seccomp filters: Why kill?

Jamie Strandboge jamie at canonical.com
Fri Apr 8 21:50:02 UTC 2016


On Fri, 2016-04-08 at 11:23 -0400, Kyle Fazzari wrote:
> 
> On 04/07/2016 02:19 PM, Jamie Strandboge wrote:
> > 
> > On Tue, 2016-04-05 at 09:01 -0500, Jamie Strandboge wrote:
> > > 
> > > I'm inclined to just queue this up in the next launcher upload.
> > > 
> > FYI, this will not be in the next upload as seccomp doesn't currently
> > support logging with ERRNO(EPERM). I've discussed this with upstream and
> > they are considering updating seccomp for this. If that happens, we'll
> > need to add this patch to the list of required patches for snappy kernels,
> > update libseccomp and then adjust the launcher.
> > 
> > Note, the lack of seccomp logging also has an impact on developer mode since
> > only KILL is logged. I'm discussing this with upstream as well.
> Ah, darn. To be clear, the logging for ERRNO is missing support in both
> libseccomp and the kernel?
> 
libseccomp is missing it and the kernel is missing it in an easy to use way.
There might be something we can utilize with auditctl, which is one of the
things we are exploring.

-- 
Jamie Strandboge             | http://www.canonical.com
