Seccomp filters on the Ubuntu Phone

The officially-supported Ubuntu Phones run pretty old kernels. The Nexus 4 and BQ phones all run v3.4, and the Meizu MX4 runs v3.10. Device kernels typically lag a bit behind since so much effort goes into making them compatible with the hardware, but this posed a bit of a complication since the Click confinement model utilizes features of AppArmor v3, which isn't even released yet. However, we like to push the envelope here at Canonical, so we backported it into our phone kernels anyway. Unfortunately, Snappy is another story entirely.

The Snappy confinement model utilizes not only AppArmor, but seccomp filters and cgroups (there's probably more in there somewhere, too). Unfortunately, while seccomp has been around for a while, seccomp filters weren't introduced until v3.5, which means Snappy won't run on our current phones.

Until now (pretend I had a narrator voice).

Seccomp filters have now been backported to and enabled on all supported Ubuntu phone kernels, allowing them to run Snappy and .snaps fully confined. These changes are hanging around in -proposed, and will be included in OTA9, which is currently set to release on January 27th.

That's not to say that our current phones will ever move entirely to Snappy-- that's not my call, and Snappy isn't ready yet anyway. But at least the underlying support is there.
