Hey all.

As I go through snapping different pieces of software, I encounter the same issues. One of those issues is the software in question making syscalls that are denied by the set of interfaces that don't require a manual review. As far as I can tell, there are three ways around this:

1) Customize the YAML asking for the syscalls necessary, and live with the manual reviews for every upload.
2) Maintain a fork with the syscall removed.
3) Push changes upstream to allow for disabling the syscall at compile- or run-time.

Oftentimes the syscalls being made aren't strictly required (e.g. MySQL trying to control its thread priorities with `setpriority()`), which typically leads to my starting with (2) and moving to (3). Every time I do (3) however, I get the same question: "Why does Snappy use SECCOMP_RET_KILL instead of SECCOMP_RET_ERRNO?[1]" My only response is "I don't know." I'd like to stop saying that, thus this email :) .

To make sure we're on the same page, Snappy's ubuntu-core-launcher uses libseccomp to load the filters, which it initializes with SCMP_ACT_KILL[2], which means that when a non-whitelisted syscall is made the caller is immediately killed with no chance to recover. Contrast this to SCMP_ACT_ERRNO which would allow for such syscalls to fail gracefully and be handled by the caller. For example, the code in MySQL would have handled this with no changes by printing a warning about being unable to change the priority-- perfect. But since Snappy uses SCMP_ACT_KILL it requires a code change to never attempt the call in the first place.

This makes packaging snaps harder than it seems it needs to be, so I feel like there must be a good reason for it. Thanks for the information!

[1]: https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
[2]: http://man7.org/linux/man-pages/man3/seccomp_init.3.html

-- 
Kyle Fazzari (kyrofa)
Software Engineer
Canonical Ltd.
k...@canonical.com
-- 
snappy-devel mailing list
snappy-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/snappy-devel
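
The difference between the two filter actions discussed in the message above, as an added example that is not part of the original email and is not code from ubuntu-core-launcher. It assumes a Linux kernel with seccomp filter support and talks to the kernel's seccomp-BPF interface directly instead of going through libseccomp; run_under_filter() and FILTER_UNAVAILABLE are names made up for this illustration.

```c
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#define FILTER_UNAVAILABLE 200  /* constructed sentinel: filter could not be installed */

/* Fork a child, apply `action` to setpriority() only, and report what happened:
 * 0 = call succeeded, >0 = errno seen by the caller, <0 = -(fatal signal). */
int run_under_filter(unsigned int action)
{
    struct sock_filter insns[] = {
        /* Load the syscall number (a production filter also checks seccomp_data.arch). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_setpriority, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),            /* setpriority: apply action */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* everything else: allow */
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };
    pid_t pid = fork();
    if (pid < 0)
        return FILTER_UNAVAILABLE;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(FILTER_UNAVAILABLE);
        /* An optional call of the same kind as the MySQL case in the email. */
        int rc = setpriority(PRIO_PROCESS, 0, 0);
        _exit(rc == 0 ? 0 : errno);  /* reached only if the process survived the call */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return FILTER_UNAVAILABLE;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int main(void)
{
    printf("SECCOMP_RET_ERRNO|EPERM -> %d\n", run_under_filter(SECCOMP_RET_ERRNO | EPERM));
    printf("SECCOMP_RET_KILL        -> %d\n", run_under_filter(SECCOMP_RET_KILL));
    return 0;
}
```

With the ERRNO action the child gets -1/EPERM back from setpriority() and carries on to its own exit; with the KILL action the parent sees the child terminated by SIGSYS before it can react.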