2015-03-31 08:12:07.000000000 -0500 @@ -4,6 +4,7 @@ #include <string.h> #include <ctype.h> #include <stdlib.h> +#include <sys/prctl.h> #include <seccomp.h> @@ -64,15 +65,24 @@ // syscall not available on this arch/kernel if (syscall_nr == __NR_SCMP_ERROR) continue; - + // a normal line with a syscall rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, syscall_nr, 0); if (rc != 0) { - fprintf(stderr, "seccomp_rule_add_exact failed with %i for '%s'\n", rc, buf); - goto out; + rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscall_nr, 0); + if (rc != 0) { + fprintf(stderr, "seccomp_rule_add failed with %i for '%s'\n", rc, buf); + goto out; + } } } + // Make sure we can't elevate later + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("prctl(NO_NEW_PRIVS)"); + goto out; + } + // load it into the kernel rc = seccomp_load(ctx); if (rc != 0) { @@ -80,7 +90,7 @@ goto out; } - + out: if (f != NULL) { fclose(f);
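Review bot: in the new `prctl(PR_SET_NO_NEW_PRIVS, ...)` block in the seccomp.c hunk at @@ -64,15 +65,24 @@, `rc` is not set before `goto out`; at that point `rc` still holds the 0 from the last successful `seccomp_rule_add_exact()`/`seccomp_rule_add()` call, so unlike the rule-add failure path (which jumps to `out:` with a nonzero `rc`) a prctl failure would leave `rc` indicating success. Suggest `rc = -1;` (or `rc = -errno;`) before the `goto out;`. Placing the prctl before `seccomp_load()` is the right order, since the kernel only accepts a filter from an unprivileged process once no_new_privs is set; libseccomp's `seccomp_load()` also sets it by default (the SCMP_FLTATR_CTL_NNP attribute), so the explicit call is a belt-and-braces measure rather than a behaviour change, which is worth saying in the comment. Consider also logging the fallback from `seccomp_rule_add_exact()` to `seccomp_rule_add()` at debug level: the non-exact variant lets libseccomp rewrite a rule that cannot be expressed exactly on an architecture, and a silently widened rule is hard to audit later.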
signature.asc
Description: OpenPGP digital signature
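A process-side check of the two properties the patch adds, as an added example that is not code from the launcher or from this thread: it sets NO_NEW_PRIVS before installing a seccomp filter, as the launcher does before seccomp_load(), and then reads both settings back from the kernel. The filter here is a constructed allow-everything program standing in for the generated per-app policy, and `proc_status_int` and `harden_process` are names chosen for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

// Read an integer field such as "NoNewPrivs:\t1" or "Seccomp:\t2" from
// /proc/self/status. Returns -1 if the field is absent or unreadable.
int proc_status_int(const char *field)
{
    char line[256];
    int value = -1;
    size_t len = strlen(field);
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, field, len) == 0 && line[len] == ':') {
            if (sscanf(line + len + 1, "%d", &value) != 1)
                value = -1;
            break;
        }
    }
    fclose(f);
    return value;
}

// Same ordering as the launcher: NO_NEW_PRIVS first, then the filter. Without
// no_new_privs (or CAP_SYS_ADMIN) the kernel refuses the filter with EACCES.
// The filter is a constructed allow-everything program (example only), standing
// in for the generated per-app allow list. Returns 0 on success, -errno/-1 on failure.
int harden_process(void)
{
    struct sock_filter allow_all[] = {
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof allow_all / sizeof allow_all[0]),
        .filter = allow_all,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    // Cross-check the kernel's own view before loading the filter
    if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}
```

After `harden_process()` returns 0, /proc/self/status reports `NoNewPrivs: 1` and `Seccomp: 2` (filter mode), which is what to look for in a launched app's /proc/<pid>/status when checking that the launcher's confinement actually took effect.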
-- snappy-devel mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snappy-devel
