Attaching screenshots.

Deleted: kinit.jpg 742 KB

	kinit.jpg 742 KB View Download

Deleted: kinit2.jpg 745 KB

	kinit2.jpg 745 KB View Download

And here should be the complete logs: https://drive.google.com/open?id=0Bw8lTgN09o0qaUQ0c3JFc015TVU

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/4b19b7972adf4833702e5f435db75bf992997d10

commit 4b19b7972adf4833702e5f435db75bf992997d10
Author: Lutz Justen <ljusten@chromium.org>
Date: Fri Jan 13 16:02:44 2017

authpolicy: Add support for toggling seccomp filtering behavior

Adds a simple way to set flags in authpolicyd for toggling seccomp
filter behavior. Simply write 'log_seccomp' or 'disable_seccomp' to
/etc/authpolicyd_flags and restart authpolicyd. This is safe as /etc
is usually mounted read-only unless it's explicitly made writable on a
test image.

Note that seccomp failure logging is a debug feature, it shouldn't be
enabled by default.

BUG= chromium:680082 
TEST=Tested setting both flags, works as expected

Change-Id: Ib276b0cf0a3a07fc6a168d2f618272d1446bd9d2
Reviewed-on: https://chromium-review.googlesource.com/427704
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/4b19b7972adf4833702e5f435db75bf992997d10/authpolicy/process_executor.cc
[modify] https://crrev.com/4b19b7972adf4833702e5f435db75bf992997d10/authpolicy/process_executor.h
[modify] https://crrev.com/4b19b7972adf4833702e5f435db75bf992997d10/authpolicy/samba_interface.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/6df3b21fce72810ae17fc0044d782f92da7bb1d5

commit 6df3b21fce72810ae17fc0044d782f92da7bb1d5
Author: Lutz Justen <ljusten@chromium.org>
Date: Mon Jan 16 10:36:40 2017

authpolicy: Enable/fix seccomp filter failure logging

Previously, seccomp filter failures could not be logged since binaries
had to be executed without Minijail's preload library. This caused the
signal handler that logs failures to be wiped by execve since the handler
is installed before execve is called.

The reason the preload library could not be used is that authpolicyd uses
a saved uid (see setresuid) to switch to authpolicyd-exec in minijail.
The saved uid, however, is wiped by execve, so minijail can't switch
to it in the preload library.

This CL switches to authpolicyd-exec in authpolicy code before minijail
is run. This allows using the preload library and seccomp filter logging
works fine.

BUG= chromium:680082 
TEST=Tested setting both flags, works as expected

Change-Id: If34e961fcbc37be111c066f6d32a84b256f5bba9
Reviewed-on: https://chromium-review.googlesource.com/427705
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/6df3b21fce72810ae17fc0044d782f92da7bb1d5/authpolicy/process_executor.cc
[modify] https://crrev.com/6df3b21fce72810ae17fc0044d782f92da7bb1d5/authpolicy/process_executor.h
[modify] https://crrev.com/6df3b21fce72810ae17fc0044d782f92da7bb1d5/authpolicy/samba_interface.cc

Miguel, could you try again? We probably didn't fix it, but we can debug it now. If during device policy fetch kinit crashes again with signal 31, create a flags file (as root)
  mount -o remount,rw /
  echo “log_seccomp” > /etc/authpolicyd_flags
  restart authpolicyd
This should enable logging for these kinds of errors. The logs should contain something like
  blocked syscall: <syscall_name>
Can you see if you can get the logs for the blocked syscall? If you feel adventurous, you can also add the syscall to
  /usr/share/policy/kinit-seccomp.policy
and try again. This will whitelist the syscall, but you might run into further seccomp failures.

To disable seccomp filtering, write disable_seccomp instead of log_seccomp to the flags file. This should allow you further testing.

See also Troubleshooting section in
https://drive.google.com/open?id=1Xsj19HXGdoI9QSfgqw1zyesXepqqqJantQzemHfPV-8

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/9ff6ed12972f3d8d96f23237a85c51962f42790e

commit 9ff6ed12972f3d8d96f23237a85c51962f42790e
Author: Thiemo Nagel <tnagel@chromium.org>
Date: Wed Jan 18 20:05:20 2017

authpolicy: Add uname to kinit seccomp filters

Was hit by Krishna on peppy 9195.0.0;57.0.2984.0.

BUG= 680082 
TEST=manual

Change-Id: I16f6494d7fa34a0be2518beb0461a5d2377cd66e
Reviewed-on: https://chromium-review.googlesource.com/430011
Commit-Ready: Thiemo Nagel <tnagel@chromium.org>
Tested-by: Thiemo Nagel <tnagel@chromium.org>
Reviewed-by: Zentaro Kavanagh <zentaro@google.com>

[modify] https://crrev.com/9ff6ed12972f3d8d96f23237a85c51962f42790e/authpolicy/seccomp_filters/kinit-seccomp.policy

Are we sure this is the only syscall that has to be added? They often come in bunches. To speed up the process, it might be more efficient if Krishna adds the syscall himself or we send him a fixed filter file for verification.

Haven't heard back about any problems and mcandia@ was able to join, auth and fetch GPO, so closing this for now.

Tested this on Lars:9202.11.0;57.0.2987.19.
Was successfully able to 'do a AD Domain Join' and Device policies were loaded. 
Was able to sign into an user- User polices were loaded and applied.
Policy Reload of User and Device policies worked.
Will test another device with a 3.18 Kernel when we run our 'multiple device Chromad sanity test pass'. 
Didn't need to disable seccomp.
Didn't see any seccomp failures. Looks like the syscall updates to the filter  works. 
Leaving this bug in fixed status as Testing phase is ongoing. 

bulk Verify of older or not-user-facing Chromad bugs