No, there's not an upstream kernel bug. The kernel bugzilla isn't used
much and something like this typically plays out on the mailing list.
It may be useful to create a libseccomp issue but I'm not ready to do
that until I have a better idea about the kernel changes that are
needed.
** Changed in: snappy
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Changed in: snappy
Status: Confirmed => In Progress
https://bugs.launchpad.net/bugs/1567597
Title:
implement 'complain mode' in seccomp for developer mode with snaps
Status in Snappy:
In Progress
Status in libseccomp package in Ubuntu:
Confirmed
Bug description:
A requirement for snappy is that a snap may be placed in developer
mode which will put the security sandbox in complain mode such that
violations against policy are logged, but permitted. In this manner
learning tools can be written to parse the logs, etc., and make
developing on snappy easier.
Unfortunately, with seccomp only SCMP_ACT_KILL logs to dmesg, and while
we can set complain mode to permit all calls, they are not logged at
this time. I've discussed this with upstream and we are working
together on the approach. This may require a kernel patch and an
update to libseccomp, so filing this bug for now as a placeholder and
we'll add other tasks as necessary.
UPDATE: ubuntu-core-launcher now supports the '@complain' directive
that is a synonym for '@unrestricted' so people can at least turn on
developer mode and not be blocked by seccomp. Proper complain mode for
seccomp needs to still be implemented (this bug).
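What the bug asks for, shown with raw seccomp-bpf in C (an added example, not code from the bug, snappy or libseccomp): the same allow-list filter is built with SECCOMP_RET_KILL for enforcing mode or with SECCOMP_RET_LOG for complain mode, where a syscall outside the allow-list is audited and then permitted. It assumes Linux UAPI headers, an x86-64 host, and a kernel that knows SECCOMP_RET_LOG (the action later added upstream for this purpose; a fallback definition is given for older headers).

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Log-and-allow action, added to the kernel after this bug was filed, so older
 * headers may lack it; a kernel without it rejects the filter at install time
 * (EINVAL) rather than silently permitting the calls. */
#ifndef SECCOMP_RET_LOG
#define SECCOMP_RET_LOG 0x7ffc0000U
#endif
#define ARCH_NR AUDIT_ARCH_X86_64 /* assumption: x86-64 host */
/* Constructed allow-list; every other syscall gets the filter's default action. */
static const int allowed[] = { SYS_read, SYS_write, SYS_exit_group };
#define NALLOWED (sizeof(allowed) / sizeof(allowed[0]))
#define MAX_INSNS (4 + 2 * NALLOWED + 1)
#define STMT(code, k) ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))

/* Build the filter. default_action is SECCOMP_RET_KILL (enforcing) or
 * SECCOMP_RET_LOG (complain: audited, then permitted). Returns insn count. */
size_t build_filter(struct sock_filter *insns, uint32_t default_action)
{
    size_t n = 0;
    /* Kill on a foreign ABI: syscall numbers differ between architectures. */
    insns[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    insns[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    insns[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    insns[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NALLOWED; i++) {
        insns[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], 0, 1);
        insns[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    insns[n++] = STMT(BPF_RET | BPF_K, default_action); /* the only line that differs */
    return n;
}

/* Install on the calling thread; cannot be undone, and NO_NEW_PRIVS is
 * required for an unprivileged caller. */
int install_filter(uint32_t default_action)
{
    struct sock_filter insns[MAX_INSNS];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(insns, default_action), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

With the SECCOMP_RET_LOG variant installed, a denied call shows up as a seccomp audit record (the kernel logs it to the audit subsystem, visible in dmesg or auditd) while the process keeps running, which is the log-but-permit behaviour the learning tools described above would parse.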