Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(2.34) cmd/snap-confine: allow ptrace read for 4.18 kernels #5579

Merged
merged 1 commit into from Jul 31, 2018
Merged

(2.34) cmd/snap-confine: allow ptrace read for 4.18 kernels #5579

merged 1 commit into from Jul 31, 2018

Conversation

jdstrand
Copy link

@jdstrand jdstrand commented Jul 30, 2018
edited

Kernels < 4.18 incorrectly require 'ptrace trace' to read /proc/1/ns/mnt and
this was corrected to only require 'ptrace read'. This commit simply adds
'ptrace read peer=unconfined,', leaving the old 'trace' rule. A future commit
will remove the 'trace' rule by default and interrogate the kernel to
conditionally add it back when needed.

Reference:
https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/19

cmd/snap-confine: allow ptrace read for 4.18 kernels
7921783 
Kernels < 4.18 incorrectly require 'ptrace trace' to read /proc/1/ns/mnt and
this was correctly to only require 'ptrace read'. This commit simply adds
'ptrace read peer=unconfined,', leaving the old 'trace' rule. A future commit
will remove the 'trace' rule by default and interrogate the kernel to
conditionally add it back when needed.

Reference:
https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/19
@jdstrand jdstrand added the Simple 😃 A small PR which can be reviewed quickly label Jul 30, 2018
@jdstrand jdstrand added this to the 2.34 milestone Jul 30, 2018
@jdstrand jdstrand requested a review from mvo5 July 30, 2018 21:14
@jdstrand
Copy link
Author

@mvo5 - this isn't super urgent for 2.34, but it would be nice to have sooner than later.

@bboozzoo bboozzoo changed the title cmd/snap-confine: allow ptrace read for 4.18 kernels (2.34) cmd/snap-confine: allow ptrace read for 4.18 kernels Jul 31, 2018
@jdstrand
Copy link
Author

FYI, the test failures are unrelated -- gce failures on arch.

@mvo5 mvo5 merged commit 7ef3443 into snapcore:release/2.34 Jul 31, 2018
@jdstrand
Copy link
Author

Thanks!

@jdstrand jdstrand deleted the add-ptrace-read-for-4.18-2.34 branch August 2, 2018 18:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bboozzoo bboozzoo bboozzoo approved these changes

@mvo5 mvo5 Awaiting requested review from mvo5

Assignees
No one assigned
Labels
Simple 😃 A small PR which can be reviewed quickly
Projects
None yet
Milestone
2.34
3 participants
@jdstrand @bboozzoo @mvo5