APPLIED: [SRU][Mako] seccomp filters backport

Tim Gardner tim.gardner at canonical.com
Thu Oct 29 20:08:44 UTC 2015


On 10/27/2015 01:22 PM, Kyle Fazzari wrote:
> This email contains the justification for the backport of seccomp
> filters to Mako. Following this email will be two others containing
> identical backports: one for wily, and one for vivid.
>
> BugLink: http://bugs.launchpad.net/bugs/1509489
>
> [Impact]
>
> * The snappy confinement model utilizes both apparmor and seccomp
> filters, and while the former is supported by the phone kernel, the
> latter is not. Snappy cannot be used on the mako, krillin, or vegetahd
> without seccomp filters being backported.
>
> [Test Case]
>
> * Run the tests located here:
>
> http://kernel.ubuntu.com/git/kyrofa/ubuntu-vivid.git/tree/tools/testing/selftests/seccomp?h=backport_seccomp_filters&id=555777b2449cb4a69604998e8550001231a0f6af
>
> They will fail without this change.
>
> [Regression Potential]
>
> * Potential AppArmor regression regarding its use of no_new_privs, since
> it was previously a fake implementation to facilitate the v3 backport.
>
> [Other Info]
>
> * Backport is from mainline.
> * Backport only includes seccomp filters introduced in v3.5 (e.g. does
> not include syscall or tsync).
>
>
>

Uploaded Vivid/Wily to 
https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa 
awaiting AA review.

rtg
-- 
Tim Gardner tim.gardner at canonical.com




More information about the kernel-team mailing list