** Also affects: libseccomp (Ubuntu)
   Importance: Undecided
       Status: New

** Summary changed:

- support 'complain mode' for developer mode with snaps
+ implement 'complain mode' in seccomp for developer mode with snaps

** Description changed:

  A requirement for snappy is that a snap may be placed in developer mode
  which will put the security sandbox in complain mode such that
  violations against policy are logged, but permitted. In this manner
  learning tools can be written to parse the logs, etc and make developing
  on snappy easier.
  
  Unfortunately with seccomp only SCMP_ACT_KILL logs to dmesg and while we
  can set complain mode to permit all calls, they are not logged at this
  time. I've discussed this with upstream and we are working together on
  the approach. This may require a kernel patch and an update to
  libseccomp, to filing this bug for now as a placeholder and we'll add
  other tasks as necessary.
+ 
+ UPDATE: ubuntu-core-launcher now supports the '@complain' directive that
+ is a synonym for '@unrestricted' so people can at least turn on
+ developer mode and not be blocked by seccomp. Proper complain mode for
+ seccomp needs to still be implemented (this bug).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1567597

Title:
  implement 'complain mode' in seccomp for developer mode with snaps
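
The description mentions learning tools that parse the logs of permitted-but-logged violations. A sketch of such a tool follows, as an added example that is not code from snappy, ubuntu-core-launcher or libseccomp. It assumes complain mode would emit the kernel's existing seccomp audit records (type=1326); the sample lines are constructed and the syscall table is a small x86_64 subset.

```python
import re
from collections import defaultdict

# Constructed dmesg excerpt: three seccomp records for one snap command,
# one unrelated AppArmor record, and one record from a 32-bit process.
SAMPLE_LOG = """\
[ 101.51] audit: type=1326 audit(1460131200.123:88): auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="hello" exe="/snap/hello/x1/bin/hello" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f1c2a3b4c5d code=0x0
[ 101.52] audit: type=1326 audit(1460131200.124:89): auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="hello" exe="/snap/hello/x1/bin/hello" sig=31 arch=c000003e syscall=49 compat=0 ip=0x7f1c2a3b4c90 code=0x0
[ 101.60] audit: type=1400 audit(1460131200.130:90): apparmor="ALLOWED" operation="open" profile="hello" name="/etc/hosts" pid=4242 comm="hello"
[ 101.73] audit: type=1326 audit(1460131200.140:91): auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="hello" exe="/snap/hello/x1/bin/hello" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f1c2a3b4c5d code=0x0
[ 102.10] audit: type=1326 audit(1460131201.001:92): auid=1000 uid=1000 gid=1000 ses=2 pid=4300 comm="tool" exe="/snap/hello/x1/bin/tool" sig=31 arch=40000003 syscall=102 compat=1 ip=0xf7700000 code=0x0
"""

AUDIT_ARCH_X86_64 = "c000003e"
# Subset of the x86_64 syscall table, enough for the sample above.
SYSCALLS_X86_64 = {41: "socket", 42: "connect", 49: "bind", 165: "mount"}

# Only type=1326 (seccomp) records carry the arch/syscall pair we need.
RECORD = re.compile(
    r'type=1326 .*?comm="(?P<comm>[^"]*)".*?'
    r'arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+)'
)

def learn(log_text):
    """Return {command: sorted syscall names} seen in seccomp records."""
    seen = defaultdict(set)
    for m in RECORD.finditer(log_text):
        nr, arch = int(m.group("nr")), m.group("arch")
        if arch == AUDIT_ARCH_X86_64 and nr in SYSCALLS_X86_64:
            name = SYSCALLS_X86_64[nr]
        else:
            # Numbers are per-architecture; never resolve them with the
            # wrong table. Keep the raw pair for manual review instead.
            name = f"{nr}@arch={arch}"
        seen[m.group("comm")].add(name)
    return {comm: sorted(names) for comm, names in seen.items()}

if __name__ == "__main__":
    for comm, names in learn(SAMPLE_LOG).items():
        print(f"{comm}: candidate policy additions: {', '.join(names)}")
```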
