interfaces/builtin: add lsm self-attr syscall allowances#16665
zyga wants to merge 1 commit into canonical:master from
Conversation
Pull request overview
This PR adds syscall allowances for the new LSM (Linux Security Module) self-attribute APIs to several snapd interfaces. These syscalls (lsm_get_self_attr and lsm_set_self_attr) are the modern kernel APIs for reading and writing process LSM attributes, replacing direct /proc file access. The changes ensure interfaces that read or write AppArmor labels via /proc/.../attr/ files also have the corresponding syscall permissions.
Changes:
- Add lsm_get_self_attr to interfaces that read AppArmor current labels (system-observe, cups-control, kubernetes-support kubelet/default flavors)
- Add lsm_set_self_attr to docker-support which writes to attr/exec
- Update all relevant test files to verify the new syscall permissions are present
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| interfaces/builtin/system_observe.go | Adds lsm_get_self_attr syscall for reading AppArmor current labels |
| interfaces/builtin/system_observe_test.go | Adds test assertion verifying lsm_get_self_attr is present in seccomp profile |
| interfaces/builtin/kubernetes_support.go | Adds lsm_get_self_attr to kubelet seccomp snippet for reading process attributes |
| interfaces/builtin/kubernetes_support_test.go | Adds test assertions for kubelet/default flavors having the syscall, and kubeproxy/autobind-unix not having it |
| interfaces/builtin/docker_support.go | Adds lsm_set_self_attr syscall for writing to attr/exec |
| interfaces/builtin/docker_support_test.go | Adds test assertion verifying lsm_set_self_attr is present in seccomp profile |
| interfaces/builtin/cups_control.go | Adds seccomp import and SecCompPermanentSlot method with lsm_get_self_attr syscall |
| interfaces/builtin/cups_control_test.go | Adds seccomp import and two test functions verifying syscall presence on core and classic |
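The two syscalls named in the overview, as an added example that is not snapd's code: a small C program that reads this process's LSM "current" attribute with lsm_get_self_attr(2), walks the array of lsm_ctx records the kernel returns, and falls back to /proc/self/attr/apparmor/current when the syscall is missing (ENOSYS on kernels before 6.8) or denied by a seccomp filter, which is the situation the interfaces above are being fixed for. The struct layout, the LSM_ID_*/LSM_ATTR_* values and syscall number 459 are reproduced from the Linux 6.8 uapi headers (x86_64/asm-generic); lsm_ctx_find, lsm_ctx_append and the sample labels are this example's own, and the sample buffer is constructed, not captured from a kernel.

```c
// Added example (not snapd code): read the calling process's LSM "current"
// attribute via lsm_get_self_attr(2), walk the returned lsm_ctx records, and
// fall back to the AppArmor-specific proc file if the syscall is unavailable.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Values from <linux/lsm.h> (Linux 6.8+), redefined so this builds on older
 * headers. 459 is the x86_64 / asm-generic number for lsm_get_self_attr. */
#ifndef __NR_lsm_get_self_attr
#define __NR_lsm_get_self_attr 459
#endif
#define LSM_ATTR_CURRENT 100
#define LSM_ID_SELINUX   101
#define LSM_ID_SMACK     102
#define LSM_ID_APPARMOR  104

struct lsm_ctx {
    uint64_t id;      /* LSM_ID_* of the module that produced this record */
    uint64_t flags;   /* reserved, zero */
    uint64_t len;     /* whole record: header + ctx + padding to 8 bytes */
    uint64_t ctx_len; /* bytes of ctx[] that carry the value */
    uint8_t  ctx[];   /* attribute value (text for AppArmor) */
};

/* Walk a buffer of lsm_ctx records and copy the value for want_id into out,
 * NUL-terminated with a trailing newline stripped. Returns 1 if found, 0 if
 * no LSM reported that id, -1 if a record is malformed or overruns the buffer
 * (the check that keeps a bad size from reading past the end). */
int lsm_ctx_find(const uint8_t *buf, size_t buf_len, uint64_t want_id,
                 char *out, size_t out_len)
{
    size_t off = 0;
    while (off < buf_len) {
        if (buf_len - off < sizeof(struct lsm_ctx))
            return -1;
        struct lsm_ctx hdr;
        memcpy(&hdr, buf + off, sizeof hdr);
        if (hdr.len < sizeof(struct lsm_ctx) || hdr.len > buf_len - off ||
            hdr.ctx_len > hdr.len - sizeof(struct lsm_ctx))
            return -1;
        if (hdr.id == want_id) {
            size_t n = hdr.ctx_len;
            if (n >= out_len)
                n = out_len - 1;
            memcpy(out, buf + off + sizeof(struct lsm_ctx), n);
            out[n] = '\0';
            out[strcspn(out, "\n")] = '\0';
            return 1;
        }
        off += hdr.len; /* len is never below the header size here */
    }
    return 0;
}

/* Build one record at buf+off the way the kernel lays it out: value plus NUL,
 * len rounded up to a multiple of 8. Returns the new offset, or 0 if it does
 * not fit. Used only to construct sample data for offline testing. */
size_t lsm_ctx_append(uint8_t *buf, size_t cap, size_t off, uint64_t id,
                      const char *value)
{
    size_t vlen = strlen(value) + 1;
    size_t len = sizeof(struct lsm_ctx) + ((vlen + 7) & ~(size_t)7);
    if (cap - off < len)
        return 0;
    struct lsm_ctx hdr = { .id = id, .flags = 0, .len = len, .ctx_len = vlen };
    memset(buf + off, 0, len);
    memcpy(buf + off, &hdr, sizeof hdr);
    memcpy(buf + off + sizeof hdr, value, vlen);
    return off + len;
}

/* Ask the kernel for this process's "current" attribute and pick one LSM's
 * record. Returns 1/0 as lsm_ctx_find, or -1 with errno set when the syscall
 * itself fails (ENOSYS on old kernels, or the error a seccomp filter returns). */
int lsm_self_current(uint64_t lsm_id, char *out, size_t out_len)
{
    uint8_t buf[4096];
    uint32_t size = sizeof buf; /* in: capacity, out: bytes written */
    long rc = syscall(__NR_lsm_get_self_attr, LSM_ATTR_CURRENT, buf, &size, 0);
    if (rc < 0)
        return -1;
    return lsm_ctx_find(buf, size, lsm_id, out, out_len);
}

/* Pre-syscall fallback. The apparmor/ path is used rather than attr/current
 * because the latter's meaning depends on which LSM claimed it. */
int apparmor_proc_current(char *out, size_t out_len)
{
    FILE *f = fopen("/proc/self/attr/apparmor/current", "r");
    if (!f)
        return -1;
    if (!fgets(out, (int)out_len, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return 1;
}

int main(void)
{
    char label[256];
    int r = lsm_self_current(LSM_ID_APPARMOR, label, sizeof label);
    if (r == 1)
        printf("lsm_get_self_attr: apparmor current = %s\n", label);
    else if (r == 0)
        puts("lsm_get_self_attr: no AppArmor record (AppArmor not active)");
    else {
        printf("lsm_get_self_attr failed (%s); falling back to /proc\n",
               strerror(errno));
        if (apparmor_proc_current(label, sizeof label) == 1)
            printf("/proc/self/attr/apparmor/current = %s\n", label);
    }
    return 0;
}
```

Run inside a snap whose seccomp profile lacks lsm_get_self_attr and the first branch fails while the /proc read still works, which is exactly the inconsistency between the AppArmor rules and the seccomp snippets that this PR closes.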
Fri Feb 27 11:36:05 UTC 2026
Failures:
Preparing:
Executing:
Restoring:
Skipped tests from snapd-testing-skip

`
| const cupsControlPermanentSlotSecComp = ` | ||
| lsm_get_self_attr |
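Review bot: the new seccomp constant carries no comment tying it to the AppArmor rule it complements, `@{PROC}/[0-9]*/attr/{,apparmor/}current r,` in the existing permanent slot; a one-line comment above `lsm_get_self_attr` saying it is the syscall counterpart of reading attr/{,apparmor/}current would make the pairing obvious to the next person touching cups-control.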
should we allow reading /proc/self/attr/current for consistency?
maybe, the issue with /proc/self/attr/current is that its value will change based on the LSM that has claimed it. For this reason apparmor provides the alternative /proc/self/attr/apparmor/current and smack /proc/self/attr/smack/current
The other question around this, is does access to /proc/self/attr/current belong in a seccomp interface, or should there be an lsm interface.
I should note that there is work in progress to add more lsm syscalls, both around namespacing and policy loads.
We kind of do via the existing permanent slot:
@{PROC}/[0-9]*/attr/{,apparmor/}current r,
Add lsm_get_self_attr to interfaces that read AppArmor current labels
and add lsm_set_self_attr where AppArmor allows writing process
attr/exec.
Include seccomp coverage updates in tests for system-observe,
cups-control, docker-support, and kubernetes-support flavors.
No syscall addition for browser-support: it explicitly denies access to
/proc/.../attr/{,apparmor/}current.
No explicit syscall addition for lxd-support: its seccomp policy is
@unrestricted.
The k8s-support interface has both get and set per advice from John
Johansen.
Jira: https://warthogs.atlassian.net/browse/AA-1000
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
14ce710 to 1a5360d
Codecov Report: All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
## master #16665 +/- ##
==========================================
+ Coverage 77.53% 77.54% +0.01%
==========================================
Files 1354 1353 -1
Lines 186920 186967 +47
Branches 2446 2446
==========================================
+ Hits 144921 144981 +60
+ Misses 33236 33219 -17
- Partials 8763 8767 +4
Add lsm_get_self_attr to interfaces that read AppArmor current labels and add lsm_set_self_attr where AppArmor allows writing process attr/exec.
Include seccomp coverage updates in tests for system-observe, cups-control, docker-support, and kubernetes-support flavors.
No syscall addition for browser-support: it explicitly denies access to /proc/.../attr/{,apparmor/}current.
No explicit syscall addition for lxd-support: its seccomp policy is @unrestricted.
Jira: https://warthogs.atlassian.net/browse/AA-1000