seccomp filters: Why kill?

Kyle Fazzari kyle.fazzari at canonical.com
Mon Apr 4 12:23:06 UTC 2016


Hey all.

As I go through snapping different pieces of software, I encounter the
same issues. One of those issues is the software in question making
syscalls that are denied by the set of interfaces that don't require a
manual review. As far as I can tell, there are three ways around this:

1) Customize the YAML asking for the syscalls necessary, and live with
the manual reviews for every upload.

2) Maintain a fork with the syscall removed.

3) Push changes upstream to allow for disabling the syscall at compile-
or run-time.

Oftentimes the syscalls being made aren't strictly required (e.g. MySQL
trying to control its thread priorities with `setpriority()`), which
typically leads to my starting with (2) and moving to (3).

Every time I do (3) however, I get the same question: "Why does Snappy
use SECCOMP_RET_KILL instead of SECCOMP_RET_ERRNO?[1]" My only response
is "I don't know." I'd like to stop saying that, hence this email :).

To make sure we're on the same page, Snappy's ubuntu-core-launcher uses
libseccomp to load the filters, which it initializes with
SCMP_ACT_KILL[2], which means that when a non-whitelisted syscall is
made the caller is immediately killed with no chance to recover.
Contrast this to SCMP_ACT_ERRNO which would allow for such syscalls to
fail gracefully and be handled by the caller. For example, the code in
MySQL would have handled this with no changes by printing a warning
about being unable to change the priority. Perfect. But since Snappy
uses SCMP_ACT_KILL it requires a code change to never attempt the call
in the first place.

This makes packaging snaps harder than it seems it needs to be, so I
feel like there must be a good reason for it.

Thanks for the information!


[1]: https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
[2]: http://man7.org/linux/man-pages/man3/seccomp_init.3.html

--
Kyle Fazzari (kyrofa)
Software Engineer
Canonical Ltd.
kyle at canonical.com
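The difference the post describes between SECCOMP_RET_KILL and SECCOMP_RET_ERRNO can be reproduced without the snap launcher. The program below is an added example and is not code from the original post, from ubuntu-core-launcher or from libseccomp: it builds a minimal seccomp-BPF filter directly with prctl(PR_SET_SECCOMP) and linux/filter.h rather than through libseccomp, so that it compiles with nothing beyond glibc and the kernel headers. It forks a child, installs a filter that allows every syscall except setpriority(), and has the child make the setpriority() call the post attributes to MySQL. The function names (install_filter, run_with_filter), the enum, and the nice value 10 are this example's own assumptions. Under RET_KILL the child dies with SIGSYS before it can react; under RET_ERRNO (here EPERM) the same call simply returns -1 with errno set and the child carries on.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* A filter must pin the architecture, otherwise the syscall number it
 * compares against could be interpreted under a different ABI. */
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define NATIVE_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Hypothetical names for this example: which default action the filter
 * applies to the one syscall it denies (setpriority). */
enum filter_mode { FILTER_NONE, FILTER_KILL, FILTER_ERRNO };

/* Sentinel for failures of the example harness itself (fork/wait/filter
 * install), distinct from any errno value or -signal number. */
#define HARNESS_FAILURE (-1000)

/* Install a seccomp-BPF filter: allow everything, but apply `deny` to
 * setpriority(). Mirrors the allow/deny shape of a launcher filter. */
static int install_filter(enum filter_mode mode)
{
    __u32 deny = (mode == FILTER_KILL) ? SECCOMP_RET_KILL
                                       : (SECCOMP_RET_ERRNO | EPERM);
    struct sock_filter prog[] = {
        /* check the architecture first; kill on mismatch */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* load the syscall number; if it is setpriority, return `deny` */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setpriority, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, deny),
        /* everything else is allowed */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = sizeof(prog) / sizeof(prog[0]),
        .filter = prog,
    };
    /* unprivileged processes must set no_new_privs before loading a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run setpriority() in a child under the chosen filter. Returns 0 if the
 * call succeeded, the errno value if it failed, or -signum if the child
 * was killed by a signal (SIGSYS under SECCOMP_RET_KILL). */
int run_with_filter(enum filter_mode mode)
{
    pid_t pid = fork();
    if (pid < 0)
        return HARNESS_FAILURE;
    if (pid == 0) {
        if (mode != FILTER_NONE && install_filter(mode) != 0)
            _exit(200);  /* filter could not be loaded on this system */
        /* the kind of call the post attributes to MySQL: raise own nice value */
        if (setpriority(PRIO_PROCESS, 0, 10) == 0)
            _exit(0);
        _exit(errno);    /* graceful failure path: errno reaches the parent */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return HARNESS_FAILURE;
    if (WIFSIGNALED(status))
        return -WTERMSIG(status);
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return HARNESS_FAILURE;
}

int main(void)
{
    printf("no filter : %d (0 = setpriority succeeded)\n", run_with_filter(FILTER_NONE));
    printf("RET_KILL  : %d (-%d = killed by SIGSYS)\n", run_with_filter(FILTER_KILL), SIGSYS);
    printf("RET_ERRNO : %d (%s, process survived)\n", run_with_filter(FILTER_ERRNO), strerror(EPERM));
    return 0;
}
```

The RET_ERRNO branch is the one the post wants: the child gets -1/EPERM back from setpriority(), exactly what a caller that already checks the return value (as the MySQL code is said to) would handle by logging a warning. The RET_KILL branch shows the other side of the trade-off, which is what the question is asking about: the process is gone at the first denied call, so nothing in it can be trusted to run afterwards, but there is also no chance for it to continue in a degraded state. A practitioner debugging a kill can confirm the cause from the exit signal (SIGSYS, 31) and, on most distributions, from the auditd or kernel log entry seccomp emits for the denied syscall.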
