An update to snapd now prevents snap-seccomp from parsing seccomp profiles. I hadn’t recompiled a seccomp profile in a week, so I don’t know the exact change, but I can recreate the issue.
I get no errors with versions:
ubuntu@ip-172-31-18-210:~$ snap version
snap 2.37.4+18.04
snapd 2.37.4+18.04
series 16
ubuntu 18.04
kernel 4.15.0-1034-aws
However, after updating snap by installing the core18 and snapd snaps
ubuntu@ip-172-31-18-210:~$ snap version
snap 2.45
snapd 2.45
series 16
ubuntu 18.04
kernel 4.15.0-1034-aws
Ok, thank you for the quick response. I will try the revert. I’m pretty sure it’s the snapd snap.
ubuntu@ip-172-31-18-210:~$ snap list
Name Version Rev Tracking Publisher Notes
amazon-ssm-agent 2.3.714.0 1566 latest/stable/… aws✓ classic
core 16-2.45 9289 latest/stable canonical✓ core
core18 20200427 1754 latest/stable canonical✓ base
snapd 2.45 7777 latest/stable canonical✓ snapd
Yeah, I can share just the snap.core.hook.condigure.src profile I referenced above. When I use my custom profile, it also breaks at the same chown ... -1 line.
# snap-seccomp version information:
# 084c57dfff93b8a0524eba4223545c89ed13f263 2.4.3 9b218ef9a4e508dd8a7f848095cb8875d10a4bf28428ad81fdc3f8dac89108f7 bpf-actlog
