implement 'complain mode' in seccomp for developer mode with snaps

What's the benefit of a complain mode for seccomp in snappyland? AppArmor denials can usually be addressed by changing ./configure flags or hardcoded paths or something, but there's not much to be done for "this application uses syscalls we forbid" except eliding the syscalls from the source, right?

Allowing it to run without trouble feels like it provides a false sense of progress or control when none is intended.

Thanks

Is there a bug about is in upstream libseccomp or kernel bugzilla?

No, there's not an upstream kernel bug. The kernel bugzilla isn't used much and something like this typically plays out on the mailing list.

It may be useful to create a libseccomp issue but I'm not ready to do that until I have a better idea about the kernel changes that are needed.

Does it make sense to move this back from "in-progress" to "triaged"?

No, it is actually in-progress now:

http://lkml.iu.edu/hypermail/linux/kernel/1701.0/00452.html
http://lkml.iu.edu/hypermail/linux/kernel/1701.0/00472.html
https://github.com/seccomp/libseccomp/pull/64

Vacation time and a sprint last week have kept me from working on a second revision of the patches but that should happen this week.

\o/ Thank you Tyler!

A status update is in order. We settled on a design that meets everyone's kernel needs. Those patches have been accepted into linux-next and they're on their way into 4.14.

  https://lkml.kernel.org/r/%3C20170815220319.GA63342@beast%3E

I've submitted Artful backports to the kernel team:

  https://lists.ubuntu.com/archives/kernel-team/2017-August/086691.html

I've reached out to the libseccomp maintainer to discuss some design aspects that needed to be sorted out and now I've proposed a PR for libseccomp:

  https://github.com/seccomp/libseccomp/pull/92

I'll have a little more work to do on libseccomp-golang once the libseccomp PR is reviewed. Then I can start the SRUs. The snap-seccomp/snap-confine changes are straightforward and small so they shouldn't be a problem.

Everything is finally coming together but there have been a lot of moving pieces (and people) involved in landing all the changes.

Thanks for the update, Tyler. I know this has been a long road, but the cumulative effect of everyone's hard work on this particular front will be huge. I'm very much looking forward to this.

The kernel patches were committed to the Ubuntu Artful kernel git repo: https://lists.ubuntu.com/archives/kernel-team/2017-August/086714.html

Hey Tyler, thank you for the update, this looks very promising indeed.

I'd like to ask about two aspects:

- detection, how can we detect that this feature is available? Shall
we just compile a program and see if it loads on snapd startup?
- golang, we use golang bindings to libseccomp and we will need to
adjust them to expose the new APIs (presumably). Is this something you
plan to handle as well?

Thanks
ZK

On Mon, Aug 28, 2017 at 3:15 PM, Tyler Hicks <email address hidden> wrote:
> The kernel patches were committed to the Ubuntu Artful kernel git repo:
> https://lists.ubuntu.com/archives/kernel-team/2017-August/086714.html
>
> ** Changed in: linux (Ubuntu)
> Status: In Progress => Fix Committed
>
> --
> You received this bug notification because you are a member of Snappy
> Developers, which is subscribed to Snappy.
> Matching subscriptions: xxx-bugs-on-snapd
> https://bugs.launchpad.net/bugs/1567597
>
> Title:
> implement 'complain mode' in seccomp for developer mode with snaps
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/snappy/+bug/1567597/+subscriptions

@zyga those are both good questions.

- Detection functionality is included in kernel patches. There's a new seccomp(2) operation to check if the log action is available and an added test to ensure that there's a certain combination of valid/invalid seccomp(2) arguments that can be used to detect if the log filter flag is available. Both of these checks will be embedded into libseccomp and the checks will be carried out when the calling code specifies actions and filter flags.

- Making the necessary libseccomp-golang changes is something that I plan to do. I need to hear back from the libseccomp PR first and then will proceed to make the libseccomp-golang changes that match the libseccomp changes.

