Friday, 10 June 2016

Re: libseccomp 2.3.1 uses negative (pseudo) syscall numbers by default

On Fri, 2016-06-10 at 18:32 +0100, Dimitri John Ledkov wrote:
> Hello,
> New libseccomp is in yakkety proposed. There is a change, on some
> architecutres, w.r.t. to canonical representation of syscall
> numbers.....
> There are normal syscall numbers and multiplexed ones. And some are
> exposed as both - direct numbers and negative pseudo syscall numbers.
> All filtering should remain in place for both direct and pseudo
> numbers.
That's interesting.

> But I had to adjust our autopkgtests for this, and I'm wondering if
> there are any other pieces of software to fix as a result of this
> upstream change on some architectures (e.g. lxc, apparmor, click,
> snapd, juju, etc....)
AppArmor shouldn't care and click doesn't do anything with seccomp.

snapd does, but we take the syscall and use seccomp_syscall_resolve_name() from
libseccomp to get the syscall number to feed into seccomp_rule_add_* so it
should be fine.

Jamie Strandboge |