cmd/snap-confine: refactor and cleanup of seccomp loading (#6426)
* cmd/snap-confine: break down seccomp loading and insertion
We had existing code to load a profile from disk based on a security
tag name, validate a few things, apply that to the current process,
all while handling privilege raising/lowering.
To make the code a little bit more reusable, break the application
of seccomp profile into a new function.
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-confine: reuse sc_apply_seccomp_filter
With the logic to apply a seccomp filter broken out we can now reduce
the size of sc_apply_seccomp_bpf. There's no change in semantics or even
the sequence of system calls involved.
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-confine: tweak signature of sc_apply_seccomp_bpf
The return value of sc_apply_seccomp_bpf is always zero and is never
used by snap-confine. The function always dies in case of problems.
The argument was just the security tag but under an obfuscated name.
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-confine: rename and document seccomp profile loader
The function that loads a seccomp profile for a given security tag
is now called sc_apply_seccomp_profile_for_security_tag. A profile may
be a seccomp BPF filter or the special string "@unrestricted\n". In
addition there is non-trivial behavior when the profile is absent
that was never mentioned in the documentation before.
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-confine: add sc_read_seccomp_filter
This helper just reads a filter to a buffer of a given size.
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-confine: use sc_read_seccomp_filter
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-confine: add a TODO for bpfpath validation
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-seccomp: load global seccomp profile if one exists
Traditionally each snap process would use a custom confinement profile.
This works great since every application and hook can run under an
arbitrary seccomp profile. This doesn't allow us to say, with
confidence, that some basic guarantee applies to all confined processes
though. This patch introduces such capability.
In addition to the per-app or per-hook profile, a global profile is
loaded and attached to each started process. The global profile may be
safely absent, without incurring any errors or startup delays.
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-confine: surface @unrestricted seccomp to main
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-confine: skip global profile when @unrestricted
Signed-off-by: Zygmunt Krynicki <email address hidden>
* tests: adjust tested log pattern
* cmd/snap-confine: rename sys_seccomp back
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-confine: fix indirect pointer SNAFU
Signed-off-by: Zygmunt Krynicki <email address hidden>
* cmd/snap-seccomp: tweak comment
Signed-off-by: Zygmunt Krynicki <email address hidden>