1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
summary: Check basic seccomp rules
details: |
This test verifies that:
.
- absence of a syscall is denied
- use of a bare syscall (ie, no arguments) is allowed
- use of a syscall with arg filtering is allowed with matching arguments
- use of a syscall with arg filtering is denied with unmatching arguments
- explicit denial of a syscall with matching arguments is denied
.
We choose the setpriority syscall for these tests since it is available on
all architectures and can be easily used to test all of the above. As part of
its testing, this test will modify the snap's seccomp filter and recompile
it. On strict mode systems, it will also adjust the apparmor profile to allow
'capability nice' so it doesn't interfere with anything.
# IMPORTANT: disabling a system here is an explicit statement that snapd
# doesn't care that the system has broken seccomp mediation. This is unlikely
# what you want. If adding, please add why and any references to supporting
# context. See:
# https://forum.snapcraft.io/t/disabling-seccomp-sandbox-where-a-buggy-golang-seccomp-is-used/11054
#
#systems: [...]
environment:
SRC: /var/lib/snapd/seccomp/bpf/snap.test-snapd-setpriority.test-snapd-setpriority.src
BIN: /var/lib/snapd/seccomp/bpf/snap.test-snapd-setpriority.test-snapd-setpriority.bin2
AAP: /var/lib/snapd/apparmor/profiles/snap.test-snapd-setpriority.test-snapd-setpriority
prepare: |
echo "Install a helper snap with default confinement"
snap install test-snapd-setpriority
echo "Copy $SRC aside for safekeeping"
cp "$SRC" "$SRC".orig
if snap debug sandbox-features --required apparmor:kernel:caps ; then
echo "Copy $AAP aside for safekeeping"
cp "$AAP" "$AAP".orig
sed 's/^}/capability sys_nice,\n}\n/g' "$AAP".orig > "$AAP"
# ensure the right apparmor_parser is used
APPARMOR_PARSER="apparmor_parser"
if snap debug sandbox-features --required apparmor:parser:snapd-internal; then
APPARMOR_PARSER="/snap/snapd/current/usr/lib/snapd/apparmor_parser --config-file /snap/snapd/current/usr/lib/snapd/apparmor/parser.conf -b /snap/snapd/current/usr/lib/snapd/apparmor.d --policy-features /snap/snapd/current/usr/lib/snapd/apparmor.d/abi/4.0"
fi
$APPARMOR_PARSER -K -r "$AAP"
fi
restore: |
if [ -e "$SRC".orig ]; then
mv -f "$SRC".orig "$SRC"
snapd.tool exec snap-seccomp compile "$SRC" "$BIN"
fi
if [ -f "$AAP".orig ]; then
mv -f "$AAP".orig "$AAP"
# ensure the right apparmor_parser is used
APPARMOR_PARSER="apparmor_parser"
if snap debug sandbox-features --required apparmor:parser:snapd-internal; then
APPARMOR_PARSER="/snap/snapd/current/usr/lib/snapd/apparmor_parser --config-file /snap/snapd/current/usr/lib/snapd/apparmor/parser.conf -b /snap/snapd/current/usr/lib/snapd/apparmor.d --policy-features /snap/snapd/current/usr/lib/snapd/apparmor.d/abi/4.0"
fi
$APPARMOR_PARSER -K -r "$AAP"
fi
execute: |
# other tests ensure seccomp is available so we can skip any systems that
# don't have it
if ! snap debug sandbox-features --required seccomp:bpf-argument-filtering ; then
exit 0
fi
echo "Remove any setpriority rules from the filter"
sed 's/^\(setpriority.*\)/#SPREAD: \1/g' "$SRC".orig > "$SRC"
snapd.tool exec snap-seccomp compile "$SRC" "$BIN"
echo "and check that positive nice fails"
test-snapd-setpriority 10 | MATCH 'Operation not permitted \(EPERM\)'
echo "and check that negative nice fails"
test-snapd-setpriority -10 | MATCH 'Operation not permitted \(EPERM\)'
echo "Use bare setpriority rule"
sed 's/^\(setpriority.*\)/#SPREAD: \1\nsetpriority/g' "$SRC".orig > "$SRC"
snapd.tool exec snap-seccomp compile "$SRC" "$BIN"
echo "and check that positive nice succeeds"
test-snapd-setpriority 10 | MATCH 'Successfully used setpriority\(PRIO_PROCESS, 0, 10\)'
echo "and check that negative nice succeeds"
test-snapd-setpriority -10 | MATCH 'Successfully used setpriority\(PRIO_PROCESS, 0, -10\)'
echo "Use arg filtered setpriority rule"
sed 's/^\(setpriority.*\)/#SPREAD: \1\nsetpriority PRIO_PROCESS 0 <=19/g' "$SRC".orig > "$SRC"
snapd.tool exec snap-seccomp compile "$SRC" "$BIN"
echo "and check that positive nice succeeds"
test-snapd-setpriority 10 | MATCH 'Successfully used setpriority\(PRIO_PROCESS, 0, 10\)'
echo "and check that negative nice fails"
test-snapd-setpriority -10 | MATCH 'Operation not permitted \(EPERM\)'
# TODO: filtering on setpriority is a bit confusing as it is not part
# of the "negative args" filter added in ec7c9f27c97 so the fact that
# negative args are denied is a bit magic
echo "Explicitly deny arg filtered setpriority rule takes precedence to (allow) arg filtered setpriority rule"
sed 's/^\(setpriority.*\)/#SPREAD: \1\nsetpriority PRIO_PROCESS 0 <=19/g' "$SRC".orig > "$SRC"
echo '~setpriority PRIO_PROCESS 0 >10' >> "$SRC"
snapd.tool exec snap-seccomp compile "$SRC" "$BIN"
echo "and check that positive non-explicitly denied nice succeeds"
test-snapd-setpriority 10 | MATCH 'Successfully used setpriority\(PRIO_PROCESS, 0, 10\)'
echo "and check that explicitly denied parameters fail with the explicit denial error code"
test-snapd-setpriority 11 | MATCH 'Insufficient privileges \(EACCES\)'
echo "and check that negative nice still fails with implicit denial"
test-snapd-setpriority -10 | MATCH 'Operation not permitted \(EPERM\)'
|
