[PATCH 0/8][Artful] Improved seccomp logging

Tyler Hicks tyhicks at canonical.com
Fri Aug 25 23:08:23 UTC 2017


This is a backport of a patch set that improves seccomp logging controls for
applications and for administrators. Snappy needs these patches in order to
provide proper logging of syscalls that are not allowed while running in
developer mode. Snappy also needs these patches in order to move away from the
default action of killing snaps when they bump into the sandbox walls and,
instead, return an errno that is properly logged.

The patches have been acked by seccomp maintainer Kees Cook and they've been
pulled into James Morris' security tree where they've been incorporated into
linux-next:

 https://lkml.kernel.org/r/%3C20170815220319.GA63342@beast%3E

For the Artful 4.13 kernel, simply follow this sequence to apply the patches
from linux-next:

revert: cad05e0c59836c61f1a7a8d78cea65e231eaf952
cherry-pick: deb4de8b31bc5bf21efb6ac31150a01a631cd647
cherry-pick: 8e5f1ad116df6b0de65eac458d5e7c318d1c05af
cherry-pick: d612b1fd8010d0d67b5287fe146b8b55bcbb8655
cherry-pick: 0ddec0fc8900201c0897b87b762b7c420436662f
cherry-pick: 2b7ea5b5b5799f2878ed454bb48032bed6d101d3
cherry-pick: e66a39977985b1e69e17c4042cb290768eca9b02
cherry-pick: 59f5cf44a38284eb9e76270c786fb6cc62ef8ac4 (LP: #1567597)

For the Artful 4.12 kernel, please apply the patches that will follow up this
intro email. A few of the patches required a minor backporting.

I've successfully run the seccomp kernel selftests (including the ones added by
this patch set) using the patched 4.12 and 4.13 Artful kernels. I've also
manually tested the backports to both kernels using a test program that
exercises the new log filter flag and log action.

Thanks!

Tyler
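
The behaviour the cover letter describes (a filter that returns an errno and is logged instead of killing the process) can be checked from userspace with a small program. This is an added example, not the test program mentioned in the message and not code from the patch set. The filtered syscall (getppid) and the result codes are assumptions made for illustration, while SECCOMP_FILTER_FLAG_LOG is the upstream name of the log filter flag.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_FILTER_FLAG_LOG          /* UAPI headers older than the patch set */
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
#endif

/* Result codes constructed for this example. */
enum { LOGGED_ERRNO = 0, NO_LOG_FLAG = 2, NO_SECCOMP = 3, WRONG_RESULT = 4 };

static int child(void)
{
    /* Minimal demo filter: getppid -> EPERM, all else allowed. A real filter checks seccomp_data.arch first. */
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = insns };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return NO_SECCOMP;
    /* The LOG flag asks the kernel to log every non-ALLOW action this filter returns. */
    if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog))
        return errno == EINVAL ? NO_LOG_FLAG : NO_SECCOMP;
    errno = 0;
    if (syscall(__NR_getppid) == -1 && errno == EPERM)
        return LOGGED_ERRNO;             /* denied with an errno, process still alive */
    return WRONG_RESULT;
}

int run_demo(void)
{
    int status;
    pid_t pid = fork();                  /* keep the filter out of the parent */
    if (pid == 0) _exit(child());
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) { return run_demo(); }
```

An exit status of 0 means the denied call returned EPERM under a filter loaded with the log flag; 2 means the running kernel rejected the flag, which is what an unpatched kernel does. Whether a record is actually emitted also depends on the `kernel.seccomp.actions_logged` sysctl.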




