A status update is in order. We settled on a design that meets everyone's kernel needs. Those patches have been accepted into linux- next and they're on their way into 4.14.
https://lkml.kernel.org/r/%3C20170815220319.GA63342@beast%3E I've submitted Artful backports to the kernel team: https://lists.ubuntu.com/archives/kernel-team/2017-August/086691.html I've reached out to the libseccomp maintainer to discuss some design aspects that needed to be sorted out and now I've proposed a PR for libseccomp: https://github.com/seccomp/libseccomp/pull/92 I'll have a little more work to do on libseccomp-golang once the libseccomp PR is reviewed. Then I can start the SRUs. The snap-seccomp /snap-confine changes are straightforward and small so they shouldn't be a problem. Everything is finally coming together but there have been a lot of moving pieces (and people) involved in landing all the changes. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1567597 Title: implement 'complain mode' in seccomp for developer mode with snaps Status in Snappy: In Progress Status in libseccomp package in Ubuntu: Confirmed Status in linux package in Ubuntu: In Progress Bug description: A requirement for snappy is that a snap may be placed in developer mode which will put the security sandbox in complain mode such that violations against policy are logged, but permitted. In this manner learning tools can be written to parse the logs, etc and make developing on snappy easier. Unfortunately with seccomp only SCMP_ACT_KILL logs to dmesg and while we can set complain mode to permit all calls, they are not logged at this time. I've discussed this with upstream and we are working together on the approach. This may require a kernel patch and an update to libseccomp, to filing this bug for now as a placeholder and we'll add other tasks as necessary. UPDATE: ubuntu-core-launcher now supports the '@complain' directive that is a synonym for '@unrestricted' so people can at least turn on developer mode and not be blocked by seccomp. Proper complain mode for seccomp needs to still be implemented (this bug). To manage notifications about this bug go to: https://bugs.launchpad.net/snappy/+bug/1567597/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
