seccomp launcher
Jamie Strandboge
jamie at canonical.com
Tue Mar 31 15:29:11 UTC 2015
CC'ing snappy-devel@ so people know what is going on.
On 03/24/2015 12:24 PM, Jamie Strandboge wrote:
> On 03/24/2015 04:55 AM, Michael Vogt wrote:
>> On Fri, Mar 20, 2015 at 10:18:10AM -0500, Jamie Strandboge wrote:
>>> On 03/20/2015 10:15 AM, Jamie Strandboge wrote:
...
>> The launcher side should be in reasonable shape now, the next step is
>> the generator.
>>
> Thanks so much for this!
>
> Note to Tyler:
> 12:10 < mvo> jdstrand: I added the ignore-unknown-syscalls now
>
> Michael and I discussed that different architectures may use different syscalls
> for similar things (eg, /bin/true was different between architectures). I
> thought that we didn't want to get into the business of architecture-dependent
> filter templates and filter groups so advised Michael to simply ignore any
> unknown syscalls that are in the template/groups which should help his testsuite
> too. I figure if needed, we can refine this going forward.
>
FYI, I went through all the archs that our buildds support and defined the basic
seccomp policy. It isn't finalized and still needs to be thoroughly tested.
Creating a new ubuntu-core-security package that will supersede
apparmor-easyprof-ubuntu-snappy. See this here:
https://code.launchpad.net/~jdstrand/+junk/ubuntu-core-security
Importantly, not only does it add seccomp policy and replace
apparmor-easyprof-ubuntu-snappy, it updates 'policy-vendor' to be 'ubuntu-core'
instead of 'ubuntu-snappy' and changes the 'policy-version' to be based in
/etc/lsb-release. This means we can remove the need for the .framework file in
/usr/share/click/frameworks. It will have compatibility symlinks to not break
existing apps in the store.
I also looked at Michael's branch:
https://code.launchpad.net/~mvo/ubuntu-core-launcher/trunk
Attached is a patch that:
* fallback to seccomp_rule_add() if seccomp_rule_add_exact() fails
* call prctl(PR_SET_NO_NEW_PRIVS, 1)
I have not done a code review. Perhaps that is something Tyler would like to go
over.
With the launcher and ubuntu-core-security pieces coming together, in the next
couple days I plan to:
* upload ubuntu-core-security
* seed ubuntu-core-security-* binaries for snappy (where?)
* adjust click-apparmor to dynamically determine what to do based on
lsb-release
* adjust snappy to ideally dynamically detect but may just change the hardcoded
value for new snaps
* adjust the review tools to obsolete 'ubuntu-snappy' as the policy-vendor
* follow up with sergiusens on making /var/lib/snappy writable (he said he'd do
it)
Once all of that is in place, the only thing left is the glue tool for seccomp
(i.e., seccomp's aa-easyprof equivalent). Since Michael is on holiday starting
tomorrow, if I can find the time, I'll start looking at that.
--
Jamie Strandboge http://www.ubuntu.com/
-------------- next part --------------
diff -Nru ubuntu-core-launcher-0.1~ppa5/debian/changelog ubuntu-core-launcher-0.1~ppa6/debian/changelog
--- ubuntu-core-launcher-0.1~ppa5/debian/changelog 2015-03-30 17:24:56.000000000 -0500
+++ ubuntu-core-launcher-0.1~ppa6/debian/changelog 2015-03-31 08:05:33.000000000 -0500
@@ -1,3 +1,10 @@
+ubuntu-core-launcher (0.1~ppa6) vivid; urgency=medium
+
+ * fallback to seccomp_rule_add() if seccomp_rule_add_exact() fails
+ * call prctl(PR_SET_NO_NEW_PRIVS, 1)
+
+ -- Jamie Strandboge <jamie at ubuntu.com> Tue, 31 Mar 2015 08:02:52 -0500
+
ubuntu-core-launcher (0.1~ppa5) vivid; urgency=low
* ignore syscalls unavailable on the given kenerl/arch
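Review bot: the ppa5 context line still reads "kenerl/arch"; since this hunk is touching the changelog anyway, it is a cheap moment to correct that to "kernel/arch" in the same upload.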
diff -Nru ubuntu-core-launcher-0.1~ppa5/src/seccomp.c ubuntu-core-launcher-0.1~ppa6/src/seccomp.c
--- ubuntu-core-launcher-0.1~ppa5/src/seccomp.c 2015-03-30 17:24:56.000000000 -0500
+++ ubuntu-core-launcher-0.1~ppa6/src/seccomp.c 2015-03-31 08:12:07.000000000 -0500
@@ -4,6 +4,7 @@
#include <string.h>
#include <ctype.h>
#include <stdlib.h>
+#include <sys/prctl.h>
#include <seccomp.h>
@@ -64,15 +65,24 @@
// syscall not available on this arch/kernel
if (syscall_nr == __NR_SCMP_ERROR)
continue;
-
+
// a normal line with a syscall
rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, syscall_nr, 0);
if (rc != 0) {
- fprintf(stderr, "seccomp_rule_add_exact failed with %i for '%s'\n", rc, buf);
- goto out;
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscall_nr, 0);
+ if (rc != 0) {
+ fprintf(stderr, "seccomp_rule_add failed with %i for '%s'\n", rc, buf);
+ goto out;
+ }
}
}
+ // Make sure we can't elevate later
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+ perror("prctl(NO_NEW_PRIVS)");
+ goto out;
+ }
+
// load it into the kernel
rc = seccomp_load(ctx);
if (rc != 0) {
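Review bot: in the new prctl(PR_SET_NO_NEW_PRIVS) block, `goto out` is taken while rc is still 0 from the successful rule loop, so if the `out:` path returns rc (as the other error paths in this function suggest) the caller sees success even though NO_NEW_PRIVS was never set; set rc to a non-zero value (e.g. `rc = -1;`) before the `goto out;`, the way the seccomp_rule_add failure path already has rc non-zero when it jumps. Separately, the fallback from seccomp_rule_add_exact() to seccomp_rule_add() is silent: the first call failing means the rule could not be added exactly as written, so it would help testing across the architectures discussed in the thread to print which syscall took the fallback path (even behind a debug flag) rather than only reporting the case where both calls fail.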
@@ -80,7 +90,7 @@
goto out;
}
-
+
out:
if (f != NULL) {
fclose(f);
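To show what the prctl(PR_SET_NO_NEW_PRIVS) call added by the patch is protecting, here is an added example that is not code from the launcher or from this mail: it installs a minimal seccomp filter with a raw BPF program (no libseccomp, so it builds without the library), after setting NO_NEW_PRIVS, and probes from a forked child whether a syscall is denied. The denied-syscall choice and the helper names are this example's own.

```c
// Added example: seccomp filter + NO_NEW_PRIVS with raw BPF (no libseccomp).
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Deny one syscall number with EPERM and allow everything else. The launcher
 * builds an allow-list with a deny default; default-allow keeps this demo
 * self-contained and lets the parent keep running normally. */
static int install_filter(int denied_nr)
{
    struct sock_filter prog[] = {
        /* load the syscall number from struct seccomp_data */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* if nr == denied_nr fall through to the errno return, else skip it */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)denied_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = sizeof(prog) / sizeof(prog[0]),
        .filter = prog,
    };
    /* Without NO_NEW_PRIVS an unprivileged process may not install a filter,
     * and a later setuid exec could otherwise regain what the filter removed. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Installs a filter denying `denied_nr` in a child, invokes `probe_nr` there
 * (use argument-less syscalls such as getpid/getppid), and returns the errno
 * the child observed: 0 on success, EPERM when denied, -1 on setup failure. */
int probe_denied_syscall(int denied_nr, int probe_nr)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_filter(denied_nr) != 0)
            _exit(255);
        errno = 0;
        syscall(probe_nr);
        _exit(errno); /* EPERM is 1, so it fits in an exit status */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```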