# Description: Allows access to app-specific directories and basic runtime
#
# The default seccomp policy is default deny with a whitelist of allowed
# syscalls. The default policy is intended to be safe for any application to
# use and should be evaluated in conjunction with other security backends (eg
# AppArmor). For example, a few particularly problematic syscalls that are left
# out of the default policy are (non-exhaustive):
# - kexec_load
# - create_module, init_module, finit_module, delete_module (kernel modules)
# - name_to_handle_at (history of vulnerabilities)
# - open_by_handle_at (history of vulnerabilities)
# - ptrace (can be used to break out of sandbox with <4.8 kernels)
# - add_key, keyctl, request_key (kernel keyring)
#
# Allowed accesses
#
access
faccessat
alarm
brk
# ARM private syscalls
breakpoint
cacheflush
get_tls
set_tls
usr26
usr32
capget
# AppArmor mediates capabilities, so allow capset (useful for apps that for
# example want to drop capabilities)
capset
chdir
fchdir
# We can't effectively block file perms due to open() with O_CREAT, so allow
# chmod until we have syscall arg filtering (LP: #1446748)
chmod
fchmod
fchmodat
# Daemons typically run as 'root' so allow chown to 'root'. DAC will prevent
# non-root from chowning to root.
# (chown root:root)
chown - u:root g:root
chown32 - u:root g:root
fchown - u:root g:root
fchown32 - u:root g:root
fchownat - - u:root g:root
lchown - u:root g:root
lchown32 - u:root g:root
# (chown root)
chown - u:root -1
chown32 - u:root -1
fchown - u:root -1
fchown32 - u:root -1
fchownat - - u:root -1
lchown - u:root -1
lchown32 - u:root -1
# (chgrp root)
chown - -1 g:root
chown32 - -1 g:root
fchown - -1 g:root
fchown32 - -1 g:root
fchownat - - -1 g:root
lchown - -1 g:root
lchown32 - -1 g:root
clock_getres
clock_getres_time64
clock_gettime
clock_gettime64
clock_nanosleep
clock_nanosleep_time64
clone
close
# needed by ls -l
connect
chroot
creat
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
execve
execveat
_exit
exit
exit_group
fallocate
# requires CAP_SYS_ADMIN
#fanotify_init
#fanotify_mark
fcntl
fcntl64
flock
fork
ftime
futex
futex_time64
get_mempolicy
get_robust_list
get_thread_area
getcpu
getcwd
getdents
getdents64
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
getitimer
getpgid
getpgrp
getpid
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
ugetrlimit
getrusage
getsid
gettid
gettimeofday
getuid
getuid32
getxattr
fgetxattr
lgetxattr
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
# TIOCSTI allows for faking input (man tty_ioctl)
# TODO: this should be scaled back even more
ioctl - !TIOCSTI
io_cancel
io_destroy
io_getevents
io_pgetevents
io_pgetevents_time64
io_setup
io_submit
ioprio_get
# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
#ioprio_set
ipc
kill
link
linkat
listxattr
llistxattr
flistxattr
lseek
llseek
_llseek
lstat
lstat64
madvise
fadvise64
fadvise64_64
arm_fadvise64_64
mbind
membarrier
memfd_create
mincore
mkdir
mkdirat
mlock
mlock2
mlockall
mmap
mmap2
# Allow mknod for regular files, pipes and sockets (and not block or char
# devices)
mknod - |S_IFREG -
mknodat - - |S_IFREG -
mknod - |S_IFIFO -
mknodat - - |S_IFIFO -
mknod - |S_IFSOCK -
mknodat - - |S_IFSOCK -
modify_ldt
mprotect
# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
#mq_getsetattr
#mq_notify
#mq_open
#mq_timedreceive
#mq_timedreceive_time64
#mq_timedsend
#mq_timedsend_time64
#mq_unlink
mremap
msgctl
msgget
msgrcv
msgsnd
msync
munlock
munlockall
munmap
nanosleep
# Argument filtering with gt/ge/lt/le does not work properly with
# libseccomp < 2.4 or golang-seccomp < 0.9.1. See:
# - https://bugs.launchpad.net/snapd/+bug/1825052/comments/9
# - https://github.com/seccomp/libseccomp/issues/69
# Eventually we want to use >=0, but we need libseccomp and golang-seccomp to
# be updated everywhere first. In the meantime, use <=19 and rely on the fact
# that AppArmor mediates CAP_SYS_NICE (and for systems without AppArmor, we
# ignore this lack of mediation since snaps are not meaningfully confined).
#
# Allow using nice() with default or lower priority
nice <=19
# Allow using setpriority to set the priority of the calling process to default
# or lower priority (eg, 'nice -n 9 <command>')
setpriority PRIO_PROCESS 0 <=19
# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
open
openat
pause
personality
pipe
pipe2
poll
ppoll
ppoll_time64
# LP: #1446748 - support syscall arg filtering
prctl
arch_prctl
read
pread
pread64
preadv
readv
readahead
readdir
readlink
readlinkat
# allow reading from sockets
recv
recvfrom
recvmsg
recvmmsg
recvmmsg_time64
remap_file_pages
removexattr
fremovexattr
lremovexattr
rename
renameat
renameat2
# The man page says this shouldn't be needed, but we've seen denials for it
# in the wild
restart_syscall
rmdir