This bug was fixed in the package linux - 4.12.0-13.14

---------------
linux (4.12.0-13.14) artful; urgency=low

  * linux: 4.12.0-13.14 -proposed tracker (LP: #1714687)

  * vhost guest network randomly drops under stress (kvm) (LP: #1711251)
    - Revert "vhost: cache used event for better performance"

  * EDAC sbridge: Failed to register device with error -22. (LP: #1714112)
    - [Config] CONFIG_EDAC_GHES=n

  * Artful update to v4.12.10 stable release (LP: #1714525)
    - sparc64: remove unnecessary log message
    - bonding: require speed/duplex only for 802.3ad, alb and tlb
    - bonding: ratelimit failed speed/duplex update warning
    - af_key: do not use GFP_KERNEL in atomic contexts
    - dccp: purge write queue in dccp_destroy_sock()
    - dccp: defer ccid_hc_tx_delete() at dismantle time
    - ipv4: fix NULL dereference in free_fib_info_rcu()
    - net_sched/sfq: update hierarchical backlog when drop packet
    - net_sched: remove warning from qdisc_hash_add
    - bpf: fix bpf_trace_printk on 32 bit archs
    - net: igmp: Use ingress interface rather than vrf device
    - openvswitch: fix skb_panic due to the incorrect actions attrlen
    - ptr_ring: use kmalloc_array()
    - ipv4: better IP_MAX_MTU enforcement
    - nfp: fix infinite loop on umapping cleanup
    - tun: handle register_netdevice() failures properly
    - sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
    - tipc: fix use-after-free
    - ipv6: reset fn->rr_ptr when replacing route
    - ipv6: repair fib6 tree in failure case
    - tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
    - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled
    - irda: do not leak initialized list.dev to userspace
    - net: sched: fix NULL pointer dereference when action calls some targets
    - net_sched: fix order of queue length updates in qdisc_replace()
    - bpf, verifier: add additional patterns to evaluate_reg_imm_alu
    - bpf: fix mixed signed/unsigned derived min/max value bounds
    - bpf/verifier: fix min/max handling in BPF_SUB
    - Input: trackpoint - add new trackpoint firmware ID
    - Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310
    - Input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad
    - KVM: s390: sthyi: fix sthyi inline assembly
    - KVM: s390: sthyi: fix specification exception detection
    - KVM: x86: simplify handling of PKRU
    - KVM, pkeys: do not use PKRU value in vcpu->arch.guest_fpu.state
    - KVM: x86: block guest protection keys unless the host has them enabled
    - ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets
    - ALSA: core: Fix unexpected error at replacing user TLV
    - ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
    - ALSA: firewire: fix NULL pointer dereference when releasing uninitialized
      data of iso-resource
    - ALSA: firewire-motu: destroy stream data surely at failure of card
      initialization
    - ARCv2: SLC: Make sure busy bit is set properly for region ops
    - ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses
    - ARCv2: PAE40: set MSB even if !CONFIG_ARC_HAS_...

SCMP_ACT_LOG test for libseccomp.

Debdiff to consider for Artful FFe. (I don't need sponsorship)

Clean Artful amd64 build log.

I had previously attached a slightly old version of the lp1567597-test.c program that contained a mistake. I'm now attaching the corrected version after fetching it from my testing VM.

Looks good to me. Delta on libseccomp is small and self contained and aligns with what has been included in the upstream kernel.

FFe granted

Thanks! I've uploaded the libseccomp package to artful-proposed.

This bug was fixed in the package libseccomp - 2.3.1-2.1ubuntu2

---------------
libseccomp (2.3.1-2.1ubuntu2) artful; urgency=medium

  * add-log-action.patch: Minimal backport to support the SECCOMP_RET_LOG
    action that will be released in Linux kernel version 4.14. (LP: #1567597)

 -- Tyler Hicks <email address hidden> Tue, 19 Sep 2017 21:37:38 +0000

The Xenial and Zesty kernel patch sets have been sent to the kernel team:

https://lists.ubuntu.com/archives/kernel-team/2017-October/087448.html
https://lists.ubuntu.com/archives/kernel-team/2017-October/087456.html

I've uploaded a libseccomp SRU to zesty-proposed. The Xenial SRU is going to be trickier. It may require bring Zesty's libseccomp back to Xenial due to the current version of libseccomp in Xenial not fully supporting the seccomp(2) system call. That system call is needed to verify kernel support of the SECCOMP_RET_LOG action that's needed for devmode.

Here's the kernel test case that I mentioned in the bug description.

