
kernel-packages team mailing list archive

[Bug 1509489] Re: [SRU] seccomp filters backport for Mako


This bug was fixed in the package linux-mako - 3.4.0-7.40

---------------
linux-mako (3.4.0-7.40) xenial; urgency=low

  [ Kyle Fazzari ]

  * SAUCE: Enable SECCOMP_FILTER on mako.
    - LP: #1509489
  * SAUCE: Remove fake no_new_privs.
    - LP: #1509489
  * SAUCE: Make sure userspace sees an ENOSYS for no tracer.
    - LP: #1509489
  * SAUCE: Add seccomp selftests.
    - LP: #1509489

  [ Upstream Kernel Changes ]

  * Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
    - LP: #1509489
  * Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS
    - LP: #1509489
  * sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W
    - LP: #1509489
  * net/compat.c,linux/filter.h: share compat_sock_fprog
    - LP: #1509489
  * seccomp: kill the seccomp_t typedef
    - LP: #1509489
  * asm/syscall.h: add syscall_get_arch
    - LP: #1509489
  * arch/x86: add syscall_get_arch to syscall.h
    - LP: #1509489
  * seccomp: add system call filtering using BPF
    - LP: #1509489
  * seccomp: remove duplicated failure logging
    - LP: #1509489
  * seccomp: add SECCOMP_RET_ERRNO
    - LP: #1509489
  * signal, x86: add SIGSYS info and make it synchronous.
    - LP: #1509489
  * seccomp: Add SECCOMP_RET_TRAP
    - LP: #1509489
  * ptrace,seccomp: Add PTRACE_SECCOMP support
    - LP: #1509489
  * x86: Enable HAVE_ARCH_SECCOMP_FILTER
    - LP: #1509489
  * Documentation: prctl/seccomp_filter
    - LP: #1509489
  * seccomp: use a static inline for a function stub
    - LP: #1509489
  * seccomp: ignore secure_computing return values
    - LP: #1509489
  * seccomp: fix build warnings when there is no CONFIG_SECCOMP_FILTER
    - LP: #1509489
  * samples/seccomp: fix dependencies on arch macros
    - LP: #1509489
  * ARM: 7373/1: add support for the generic syscall.h interface
    - LP: #1509489
  * ARM: 7374/1: add TRACEHOOK support
    - LP: #1509489
  * ARM: 7456/1: ptrace: provide separate functions for tracing syscall
    {entry,exit}
    - LP: #1509489
  * ARM: 7577/1: arch/add syscall_get_arch
    - LP: #1509489
  * ARM: 7578/1: arch/move secure_computing into trace
    - LP: #1509489
  * ARM: 7579/1: arch/allow a scno of -1 to not cause a SIGILL
    - LP: #1509489
  * ARM: 7580/1: arch/select HAVE_ARCH_SECCOMP_FILTER
    - LP: #1509489

 -- Tim Gardner <tim.gardner@xxxxxxxxxxxxx>  Wed, 28 Oct 2015 09:44:02 -0600

** Changed in: linux-mako (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-mako in Ubuntu.
https://bugs.launchpad.net/bugs/1509489

Title:
  [SRU] seccomp filters backport for Mako

Status in linux-mako package in Ubuntu:
  Fix Released

Bug description:
  [Impact]

   * The snappy confinement model utilizes both apparmor and seccomp
  filters, and while the former is supported by the phone kernel, the
  latter is not. Snappy cannot be used on the mako, krillin, or vegetahd
  without seccomp filters being backported.

  [Test Case]

   * Run the tests located here:

         http://kernel.ubuntu.com/git/kyrofa/ubuntu-vivid.git/tree/tools/testing/selftests/seccomp?h=backport_seccomp_filters&id=555777b2449cb4a69604998e8550001231a0f6af

     They will fail without this change.

  [Regression Potential]

   * Potential AppArmor regression regarding its use of no_new_privs,
  since it was previously a fake implementation to facilitate the v3
  backport.

  [Other Info]

   * Backport is from mainline.
   * Backport only includes seccomp filters introduced in v3.5 (e.g. does not include syscall or tsync).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-mako/+bug/1509489/+subscriptions
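Added example (not part of this bug report, the linux-mako changelog, or the selftests linked above): a minimal user of the interface this backport enables. It installs a classic-BPF seccomp filter through prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER), i.e. the v3.5 API, and deliberately avoids seccomp(2) and SECCOMP_FILTER_FLAG_TSYNC, which [Other Info] says the backport does not include. It also shows why the "fake no_new_privs" had to go: PR_SET_NO_NEW_PRIVS is the precondition the kernel checks before an unprivileged process may install a filter. Assumptions: getpgid(2) is used as the syscall to deny purely because nothing in the C runtime calls it; the AUDIT_ARCH_* mapping covers only x86, x86-64, ARM and AArch64; and a failing PR_SET_SECCOMP is reported as "unsupported" rather than distinguishing EINVAL (no CONFIG_SECCOMP_FILTER, the state this bug fixes) from a sandbox that forbids the prctl.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumption: the AUDIT_ARCH_* value for the ABI this binary was built for.
 * The filter checks it first, which is why the backport needs
 * syscall_get_arch() on ARM (the "ARM: 7577/1" patch in the changelog). */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__arm__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_ARM
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Classic BPF program: kill on a foreign ABI, fail getpgid(2) with EPERM
 * (SECCOMP_RET_ERRNO carries the errno in its low 16 bits), allow the rest.
 * getpgid was chosen only because nothing in the C runtime calls it. */
static struct sock_filter deny_getpgid_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpgid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter with the v3.5 prctl interface (no seccomp(2), no
 * SECCOMP_FILTER_FLAG_TSYNC: the backport does not carry those).
 * Returns 0, or -1 with errno left as the failing prctl set it. */
int install_deny_getpgid(void)
{
    struct sock_fprog prog = {
        .len = sizeof(deny_getpgid_filter) / sizeof(deny_getpgid_filter[0]),
        .filter = deny_getpgid_filter,
    };

    /* no_new_privs is a precondition for an unprivileged filter install:
     * otherwise a filter answering SECCOMP_RET_ERRNO to setuid()/setgid()
     * could leave a setuid child running with privileges it never dropped.
     * This is the check the "fake no_new_privs" SAUCE patch used to stub. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* 0 if getpgid(2) succeeded, otherwise the errno the kernel handed back. */
int probe_getpgid(void)
{
    errno = 0;
    if (syscall(__NR_getpgid, 0) == -1)
        return errno;
    return 0;
}

enum { DEMO_FAILED = -1, DEMO_UNSUPPORTED = 0, DEMO_BLOCKED = 1 };

/* End-to-end check of the filter in the calling process. Safe to call
 * more than once: a filter, once installed, stays for the process lifetime. */
int run_demo(void)
{
    int before = probe_getpgid();
    if (before == EPERM)
        return DEMO_BLOCKED;        /* filter already active in this process */
    if (before != 0)
        return DEMO_FAILED;         /* getpgid must work before filtering */
    if (install_deny_getpgid() != 0)
        return DEMO_UNSUPPORTED;    /* EINVAL: kernel without SECCOMP_FILTER */
    if (probe_getpgid() != EPERM)
        return DEMO_FAILED;         /* installed, but the filter did not fire */
    if (getpid() <= 0)
        return DEMO_FAILED;         /* unrelated syscalls must still pass */
    return DEMO_BLOCKED;
}

int main(void)
{
    switch (run_demo()) {
    case DEMO_BLOCKED:
        puts("seccomp filter active: getpgid -> EPERM, getpid still works");
        return 0;
    case DEMO_UNSUPPORTED:
        puts("kernel refused SECCOMP_MODE_FILTER (no CONFIG_SECCOMP_FILTER?)");
        return 0;
    default:
        puts("unexpected result");
        return 1;
    }
}
```

On a linux-mako kernel before 3.4.0-7.40 the PR_SET_NO_NEW_PRIVS or PR_SET_SECCOMP call fails with EINVAL and the program reports the unsupported path; on the fixed kernel getpgid(2) returns EPERM while every other syscall is untouched. SECCOMP_RET_KILL on an ABI mismatch is the conservative choice: a filter that matched syscall numbers from the wrong table would silently allow the wrong calls.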

