I'm not done looking at this, but I have confirmed this is a bug in libseccomp 
so retargeting there. What is happening is that snap-confine is getting a 
denial on geteuid (syscall 107) even though this syscall is included in the 
filter. This indicates a problem in the filter setup in libseccomp and not 
snap-confine itself and this patch appears to fix the issue:
eece06525d58d08fe6bb20e5f635eb02fd8d6eee

However, that patch needs the following to be applied:
9ca83f455562fe8a972823d0e101cc71a8063547
206da04b8b2366d9efb963569bb89fe82ed2d1ba
61fee77783fd458739eb6104f13d53bddfa389ac

While with the above 4 patches applied the snap-confine testsuite
passes, the libseccomp internal testsuite has many failures. I'm now
investigating if it is better to continue cherrypicking patches or to
pull back 2.2.3 from xenial.

** Package changed: snap-confine (Ubuntu) => libseccomp (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libseccomp in Ubuntu.
https://bugs.launchpad.net/bugs/1653487

Title:
  seccomp argument filtering not working on trusty(?)

Status in libseccomp package in Ubuntu:
  In Progress

Bug description:
  The snapd build on trusty for amd64 fails with the following error:
  """
  make[2]: Entering directory `/tmp/snapd-2.20.1~14.04/cmd/snap-confine/tests'
  ...
  PASS: test_restrictions_working
  FAIL: test_restrictions_working_args
  """
  (see https://launchpad.net/ubuntu/+source/snapd/2.20.1~14.04/+build/11759913)

  The same build works for i386 and armhf.

  I can reproduce this in a trusty chroot; upon further investigation it looks
  like the version of libseccomp (2.1.1) in trusty-proposed is the culprit.

  When I upgrade:
  """
  Upgrade: libseccomp2:amd64 (2.1.1-1ubuntu1~trusty1,
  2.2.3-2ubuntu1~ubuntu14.04.1), libseccomp-dev:amd64 (2.1.1-1ubuntu1~trusty1,
  2.2.3-2ubuntu1~ubuntu14.04.1)
  """
  all tests run fine. It looks like an issue with seccomp argument filtering
  (bpf) on 64-bit systems.
  This https://github.com/seccomp/libseccomp/releases/tag/v2.2.1 might include
  the missing fix; however, I have not looked in detail at what patch exactly
  we may need.

  Fwiw, we don't see this in spread because we build the package in the
  spread tests with `DEB_BUILD_OPTIONS='nocheck testkeys' dpkg-buildpackage`
  and we do not run the integration tests of snap-confine in anything else
  beside the package build (until
  https://github.com/snapcore/snapd/pull/2433/files is merged).
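Added example, not code from the bug report, snap-confine or libseccomp: a hand-written seccomp-BPF filter with an argument check, which is the kind of rule test_restrictions_working_args drives through libseccomp. The point it illustrates is the 64-bit wrinkle that makes argument filtering harder on amd64 than on i386 or armhf: each entry of `seccomp_data.args[]` is 64 bits wide, but classic BPF only loads 32-bit words, so a correct rule must compare both halves of the register. The `check_high` flag lets the low-word-only variant be compared with the correct one through a small cBPF interpreter, without installing the filter. The choice of getpriority(2), the allowed value, and the function names are assumptions made for this example, not a description of what the 2.1.1 bug actually is.

```c
/* Added example, not from the bug report, snap-confine or libseccomp.
 * Policy: kill on foreign arch; allow everything except getpriority, which
 * is allowed only when arg0 == WANT_WHICH and otherwise fails with EPERM.
 * Assumed: Linux headers and the x86_64 layout of struct seccomp_data;
 * syscall, values and names are chosen for illustration only. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define WANT_WHICH 2ULL   /* PRIO_USER: the only 'which' value we allow */
#define MAX_INSNS  16

/* Compound-literal wrappers so BPF_STMT/BPF_JUMP can be assigned. */
#define STMT(code, k)         ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))

/* args[] are __u64 but cBPF loads 32-bit words: two loads per argument
 * (little-endian, so the low word comes first). */
#define ARG_LO(i) ((uint32_t)(offsetof(struct seccomp_data, args) + 8 * (i)))
#define ARG_HI(i) (ARG_LO(i) + 4)

static size_t build_filter(struct sock_filter *out, int restricted,
                           uint64_t want, int check_high)
{
    size_t n = 0;
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    out[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)restricted, 1, 0);
    out[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0));
    if (check_high) {
        /* Correct: low word must match, then the high word must match too. */
        out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)want, 0, 3);
        out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(0));
        out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)(want >> 32), 0, 1);
    } else {
        /* Broken on 64-bit: ignores the high word of the register. */
        out[n++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)want, 0, 1);
    }
    out[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    out[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return n;
}

/* Minimal cBPF interpreter for the three opcodes build_filter() emits. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;  /* target = pc + 1 + off */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;  /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL;
}

/* Return action the filter would take for one syscall entry. */
static uint32_t decide(int check_high, uint32_t arch, int nr, uint64_t arg0)
{
    struct sock_filter prog[MAX_INSNS];
    size_t n = build_filter(prog, SYS_getpriority, WANT_WHICH, check_high);
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    return run_filter(prog, n, &d);
}

#ifdef __x86_64__
/* Install the correct variant for real and probe it with raw syscalls. */
int main(void)
{
    struct sock_filter prog[MAX_INSNS];
    struct sock_fprog fprog = { .filter = prog };
    fprog.len = (unsigned short)build_filter(prog, SYS_getpriority, WANT_WHICH, 1);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog)) {
        perror("prctl");
        return 1;
    }
    long r1 = syscall(SYS_getpriority, (long)WANT_WHICH, 0);   /* allowed */
    long r2 = syscall(SYS_getpriority, 0L, 0);                  /* EPERM   */
    int e2 = errno;
    /* Kernel truncates 'which' to int and would accept this; only the
     * filter sees the high bits, and the correct variant rejects it. */
    long r3 = syscall(SYS_getpriority, (long)((1ULL << 32) | WANT_WHICH), 0);
    printf("which=2 -> %ld; which=0 -> %ld (errno %d); which=2|1<<32 -> %ld\n",
           r1, r2, r2 < 0 ? e2 : 0, r3);
    return 0;
}
#endif
```

The interpreter exists only so the filter's decisions can be checked on any Linux host; the `main` installs the real filter on x86_64 and shows the same three cases against the kernel.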