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_sigtimedwait_time64
rt_tgsigqueueinfo
sched_getaffinity
sched_getattr
sched_getparam
sched_get_priority_max
sched_get_priority_min
sched_getscheduler
sched_rr_get_interval
sched_rr_get_interval_time64
# enforce pid_t is 0 so the app may only change its own scheduler and affinity.
# Use process-control interface for controlling other pids.
sched_setaffinity 0 - -
sched_setparam 0 -
# 'sched_setscheduler' without argument filtering was allowed in 2.21 and
# earlier and 2.22 added 'sched_setscheduler 0 - -', introducing LP: #1661265.
# For now, continue to allow sched_setscheduler unconditionally.
sched_setscheduler
sched_yield
# Allow configuring seccomp filter. This is ok because the kernel enforces that
# the new filter is a subset of the current filter (ie, no widening
# permissions)
seccomp
select
_newselect
pselect
pselect6
pselect6_time64
# Allow use of SysV semaphores. Note that allocated resources are not freed by
# OOM which can lead to global kernel resource leakage.
semctl
semget
semop
semtimedop
semtimedop_time64
# allow sending to sockets
send
sendto
sendmsg
sendmmsg
sendfile
sendfile64
# These break isolation but are common and can't be mediated at the seccomp
# level with arg filtering
setpgid
setpgrp
set_thread_area
setitimer
# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
# limits
setrlimit
prlimit64
set_mempolicy
set_robust_list
setsid
set_tid_address
setxattr
fsetxattr
lsetxattr
shmat
shmctl
shmdt
shmget
shutdown
signal
sigaction
signalfd
signalfd4
sigaltstack
sigpending
sigprocmask
sigreturn
sigsuspend
sigtimedwait
sigwaitinfo
# AppArmor mediates AF_UNIX/AF_LOCAL via 'unix' rules and all other AF_*
# domains via 'network' rules. We won't allow bare 'network' AppArmor rules, so
# we can allow 'socket' for all domains except AF_NETLINK and let AppArmor
# handle the rest.
socket AF_UNIX
socket AF_LOCAL
socket AF_INET
socket AF_INET6
socket AF_IPX
socket AF_X25
socket AF_AX25
socket AF_ATMPVC
socket AF_APPLETALK
socket AF_PACKET
socket AF_ALG
socket AF_CAN
socket AF_BRIDGE
socket AF_NETROM
socket AF_ROSE
socket AF_NETBEUI
socket AF_SECURITY
socket AF_KEY
socket AF_ASH
socket AF_ECONET
socket AF_SNA
socket AF_IRDA
socket AF_PPPOX
socket AF_WANPIPE
socket AF_BLUETOOTH
socket AF_RDS
socket AF_LLC
socket AF_TIPC
socket AF_IUCV
socket AF_RXRPC
socket AF_ISDN
socket AF_PHONET
socket AF_IEEE802154
socket AF_CAIF
socket AF_NFC
socket AF_VSOCK
socket AF_MPLS
socket AF_IB
# For usrsctp, AppArmor doesn't support 'network conn,' since AF_CONN is
# userspace and encapsulated in other domains that are mediated. As such, do
# not allow AF_CONN by default here.
# socket AF_CONN
# For AF_NETLINK, we'll use a combination of AppArmor coarse mediation and
# seccomp arg filtering of netlink families.
# socket AF_NETLINK - -
# needed by snapctl
getsockopt
setsockopt
getsockname
getpeername
# Per man page, on Linux this is limited to only AF_UNIX so it is ok to have
# in the default template
socketpair
splice
stat
stat64
fstat
fstat64
fstatat64
lstat
newfstatat
oldfstat
oldlstat
oldstat
statx
statfs
statfs64
fstatfs
fstatfs64
statvfs
fstatvfs
ustat
symlink
symlinkat
sync
sync_file_range
sync_file_range2
arm_sync_file_range
fdatasync
fsync
syncfs
sysinfo
syslog
tee
tgkill
time
timer_create
timer_delete
timer_getoverrun
timer_gettime
timer_gettime64
timer_settime
timer_settime64
timerfd
timerfd_create
timerfd_gettime
timerfd_gettime64
timerfd_settime
timerfd_settime64
times
tkill
truncate
truncate64
ftruncate
ftruncate64
umask
uname
olduname
oldolduname
unlink
unlinkat
utime
utimensat
utimensat_time64
utimes
futimesat
vfork
vmsplice
wait4
oldwait4
waitpid
waitid
write
writev
pwrite
pwrite64
pwritev
# Allow these and rely on AppArmor to mediate CAP_SETUID and CAP_SETGID. When
# dropping to particular UID/GIDs, we'll use a different set of
# argument-filtered syscalls.
setgid
setgid32
setregid
setregid32
setresgid
setresgid32
setresuid
setresuid32
setreuid
setreuid32
setuid
setuid32
I can reproduce this. What appears to be the problem is that the /usr/lib/snapd/snap-seccomp on your host system isn’t new enough to understand the chown - u:root -1 line, and snap-seccomp does not re-exec it seems (I would have assumed that it would). This is because /usr/lib/snapd/snap-seccomp on your host system comes from the snapd deb, which it appears is from the bionic-security pocket at version 2.37 and thus is too old to understand the new system-usernames specification with the chown line.
What you can do in the meantime is always use snap-seccomp from the snapd and/or core snaps instead of from the deb by running /snap/{snapd,core}/current/usr/lib/snapd/snap-seccomp ..., or you can upgrade the version of snapd from the deb to the one from bionic-updates.
