i/builtin: allow @ in custom-device filepaths #14651
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #14651 +/- ##
==========================================
+ Coverage 78.95% 79.01% +0.06%
==========================================
Files 1084 1085 +1
Lines 146638 147512 +874
==========================================
+ Hits 115773 116558 +785
- Misses 23667 23725 +58
- Partials 7198 7229 +31
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
Need to modify the slot so that the |
|
CC @jslarraz we might need to update review-tools to also allow this |
interfaces/builtin/custom_device.go
Outdated
|
|
||
| // Validating regexp for udev device names. | ||
| // We forbid: | ||
| // - `|`: it's valid for udev, but more work for us | ||
| // - `{}`: have a special meaning for AppArmor | ||
| // - `@`: denotes a variable in AppArmor |
There was a problem hiding this comment.
I am not sure this is entirely correct, looking at apparmor.d manpage, a variable is defined to have this format:
VARIABLE = '@{' ALPHA [ ( ALPHANUMERIC | '_' ) ... ] '}'
I am also told that folks are using system-files as a workaround, which means that AppArmor parser may actually be happy with paths containing @ as long as it's not @{..}. I'm guessing, it's likely @ does not need escaping at all in this case, since the profiles worked for system-files? At the same time, I suspect that system-files may simply not validate the path correctly, so it'd be great to align both interface implementations to use common code for validation.
There was a problem hiding this comment.
@alexmurray @jslarraz do you know what are the rules around @ in profiles is it's not part of a variable reference nor denotes an abstract unit socket path?
There was a problem hiding this comment.
My motivation behind prohibiting @ in device paths was to preserve the existing behavior, while allowing @ for filepaths. But there's not a technical reason for this, I just wanted to minimize the change in behavior.
Regarding usage of @, I think there are cases where @ has a special meaning in profiles without being followed by {. Some examples from the manpage:
the @ character, similar to how they are reported (as paths) by netstat
-x. The address then follows and may contain pattern matching and any
characters including the null character. In apparmor null characters
must be specified by using an escape sequence \000 or \x00. The pattern
matching is the same as is used by file path matching so * will not
match / even though it has no special meaning with in an abstract
socket name. Eg.
unix addr=@*,
# Allow SOCK_STREAM connect, receive and send on an abstract socket @bar
# with peer running under profile '/foo'
unix (connect, receive, send) type=stream peer=(label=/foo,addr="@bar"),
# Allow accepting connections from and receiving from peer running under
# profile '/bar' on abstract socket '@foo'
unix (accept, receive) addr=@foo peer=(label=/bar),
But these examples all pertain to unix sockets, not filepaths, so probably it would be fine to not escape @ in filepaths? Though then we need to ensure that filepaths don't contain @{, as right now they can contain {} characters (though device paths cannot). I do think it is safe to universally escape @ symbols, if that would be simpler. I'd be interested to hear what the security people think :)
There was a problem hiding this comment.
I think abstract sockets have somewhat unusual apparmor names, at least in audit messages. I don't recall how this behaves in the parser though. I could check quickly and report back.
|
If feels like we need a test to actually prove whatever we end up doing works? |
interfaces/builtin/custom_device.go
Outdated
|
|
||
| // Validating regexp for udev device names. | ||
| // We forbid: | ||
| // - `|`: it's valid for udev, but more work for us | ||
| // - `{}`: have a special meaning for AppArmor | ||
| // - `@`: denotes a variable in AppArmor |
There was a problem hiding this comment.
I think abstract sockets have somewhat unusual apparmor names, at least in audit messages. I don't recall how this behaves in the parser though. I could check quickly and report back.
olivercalder
force-pushed
the
SNAPDENG-32542-allow-at-in-paths
branch
from
53deba2
to
27757ed
Compare
|
Spotted by @ZeyadYasser and myself today, there's a bug in In a separate PR, I think we should add validation that |
|
Before merging, the "escape @ ..." commit and its revert should be purged from the git log, since the associated messages are no longer correct. |
olivercalder
added
the
Needs security review
olivercalder
force-pushed
the
SNAPDENG-32542-allow-at-in-paths
branch
from
27757ed
to
4b963b0
Compare
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
AppArmor variables take the form @{foo} in rules, so we cannot allow a
specified filepath to contain substrings of this form. Such paths should
never be necessary.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
olivercalder
force-pushed
the
SNAPDENG-32542-allow-at-in-paths
branch
from
213abe7
to
8cf28da
Compare
* master: (44 commits) wrappers: do not reload activation units (canonical#14724) gadget/install: support for no{exec,dev,suid} mount flags interfaces/builtin/mount_control: add support for nfs mounts (canonical#14694) tests: use gojq - part 1 (canonical#14686) interfaces/desktop-legacy: allow DBus access to com.canonical.dbusmenu interfaces/builtin/fwupd.go: allow access to nvmem for thunderbolt plugin tests: removing uc16 executions (canonical#14575) tests: Added arm github runner to build snapd (canonical#14504) tests: no need to run spread when there are not tests matching the filter (canonical#14728) tests/lib/tools/store-state: exit on errors, update relevant tests (canonical#14725) tests: udpate the github workflow to run tests suggested by spread-filter tool (canonical#14519) testtime: add mockable timers for use in tests (canonical#14672) interface/screen_inhibit_control: Improve screen inhibit control for use on core (canonical#14134) tests: use images with 20G disk in openstack (canonical#14720) i/builtin: allow @ in custom-device filepaths (canonical#14651) tests: refactor test-snapd-desktop-layout-with-content tests: fix broken app definition tests: capitalize sentences in comments tests: wrap very long shell line tests: fix raciness in async startup and sync install ...
Allow the
@symbol to occur in filepaths for the custom-device interface. This is common in paths under/sys/, such as/sys/devices/platform/soc@0/soc@0:bus@30000000/30350000.ocotp-ctrl/imx-ocotp0/nvmem.This work is tracked internally by https://warthogs.atlassian.net/browse/SNAPDENG-32542