[SRU][Mako] seccomp filters backport

Kyle Fazzari kyle.fazzari at canonical.com
Tue Oct 27 19:22:35 UTC 2015


This email contains the justification for the backport of seccomp
filters to Mako. Following this email will be two others containing
identical backports: one for wily, and one for vivid.

BugLink: http://bugs.launchpad.net/bugs/1509489

[Impact]

* The snappy confinement model utilizes both apparmor and seccomp
filters, and while the former is supported by the phone kernel, the
latter is not. Snappy cannot be used on the mako, krillin, or vegetahd
without seccomp filters being backported.

[Test Case]

* Run the tests located here:

http://kernel.ubuntu.com/git/kyrofa/ubuntu-vivid.git/tree/tools/testing/selftests/seccomp?h=backport_seccomp_filters&id=555777b2449cb4a69604998e8550001231a0f6af

They will fail without this change.

[Regression Potential]

* Potential AppArmor regression regarding its use of no_new_privs, since
it was previously a fake implementation to facilitate the v3 backport.

[Other Info]

* Backport is from mainline.
* Backport only includes seccomp filters introduced in v3.5 (e.g. does
not include syscall or tsync).

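Added example, not part of the original email or of the linked selftests: a small C probe for the two kernel features the message depends on, a working no_new_privs flag and seccomp filter mode with the v3.5 `SECCOMP_RET_ERRNO` action. The function names, result codes and the `DENY_ERRNO` marker are assumptions made for this example.

```c
#define _GNU_SOURCE /* for syscall() */
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Result codes and marker errno are hypothetical, chosen for this example. */
enum { PROBE_OK, PROBE_NO_NNP, PROBE_NO_FILTER, PROBE_NOT_ENFORCED };
#define DENY_ERRNO EXDEV

/* Deny `nr` with `err`, allow the rest; real filters must check arch first. */
static size_t build_filter(struct sock_filter *f, int nr, int err)
{
    f[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                        offsetof(struct seccomp_data, nr));
    f[1] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nr, 0, 1);
    f[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | err);
    f[3] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return 4;
}

/* Runs in a throwaway child: an installed filter cannot be removed. */
static int probe_child(void)
{
    struct sock_filter insns[4];
    struct sock_fprog prog = { .filter = insns };
    prog.len = (unsigned short)build_filter(insns, __NR_getppid, DENY_ERRNO);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)
        return PROBE_NO_NNP;    /* flag unsupported or not actually recorded */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return PROBE_NO_FILTER; /* filter mode missing or install refused */
    return (syscall(__NR_getppid) == -1 && errno == DENY_ERRNO)
               ? PROBE_OK : PROBE_NOT_ENFORCED;
}

int probe_seccomp_filter(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) _exit(probe_child());
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
int main(void) { return probe_seccomp_filter(); }
```

The process exit status is the result code: 0 means the filter was installed and enforced, 2 is what a kernel without filter mode is expected to report.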