kernel-packages team mailing list archive

Thread
Date

[Bug 1509489] Re: [SRU] seccomp filters backport for Mako

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Tim Gardner <tim.gardner@xxxxxxxxxxxxx>
Date: Thu, 29 Oct 2015 19:16:46 -0000
Reply-to: Bug 1509489 <1509489@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: linux-mako (Ubuntu Xenial)
   Importance: Undecided
       Status: Fix Released

** Also affects: linux-mako (Ubuntu Wily)
   Importance: Undecided
       Status: New

** Also affects: linux-mako (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Changed in: linux-mako (Ubuntu Wily)
       Status: New => Fix Committed

** Changed in: linux-mako (Ubuntu Wily)
     Assignee: (unassigned) => Kyle Fazzari (kyrofa)

** Changed in: linux-mako (Ubuntu Vivid)
       Status: New => Fix Committed

** Changed in: linux-mako (Ubuntu Vivid)
     Assignee: (unassigned) => Kyle Fazzari (kyrofa)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-mako in Ubuntu.
https://bugs.launchpad.net/bugs/1509489

Title:
  [SRU] seccomp filters backport for Mako

Status in linux-mako package in Ubuntu:
  Fix Released
Status in linux-mako source package in Vivid:
  Fix Committed
Status in linux-mako source package in Wily:
  Fix Committed
Status in linux-mako source package in Xenial:
  Fix Released

Bug description:
  [Impact]

   * The snappy confinement model utilizes both apparmor and seccomp
  filters, and while the former is supported by the phone kernel, the
  latter is not. Snappy cannot be used on the mako, krillin, or vegetahd
  without seccomp filters being backported.

  [Test Case]

   * Run the tests located here:

         http://kernel.ubuntu.com/git/kyrofa/ubuntu-
  vivid.git/tree/tools/testing/selftests/seccomp?h=backport_seccomp_filters&id=555777b2449cb4a69604998e8550001231a0f6af

     They will fail without this change.

  [Regression Potential]

   * Potential AppArmor regression regarding its use of no_new_privs,
  since it was previously a fake implementation to facilitate the v3
  backport.

  [Other Info]

   * Backport is from mainline.
   * Backport only includes seccomp filters introduced in v3.5 (e.g. does not include syscall or tsync).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-mako/+bug/1509489/+subscriptions

References

[Bug 1509489] [NEW] No support for seccomp filters
From: Kyle Fazzari, 2015-10-23