Message ID | 1507265029-17765-1-git-send-email-tyhicks@canonical.com |
---|---|
On 06.10.2017 06:43, Tyler Hicks wrote:
> This is a backport of a patch set that improves seccomp logging controls for
> applications and for administrators. Snappy needs these patches in order to
> provide proper logging of syscalls that are not allowed while running in
> developer mode (LP: #1567597). Snappy also needs these patches in order to move
> away from the default action of killing snaps when they bump into the sandbox
> walls and, instead, return an errno that is properly logged (LP: #1721676).
>
> The patches have been acked by seccomp maintainer Kees Cook and they've been
> merged into 4.14:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c0a3a64e723324ae6dda53214061a71de63808c3
>
> See the test case descriptions in the bugs mentioned above for a list of
> successful tests that I've performed (they all pass).
>
> Thanks!

The patches have no BugLink as far as I see. Would have been nice to add them. I
assume it is the two bugs mentioned above (which also seem to have SRU
justification). We can add those when applying but it is one more thing one can
forget.

The delta is substantial and I would not trust myself to evaluate its
correctness. I have to trust you and Kees, upstream review, the statement of not
changing the default behaviour and testing. Based on that:

Acked-by: Stefan Bader <stefan.bader@canonical.com>

>
> Tyler


On 06.10.2017 10:28, Stefan Bader wrote:
> On 06.10.2017 06:43, Tyler Hicks wrote:
>> This is a backport of a patch set that improves seccomp logging controls for
>> applications and for administrators. Snappy needs these patches in order to
>> provide proper logging of syscalls that are not allowed while running in
>> developer mode (LP: #1567597). Snappy also needs these patches in order to move
>> away from the default action of killing snaps when they bump into the sandbox
>> walls and, instead, return an errno that is properly logged (LP: #1721676).
>>
>> The patches have been acked by seccomp maintainer Kees Cook and they've been
>> merged into 4.14:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c0a3a64e723324ae6dda53214061a71de63808c3
>>
>> See the test case descriptions in the bugs mentioned above for a list of
>> successful tests that I've performed (they all pass).
>>
>> Thanks!
>
> The patches have no BugLink as far as I see. Would have been nice to add them. I
> assume it is the two bugs mentioned above (which also seem to have SRU
> justification). We can add those when applying but it is one more thing one can
> forget.

Found the two patches with buglinks now. See comment for Zesty set.

> The delta is substantial and I would not trust myself to evaluate its
> correctness. I have to trust you and Kees, upstream review, the statement of not
> changing the default behaviour and testing. Based on that:
>
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
>
>>
>> Tyler


On 06/10/17 05:43, Tyler Hicks wrote:
> This is a backport of a patch set that improves seccomp logging controls for
> applications and for administrators. Snappy needs these patches in order to
> provide proper logging of syscalls that are not allowed while running in
> developer mode (LP: #1567597). Snappy also needs these patches in order to move
> away from the default action of killing snaps when they bump into the sandbox
> walls and, instead, return an errno that is properly logged (LP: #1721676).
>
> The patches have been acked by seccomp maintainer Kees Cook and they've been
> merged into 4.14:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c0a3a64e723324ae6dda53214061a71de63808c3
>
> See the test case descriptions in the bugs mentioned above for a list of
> successful tests that I've performed (they all pass).
>
> Thanks!
>
> Tyler

Similar to Stefan's comments. The backports and cherry picks look good to me.
Given that these are from upstream, have been tested and are from trusted
developers I'm OK with these changes even though they are a large changeset and
I'm not 100% sure if these changes are fully correct because I don't have the
seccomp domain knowledge.

Acked-by: Colin Ian King <colin.king@canonical.com>


Applied to xenial master-next branch.

Thanks.
Cascardo.

Applied-to: xenial/master-next