Hello Jamie, or anyone else affected,

Accepted libseccomp into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libseccomp/2.3.1-2.1ubuntu2~17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hi - I tested the libseccomp SRU in Zesty using the following libseccomp package version:

 - libseccomp2 2.3.1-2.1ubuntu2~17.04.1

I tested it with the following kernels:

 - linux-image-4.10.0-37-generic 4.10.0-37.41
   + does not contain seccomp logging patches
 - linux-image-4.10.0-38-generic 4.10.0-38.42
   + contains seccomp logging patches
   + installed from zesty-proposed

The libseccomp SRU testing was successful and followed what's documented in the [libseccomp Test Case] section of this bug description.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

I tested the linux kernel SRU in Xenial and Zesty using the following linux package versions:

 - xenial: linux-image-4.4.0-98-generic 4.4.0-98.121
 - zesty: linux-image-4.10.0-38-generic 4.10.0-38.42

The linux kernel SRU testing was successful and followed what's documented in the [Linux Kernel Test Case] section of this bug description. The accompanying libseccomp SRU has not been accepted into xenial-proposed yet so I was unable to test lp1567597-test.c (although I could test with lp1567597-kernel-test.c), as documented in the [libseccomp Test Case] section but that's not a problem as the lp1567597-kernel-test.c program and kernel selftests are sufficient.

This bug was fixed in the package libseccomp - 2.3.1-2.1ubuntu2~17.04.1

---------------
libseccomp (2.3.1-2.1ubuntu2~17.04.1) zesty; urgency=medium

  * Backport artful's libseccomp to zesty (LP: #1567597)
    - Add support for the SECCOMP_RET_LOG action

libseccomp (2.3.1-2.1ubuntu2) artful; urgency=medium

  * add-log-action.patch: Minimal backport to support the SECCOMP_RET_LOG
    action that will be released in Linux kernel version 4.14. (LP: #1567597)

 -- Tyler Hicks <email address hidden> Fri, 06 Oct 2017 18:43:11 +0000

The verification of the Stable Release Update for libseccomp has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package linux - 4.10.0-38.42

---------------
linux (4.10.0-38.42) zesty; urgency=low

  * linux: 4.10.0-38.42 -proposed tracker (LP: #1722330)

  * Controller lockup detected on ProLiant DL380 Gen9 with P440 Controller
    (LP: #1720359)
    - scsi: hpsa: limit transfer length to 1MB

  * [Dell Docking IE][0bda:8153] Realtek USB Ethernet leads to system hang
    (LP: #1720977)
    - r8152: fix the list rx_done may be used without initialization

  * Touchpad not detected in Lenovo X1 Yoga / Yoga 720-15IKB (LP: #1700657)
    - mfd: intel-lpss: Add missing PCI ID for Intel Sunrise Point LPSS devices

  * Add installer support for Broadcom BCM573xx network drivers. (LP: #1720466)
    - d-i: Add bnxt_en to nic-modules.

  * CVE-2017-1000252
    - KVM: VMX: Do not BUG() on out-of-bounds guest IRQ

  * CVE-2017-10663
    - f2fs: sanity check checkpoint segno and blkoff

  * xfstest sanity checks on seek operations fails (LP: #1696049)
    - xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff()

  * [P9, Power NV][ WSP][Ubuntu 16.04.03] : perf hw breakpoint command results
    in call traces and system goes for reboot. (LP: #1706033)
    - powerpc/64s: Handle data breakpoints in Radix mode

  * 5U84 - ses driver isn't binding right - cannot blink lights on 1 of the 2
    5u84 (LP: #1693369)
    - scsi: ses: do not add a device to an enclosure if enclosure_add_links()
      fails.

  * Vlun resize request could fail with cxlflash driver (LP: #1713575)
    - scsi: cxlflash: Fix vlun resize failure in the shrink path

  * More migrations with constant load (LP: #1713576)
    - sched/fair: Prefer sibiling only if local group is under-utilized

  * New PMU fixes for marked events. (LP: #1716491)
    - powerpc/perf: POWER9 PMU stops after idle workaround

  * CVE-2017-14340
    - xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present

  * [Zesty][Yakkety] rtl8192e bug fixes (LP: #1698470)
    - staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.
    - staging: rtl8192e: fix 2 byte alignment of register BSSIDR.
    - staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD.
    - staging: rtl8192e: GetTs Fix invalid TID 7 warning.

