I'm not done looking at this, but I have confirmed this is a bug in libseccomp,
so retargeting there. What is happening is that snap-confine is getting a
denial on geteuid (syscall 107) even though this syscall is included in the
filter. This indicates a problem in the filter setup in libseccomp and not
snap-confine itself, and this patch appears to fix the issue:
eece06525d58d08fe6bb20e5f635eb02fd8d6eee

However, that patch needs the following to be applied:
9ca83f455562fe8a972823d0e101cc71a8063547
206da04b8b2366d9efb963569bb89fe82ed2d1ba
61fee77783fd458739eb6104f13d53bddfa389ac

While with the above 4 patches applied the snap-confine testsuite
passes, the libseccomp internal testsuite has many failures. I'm now
investigating if it is better to continue cherry-picking patches or to
pull back 2.2.3 from xenial.

** Package changed: snap-confine (Ubuntu) => libseccomp (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1653487

Title:
  seccomp argument filtering not working on trusty(?)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libseccomp/+bug/1653487/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
