Merge lp://qastaging/~jdstrand/snap-confine/ubuntu-core-launcher.nnp-off into lp://qastaging/~snappy-dev/snap-confine/trunk
Proposed by: Jamie Strandboge

| Field | Value |
|---|---|
| Status | Merged |
| Merged at revision | 99 |
| Proposed branch | lp://qastaging/~jdstrand/snap-confine/ubuntu-core-launcher.nnp-off |
| Merge into | lp://qastaging/~snappy-dev/snap-confine/trunk |
| Diff against target | 181 lines (+79/-15), 5 files modified: debian/changelog (+10/-0), src/main.c (+27/-14), src/seccomp.c (+35/-1), tests/test_create_user_data (+4/-0), tests/test_restrictions_working (+3/-0) |
| To merge this branch | bzr merge lp://qastaging/~jdstrand/snap-confine/ubuntu-core-launcher.nnp-off |
| Related bugs | |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Tyler Hicks (community) | Abstain | | |
Seth Arnold | Needs Fixing | | |
Jamie Strandboge (community) | Approve | | |
Review via email: mp+289683@code.qastaging.launchpad.net |
Description of the change
Don't set NO_NEW_PRIVS. This requires changing privilege dropping since CAP_SYS_ADMIN is needed with seccomp_load(). This means temporarily dropping until seccomp_load(), then raising before and permanently dropping after the filter is applied. As a result, setuid/setgid is required in all policy (but is still mediated by AppArmor).
One point I want to mention is that I could have dropped privs permanently after seccomp_load() in seccomp.c but instead dropped temporarily there and permanently after seccomp_load_filters() in main.c. I did this because I felt the code was easier to follow which I thought outweighed being permanently dropped for the file close and seccomp_release().