  * Stranded with ENODEV after mdadm --readonly (LP: #1706243)
    - md: MD_CLOSING needs to be cleared after called md_set_readonly or
      do_md_stop

  * multipath -ll is not showing the disks which are actually multipath
    (LP: #1718397)
    - fs: aio: fix the increment of aio-nr and counting against aio-max-nr

  * ETPS/2 Elantech Touchpad inconsistently detected (Gigabyte P57W laptop)
    (LP: #1594214)
    - Input: i8042 - add Gigabyte P57 to the keyboard reset table

  * CVE-2017-10911
    - xen-blkback: don't leak stack data via response ring

  * CVE-2017-11176
    - mqueue: fix a use-after-free in sys_mq_notify()

  * implement 'complain mode' in seccomp for developer mode with snaps
    (LP: #1567597)
    - Revert "UBUNTU: SAUCE: seccomp: log actions even when audit is disabled"
    - seccomp: Provide matching filter for introspection
    - seccomp: Sysctl to display available actions
    - seccomp: Operation for checking if an a...

This bug was fixed in the package linux - 4.4.0-98.121

---------------
linux (4.4.0-98.121) xenial; urgency=low

  * linux: 4.4.0-98.121 -proposed tracker (LP: #1722299)

  * Controller lockup detected on ProLiant DL380 Gen9 with P440 Controller
    (LP: #1720359)
    - scsi: hpsa: limit transfer length to 1MB

  * [Dell Docking IE][0bda:8153] Realtek USB Ethernet leads to system hang
    (LP: #1720977)
    - r8152: fix the list rx_done may be used without initialization

  * Add installer support for Broadcom BCM573xx network drivers. (LP: #1720466)
    - d-i: Add bnxt_en to nic-modules.

  * snapcraft.yaml: add dpkg-dev to the build deps (LP: #1718886)
    - snapcraft.yaml: add dpkg-dev to the build deps

  * Support setting I2C_TIMEOUT via ioctl for i2c-designware (LP: #1718578)
    - i2c: designware: Use transfer timeout from ioctl I2C_TIMEOUT

  * 5U84 - ses driver isn't binding right - cannot blink lights on 1 of the 2
    5u84 (LP: #1693369)
    - scsi_transport_sas: add function to get SAS endpoint address
    - ses: fix discovery of SATA devices in SAS enclosures
    - scsi: sas: provide stub implementation for scsi_is_sas_rphy
    - scsi: ses: Fix SAS device detection in enclosure

  * multipath -ll is not showing the disks which are actually multipath
    (LP: #1718397)
    - fs: aio: fix the increment of aio-nr and counting against aio-max-nr

  * Support Dell Wireless DW5819/5818 WWAN devices (LP: #1721455)
    - SAUCE: USB: serial: qcserial: add Dell DW5818, DW5819

  * CVE-2017-10911
    - xen-blkback: don't leak stack data via response ring

  * implement 'complain mode' in seccomp for developer mode with snaps
    (LP: #1567597)
    - seccomp: Provide matching filter for introspection
    - seccomp: Sysctl to display available actions
    - seccomp: Operation for checking if an action is available
    - seccomp: Sysctl to configure actions that are allowed to be logged
    - seccomp: Selftest for detection of filter flag support
    - seccomp: Action to log before allowing

  * implement errno action logging in seccomp for strict mode with snaps
    (LP: #1721676)
    - seccomp: Provide matching filter for introspection
    - seccomp: Sysctl to display available actions
    - seccomp: Operation for checking if an action is available
    - seccomp: Sysctl to configure actions that are allowed to be logged
    - seccomp: Selftest for detection of filter flag support
    - seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW

  * [Xenial] update OpenNSL kernel modules to 6.5.10 (LP: #1721511)
    - SAUCE: update OpenNSL kernel modules to 6.5.10

  * Xenial update to 4.4.90 stable release (LP: #1721550)
    - cifs: release auth_key.response for reconnect.
    - mac80211: flush hw_roc_start work before cancelling the ROC
    - KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()
    - tracing: Fix trace_pipe behavior for instance traces
    - tracing: Erase irqsoff trace with empty write
    - md/raid5: fix a race condition in stripe batch
    - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
    - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse
      nlms...

I've successfully performed the testing described in the [libseccomp Test Case] section of this bug description using libseccomp 2.3.1-2.1ubuntu2~16.04.1 from xenial-proposed.

This is fixed in xenial 2.3.1-2.1ubuntu2~16.04.1

This has been fixed now. Marking it as such.