cmd/snap-seccomp: add full complement of ptrace constants #6120
The snap-seccomp executable needs to understand each constant
it is given. When encountering unexpected constants it just returns
an error.

Since patch 093b366
"interfaces/browser-support, cmd/snap-seccomp: Allow read-only ptrace,
for the Breakpad crash reporter." snap-seccomp will choke on the
profiles generated for the browser-support interface.

Since patch 353aa70 "cmd/snap-seccomp:
only look for PTRACE_GETFPX?REGS where available" snap-seccomp contains
additional logic that handles various ptrace constants with
architecture-specific build tags. I'm not sure why this was done because
all of the constants are available in the C header file sys/ptrace.h.

Initially I was thinking about making the parser silently ignore certain
PTRACE values but I have since reconsidered to just add the full complement since
they are just defined and are available at build time. After all, it
doesn't hurt if they don't work on a given architecture (at a kernel
level). We just want to white-list them in case they do work.

Fixes: https://bugs.launchpad.net/snapd/+bug/1802124

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>