Hey Tyler, thank you for the update, this looks very promising indeed. I'd like to ask about two aspects:
- detection: how can we detect that this feature is available? Shall we just compile a program and see if it loads on snapd startup?
- golang: we use golang bindings to libseccomp and we will need to adjust them to expose the new APIs (presumably). Is this something you plan to handle as well?

Thanks
ZK

On Mon, Aug 28, 2017 at 3:15 PM, Tyler Hicks <tyhi...@canonical.com> wrote:
> The kernel patches were committed to the Ubuntu Artful kernel git repo:
> https://lists.ubuntu.com/archives/kernel-team/2017-August/086714.html
>
> ** Changed in: linux (Ubuntu)
>        Status: In Progress => Fix Committed
>
> --
> You received this bug notification because you are a member of Snappy
> Developers, which is subscribed to Snappy.
> Matching subscriptions: xxx-bugs-on-snapd
> https://bugs.launchpad.net/bugs/1567597
>
> Title:
>   implement 'complain mode' in seccomp for developer mode with snaps
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/snappy/+bug/1567597/+subscriptions

--
https://bugs.launchpad.net/bugs/1567597

Title:
  implement 'complain mode' in seccomp for developer mode with snaps

Status in Snappy:
  In Progress
Status in libseccomp package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Fix Committed

Bug description:
  A requirement for snappy is that a snap may be placed in developer mode which will put the security sandbox in complain mode such that violations against policy are logged, but permitted. In this manner learning tools can be written to parse the logs, etc. and make developing on snappy easier.

  Unfortunately with seccomp only SCMP_ACT_KILL logs to dmesg and while we can set complain mode to permit all calls, they are not logged at this time. I've discussed this with upstream and we are working together on the approach.
  This may require a kernel patch and an update to libseccomp, so filing this bug for now as a placeholder and we'll add other tasks as necessary.

  UPDATE: ubuntu-core-launcher now supports the '@complain' directive that is a synonym for '@unrestricted' so people can at least turn on developer mode and not be blocked by seccomp. Proper complain mode for seccomp needs to still be implemented (this bug).
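As an added example for the detection question raised above (this is not code from the bug thread, snapd or libseccomp): on upstream Linux 4.14 and later, where the seccomp log action landed, a program can ask the kernel directly with seccomp(SECCOMP_GET_ACTION_AVAIL) for SECCOMP_RET_LOG, or read the action list in /proc/sys/kernel/seccomp/actions_avail. The constants, the proc path and the errno meanings below come from the upstream kernel UAPI, not from this page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/seccomp.h>

/* Linux 4.14 UAPI values, repeated in case the build host's headers predate them. */
#ifndef SECCOMP_GET_ACTION_AVAIL
#define SECCOMP_GET_ACTION_AVAIL 2
#endif
#ifndef SECCOMP_RET_LOG
#define SECCOMP_RET_LOG 0x7ffc0000U /* log the syscall, then allow it */
#endif

enum log_support { LOG_SUPPORTED = 0, LOG_UNSUPPORTED = 1, LOG_UNKNOWN = 2 };

/* Ask the kernel: seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) returns 0 if the
 * action is usable, EOPNOTSUPP if not, EINVAL if the kernel predates the query.
 * Anything else (e.g. EPERM from an outer sandbox denying seccomp(2)) is "unknown". */
enum log_support probe_log_action(void)
{
    uint32_t action = SECCOMP_RET_LOG;
    if (syscall(__NR_seccomp, SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
        return LOG_SUPPORTED;
    return (errno == EOPNOTSUPP || errno == EINVAL) ? LOG_UNSUPPORTED : LOG_UNKNOWN;
}

/* Syscall-free alternative: find an exact "log" token in the space-separated list from
 * /proc/sys/kernel/seccomp/actions_avail ("kill trap errno trace log allow"). 1 = present. */
int actions_avail_has_log(const char *list)
{
    for (const char *p = list; *p;) {
        while (*p == ' ' || *p == '\n') p++;
        const char *tok = p;
        while (*p && *p != ' ' && *p != '\n') p++;
        if (p - tok == 3 && strncmp(tok, "log", 3) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    static const char *names[] = { "supported", "unsupported", "unknown" };
    char buf[256] = { 0 };
    FILE *f = fopen("/proc/sys/kernel/seccomp/actions_avail", "r");
    int have = f != NULL;
    if (have) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    printf("seccomp(2) probe: log action %s\n", names[probe_log_action()]);
    printf("actions_avail: %s\n", !have ? "file missing" : actions_avail_has_log(buf) ? "lists log" : "no log");
    return 0;
}
```

Either check belongs before a complain-mode filter is built, so that on an older kernel snapd can fall back to the '@complain'/'@unrestricted' behaviour described in the bug instead of loading a filter that fails.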