interfaces/many: deny arbitrary desktop files and misc from /usr/share

interfaces/builtin/browser_support.go

@@ -111,19 +111,23 @@ deny capability mknod,
 `
 
 const browserSupportConnectedPlugAppArmorWithSandbox = `
-# Leaks installed applications
 # TODO: should this be somewhere else?
 /etc/mailcap r,
-# Snaps should be using xdg-open from the runtime instead of reading these
-# files directly since the snap is unable to do anything with these files
-# but these accesses have been allowed for a long time and remain so as not
-# to break existing snaps. These could be changed to explicit deny rules,
-# but that provides a worse debugging experience. Combined, the risks
-# outweigh the benefits of closing this information leak for the small
-# number of snaps allowed to use allow-sandbox: true. Reference:
-# https://forum.snapcraft.io/t/cannot-open-pdf-attachment-with-thunderbird/11845
-/usr/share/applications/{,*} r,
-/var/lib/snapd/desktop/applications/{,*} r,
+
+# While /usr/share/applications comes from the base runtime of the snap, it
+# has some things that snaps actually need, so allow access to those and deny
+# access to the others. This is duplicated from desktop for compatibility with
+# existing snaps.
+/usr/share/applications/ r,
+/usr/share/applications/mimeapps.list r,
+/usr/share/applications/xdg-open.desktop r,
+# silence noisy denials from desktop files in core* snaps that aren't usable by
+# snaps
+deny /usr/share/applications/python*.desktop r,
+deny /usr/share/applications/vim.desktop r,
+deny /usr/share/applications/snap-handle-link.desktop r,  # core16
+
+# Chromium content api unfortunately needs these for normal operation
 owner @{PROC}/@{pid}/fd/[0-9]* w,
 
 # Various files in /run/udev/data needed by Chrome Settings. Leaks device

interfaces/builtin/desktop.go

@@ -158,7 +158,18 @@ dbus (receive)
 
 # Allow use of snapd's internal 'xdg-open'
 /usr/bin/xdg-open ixr,
-/usr/share/applications/{,*} r,
+# While /usr/share/applications comes from the base runtime of the snap, it
+# has some things that snaps actually need, so allow access to those and deny
+# access to the others
+/usr/share/applications/ r,
+/usr/share/applications/mimeapps.list r,
+/usr/share/applications/xdg-open.desktop r,
+# silence noisy denials from desktop files in core* snaps that aren't usable by
+# snaps
+deny /usr/share/applications/python*.desktop r,
+deny /usr/share/applications/vim.desktop r,
+deny /usr/share/applications/snap-handle-link.desktop r,  # core16
+
 dbus (send)
     bus=session
     path=/

interfaces/builtin/desktop_legacy.go

@@ -19,6 +19,13 @@
 
 package builtin
 
+import (
+	"strings"
+
+	"github.com/snapcore/snapd/interfaces"
+	"github.com/snapcore/snapd/interfaces/apparmor"
+)
+
 const desktopLegacySummary = `allows privileged access to desktop legacy methods`
 
 // While this gives privileged access to legacy methods we should auto-connect
@@ -234,13 +241,14 @@ dbus (send)
     interface=org.gtk.vfs.MountTracker
     member=LookupMount,
 
-# This leaks the names of snaps with desktop files
-/var/lib/snapd/desktop/applications/ r,
-/var/lib/snapd/desktop/applications/mimeinfo.cache r,
-# Support BAMF_DESKTOP_FILE_HINT by allowing reading our desktop files
-# parallel-installs: this leaks read access to desktop files owned by keyed
-# instances of @{SNAP_NAME} to @{SNAP_NAME} snap
-/var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,
+###SNAP_DESKTOP_FILE_RULES###
+# Snaps are unable to use the data in mimeinfo.cache (since they can't execute
+# the returned desktop file themselves). unity messaging menu doesn't require
+# mimeinfo.cache and xdg-mime will fallback to reading the desktop files
+# directly to look for MimeType. Since reading the snap's own desktop files is
+# allowed, we can safely deny access to this file (and xdg-mime will either
+# return one of the snap's mimetypes, or none).
+deny /var/lib/snapd/desktop/applications/mimeinfo.cache r,
 
 # glib-networking's GLib proxy (different than the portal's proxy service
 # org.freedesktop.portal.ProxyResolver)
@@ -261,13 +269,25 @@ accept
 accept4
 `
 
