snapcore · zyga · Jun 24, 2016 · May 24, 2016 · May 24, 2016 · May 24, 2016
diff --git a/README.md b/README.md
@@ -17,32 +17,103 @@ killing processing without logging, verify that auditd is not installed.
 ## Apparmor
 
 The apparmor part is similar to aa-exec -p, i.e. it will launch the application
-under the given apparmor profile.
+under the specified apparmor profile.
 
 
 ## Seccomp
 
 The seccomp filter profile in expected to be located in
 `/var/lib/snapd/seccomp/profiles`
 
-The filter file contains lines with syscall names, comments that start
-with "#" or special directives that start with a "@".
+The filter file contains lines with syscall names, comments that start with "#"
+or special directives that start with a "@". Lines with syscall names may
+optionally specify additional arguments. Eg:
 
-The supported special directives are:
-@unrestricted
+        RULE = ( <syscall> [ARGS] | DIRECTIVE )
 
-The unrestricted profile looks like this:
-```
-# Unrestricted profile
-@unrestricted
-```
+        DIRECTIVE = @unrestricted
 
-A very strict profile might look like this:
-```
-# Super strict profile
-read
-write
-```
+        ARGS = ( - | [CONDITIONAL]VALUE )*
+
+        CONDITIONAL = ( '!', '>', '>=', '<', '<=' )
+
+        VALUE = ( UNSIGNED INT | KEY )
+
+        KEY = ( SOCKET DOMAIN | SOCKET TYPE | PRCTL | PRIO )
+
+        SOCKET DOMAIN = ( AF_UNIX | AF_LOCAL | AF_INET | AF_INET6 | AF_IPX |
+        AF_NETLINK | AF_X25 | AF_AX25 | AF_ATMPVC | AF_APPLETALK | AF_PACKET |
+        AF_ALG | AF_CAN )
+
+        SOCKET TYPE = ( SOCK_STREAM | SOCK_DGRAM | SOCK_SEQPACKET | SOCK_RAW |
+        SOCK_RDM | SOCK_PACKET )
+
+        PRCTL = ( PR_CAP_AMBIENT | PR_CAP_AMBIENT_RAISE |
+        PR_CAP_AMBIENT_LOWER | PR_CAP_AMBIENT_IS_SET |
+        PR_CAP_AMBIENT_CLEAR_ALL | PR_CAPBSET_READ | PR_CAPBSET_DROP |
+        PR_SET_CHILD_SUBREAPER | PR_GET_CHILD_SUBREAPER | PR_SET_DUMPABLE |
+        PR_GET_DUMPABLE | PR_SET_ENDIAN | PR_GET_ENDIAN | PR_SET_FPEMU |
+        PR_GET_FPEMU | PR_SET_FPEXC | PR_GET_FPEXC | PR_SET_KEEPCAPS |
+        PR_GET_KEEPCAPS | PR_MCE_KILL | PR_MCE_KILL_GET | PR_SET_MM |
+        PR_SET_MM_START_CODE | PR_SET_MM_END_CODE | PR_SET_MM_START_DATA |
+        PR_SET_MM_END_DATA | PR_SET_MM_START_STACK | PR_SET_MM_START_BRK |
+        PR_SET_MM_BRK | PR_SET_MM_ARG_START | PR_SET_MM_ARG_END |
+        PR_SET_MM_ENV_START | PR_SET_MM_ENV_END | PR_SET_MM_AUXV |
+        PR_SET_MM_EXE_FILE | PR_MPX_ENABLE_MANAGEMENT |
+        PR_MPX_DISABLE_MANAGEMENT | PR_SET_NAME | PR_GET_NAME |
+        PR_SET_NO_NEW_PRIVS | PR_GET_NO_NEW_PRIVS | PR_SET_PDEATHSIG |
+        PR_GET_PDEATHSIG | PR_SET_PTRACER | PR_SET_SECCOMP | PR_GET_SECCOMP |
+        PR_SET_SECUREBITS | PR_GET_SECUREBITS | PR_SET_THP_DISABLE |
+        PR_TASK_PERF_EVENTS_DISABLE | PR_TASK_PERF_EVENTS_ENABLE |
+        PR_GET_THP_DISABLE | PR_GET_TID_ADDRESS | PR_SET_TIMERSLACK |
+        PR_GET_TIMERSLACK | PR_SET_TIMING | PR_GET_TIMING | PR_SET_TSC |
+        PR_GET_TSC | PR_SET_UNALIGN | PR_GET_UNALIGN )
+
+        PRIO = ( PRIO_PROCESS | PRIO_PGRP | PRIO_USER )
+
+See `man 2 socket` and `man 2 prctl` for details on `SOCKET DOMAIN`,
+`SOCKET TYPE` and `PRCTL`.
+
+Specifying '-' as the argument skips filtering for that argument. Not
+specifying a conditional mean exact match. The syntax is meant to reflect
+how `seccomp_rule_add(3)` is used.
+
+Examples:
+
+* The unrestricted profile looks like this:
+
+        # Unrestricted profile
+        @unrestricted
+
+* A very strict profile might look like this:
+
+        # Super strict profile
+        read
+        write
+
+* Use of seccomp argument filtering:
+
+        # allow any socket types for AF_UNIX and AF_LOCAL
+        socket AF_UNIX
+        socket AF_LOCAL
+
+        # Only allow SOCK_STREAM and SOCK_DGRAM for AF_INET
+        socket AF_INET SOCK_STREAM
+        socket AF_INET SOCK_DGRAM
+
+        # Allow renicing of one's own process (arg2 is '0) to higher nice values
+        setpriority - 0 >=0
+
+        # Allow dropping privileges to uid/gid '1' and raising back again
+        setuid <=1
+        setgid <=1
+        seteuid <=1
+        setegid <=1
+
+Limitations
+ * seccomp argument filtering only allows specifying positive integers as
+   arguments which means you may not dereference pointers, etc.
+ * up to 6 arguments may be specified
 
