kernel-packages team mailing list archive

[Bug 1202161] Re: seccomp filter: execve(): Operation not permitted

 

When disabling AppArmor (boot option "apparmor=0"), seccomp-filter
works as expected.  According to [0], commit 259e5e6c was integrated
in the Ubuntu kernel patch without its successor (commit c29bceb3).
However, they are dependent on each other:

* commit 259e5e6c:

    Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
    set and AppArmor is in use.  It is fixed in a subsequent patch.

* commit c29bceb3:

    Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS


Joseph: is it possible to officially add the subsequent patch (commit
        c29bceb3) to the Ubuntu kernel patch?

[0] https://launchpad.net/ubuntu/+source/linux/3.8.0-19.29

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1202161

Title:
  seccomp filter: execve(): Operation not permitted

Status in “linux” package in Ubuntu:
  Incomplete

Bug description:
  === System information ===

  $ cat /proc/version_signature
  Ubuntu 3.8.0-19.13-lowlatency 3.8.8

  $ lsb_release -d
  Description: Ubuntu 13.04

  
  === How to reproduce ===

  $ gcc seccomp-filter.c
  $ ./a.out

  
  === Expected output ===

  OK

  
  === Actual output ===

  execve(): Operation not permitted
  status = -1

  
  === Extra information ===

  This testcase works with "vanilla" kernels (tested: v3.8 & v3.10)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1202161/+subscriptions
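
A minimal probe for the behaviour discussed in this thread, added here as an illustration; it is not the reporter's seccomp-filter.c, which is not reproduced on this page. It sets PR_SET_NO_NEW_PRIVS in a child process, optionally installs an allow-all seccomp filter, and reports whether execve() fails with EPERM. The function names, result codes and the /bin/sh probe target are assumptions.

```c
/* Added example: probe for execve() failing with EPERM under no_new_privs. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

enum { NNP_EXEC_OK = 0, NNP_EXEC_EPERM = 2, NNP_EXEC_OTHER = 3, NNP_SETUP_FAILED = 4 };

/* Runs in a forked child so the caller's own process is left unrestricted. */
static void child(int with_filter)
{
    /* Allow-all filter: any EPERM seen below cannot come from the filter. */
    struct sock_filter insns[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = insns };
    char *argv[] = { "sh", "-c", "exit 0", NULL };   /* assumed probe target */
    char *envp[] = { NULL };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        _exit(NNP_SETUP_FAILED);
    if (with_filter && prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        _exit(NNP_SETUP_FAILED);
    execve("/bin/sh", argv, envp);
    _exit(errno == EPERM ? NNP_EXEC_EPERM : NNP_EXEC_OTHER);  /* execve returned */
}

/* Returns one of the NNP_* codes describing what happened in the child. */
int check_nnp_execve(int with_filter)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return NNP_SETUP_FAILED;
    if (pid == 0)
        child(with_filter);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return NNP_SETUP_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = check_nnp_execve(1);
    puts(r == NNP_EXEC_EPERM ? "execve(): Operation not permitted"
                             : r == NNP_EXEC_OK ? "OK" : "inconclusive");
    return r;
}
```

Running it once with AppArmor enabled and once with the "apparmor=0" boot option separates the AppArmor interaction from the seccomp filter itself.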