 
 ## devices cgroup

diff --git a/configure.ac b/configure.ac
@@ -44,7 +44,7 @@ AC_ARG_ENABLE([confinement],
         *) AC_MSG_ERROR([bad value ${enableval} for --disable-confinement])
     esac], [enable_confinement=yes])
 AM_CONDITIONAL([STRICT_CONFINEMENT], [test "x$enable_confinement" = "xyes"])
-AM_CONDITIONAL([CONFINEMENT_TESTS], [test "x$enable_confinement" = "xyes" && test "x$host_cpu" = "xx86_64" && test "x$build_cpu" = "xx86_64"])
+AM_CONDITIONAL([CONFINEMENT_TESTS], [test "x$enable_confinement" = "xyes" && (test "x$host_cpu" = "xx86_64" && test "x$build_cpu" = "xx86_64") || (test "x$host_cpu" = "xi686" && test "x$build_cpu" = "xi686")])
 
 # Check for required external libraries when confinement is enabled.
 AS_IF([test "x$enable_confinement" = "xyes"], [

diff --git a/debian/changelog b/debian/changelog
@@ -1,10 +1,14 @@
 ubuntu-core-launcher (1.0.33) UNRELEASED; urgency=medium
 
+  [ Zygmunt Krynicki ]
   * New upstream release
   * Break/Replace ubuntu-core-launcher << 1.0.32 so that packages upgrade
     correctly
   * Expose /run when --enable-rootfs-is-core-snap is used
 
+  [ Jamie Strandboge ]
+  * implement seccomp argument filtering (LP: #1446748)
+
  -- Zygmunt Krynicki <zygmunt.krynicki@canonical.com>  Sun, 19 Jun 2016 00:46:10 +0200
 
 ubuntu-core-launcher (1.0.30) yakkety; urgency=medium