+type desktopLegacyInterface struct {
+	commonInterface
+}
+
+func (iface *desktopLegacyInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
+	snippet := strings.Join(getDesktopFileRules(plug.Snap().DesktopPrefix()), "\n")
+	spec.AddSnippet(strings.Replace(desktopLegacyConnectedPlugAppArmor, "###SNAP_DESKTOP_FILE_RULES###", snippet+"\n", -1))
+
+	return nil
+}
+
 func init() {
-	registerIface(&commonInterface{
-		name:                  "desktop-legacy",
-		summary:               desktopLegacySummary,
-		implicitOnClassic:     true,
-		baseDeclarationSlots:  desktopLegacyBaseDeclarationSlots,
-		connectedPlugAppArmor: desktopLegacyConnectedPlugAppArmor,
-		connectedPlugSecComp:  desktopLegacyConnectedPlugSecComp,
+	registerIface(&desktopLegacyInterface{
+		commonInterface: commonInterface{
+			name:                 "desktop-legacy",
+			summary:              desktopLegacySummary,
+			implicitOnClassic:    true,
+			baseDeclarationSlots: desktopLegacyBaseDeclarationSlots,
+			connectedPlugSecComp: desktopLegacyConnectedPlugSecComp,
+		},
 	})
 }

interfaces/builtin/desktop_legacy_test.go

@@ -80,6 +80,15 @@ func (s *DesktopLegacyInterfaceSuite) TestAppArmorSpec(c *C) {
 	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "# Description: Can access common desktop legacy methods")
 	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "#include <abstractions/dbus-accessibility-strict>")
 	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `peer=(addr="@/tmp/ibus/dbus-*"),`)
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `deny /var/lib/snapd/desktop/applications/mimeinfo.cache r,`)
+
+	// getDesktopFileRules() rules
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `# This leaks the names of snaps with desktop files`)
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `/var/lib/snapd/desktop/applications/ r,`)
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `/var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,`)
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `deny /var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,`)
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `deny /var/lib/snapd/desktop/applications/[^c]* r,`)
+	c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, `deny /var/lib/snapd/desktop/applications/consume[^r]* r,`)
 
 	// connected plug to core slot
 	spec = &apparmor.Specification{}

interfaces/builtin/export_test.go

@@ -37,6 +37,8 @@ var (
 	LabelExpr                   = labelExpr
 	PlugAppLabelExpr            = plugAppLabelExpr
 	SlotAppLabelExpr            = slotAppLabelExpr
+	AareExclusivePatterns       = aareExclusivePatterns
+	GetDesktopFileRules         = getDesktopFileRules
 )
 
 func MprisGetName(iface interfaces.Interface, attribs map[string]interface{}) (string, error) {

interfaces/builtin/unity7.go

@@ -62,8 +62,6 @@ owner @{HOME}/.local/share/fonts/{,**} r,
 
 # subset of gnome abstraction
 /etc/gnome/defaults.list r,
-/usr/share/gnome/applications/             r,
-/usr/share/applications/mimeinfo.cache     r,
 
 /etc/gtk-*/*                               r,
 /usr/lib{,32,64}/gtk-*/**                  mr,
@@ -80,22 +78,29 @@ owner @{HOME}/.local/share/fonts/{,**} r,
 /usr/share/icons/*/index.theme             rk,
 /usr/share/pixmaps/                        r,
 /usr/share/pixmaps/**                      r,
-/usr/share/unity/icons/**                  r,
-/usr/share/thumbnailer/icons/**            r,
-/usr/share/themes/**                       r,
 
 # The snapcraft desktop part may look for schema files in various locations, so
 # allow reading system installed schemas.
 /usr/share/glib*/schemas/{,*}              r,
-/usr/share/gnome/glib*/schemas/{,*}        r,
-/usr/share/ubuntu/glib*/schemas/{,*}       r,
 
 # Snappy's 'xdg-open' talks to the snapd-xdg-open service which currently works
 # only in environments supporting dbus-send (eg, X11). In the future once
 # snappy's xdg-open supports all snaps images, this access may move to another
-# interface.
+# interface. This is duplicated from desktop for compatibility with existing
+# snaps.
 /usr/bin/xdg-open ixr,
-/usr/share/applications/{,*} r,
+# While /usr/share/applications comes from the base runtime of the snap, it
+# has some things that snaps actually need, so allow access to those and deny
+# access to the others. This is duplicated from desktop for compatibility with
+# existing snaps.
+/usr/share/applications/ r,
+/usr/share/applications/mimeapps.list r,
+/usr/share/applications/xdg-open.desktop r,
+# silence noisy denials from desktop files in core* snaps that aren't usable by
+# snaps
+deny /usr/share/applications/python*.desktop r,
+deny /usr/share/applications/vim.desktop r,
+deny /usr/share/applications/snap-handle-link.desktop r,  # core16
 
 # This allow access to the first version of the snapd-xdg-open
 # version which was shipped outside of snapd
@@ -492,16 +497,14 @@ dbus (receive)
     member=Get*
     peer=(label=unconfined),
 
-# unity messaging menu
-# first, allow finding the desktop file
-/usr/share/applications/ r,
-# this leaks the names of snaps with desktop files
-/var/lib/snapd/desktop/applications/ r,
-/var/lib/snapd/desktop/applications/mimeinfo.cache r,
-# Support BAMF_DESKTOP_FILE_HINT by allowing reading our desktop files
-# parallel-installs: when @{SNAP_INSTANCE_DESKTOP} == @{SNAP_NAME},
-# this leaks read access to desktop files of parallel installs of the snap
-/var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,
+###SNAP_DESKTOP_FILE_RULES###
+# Snaps are unable to use the data in mimeinfo.cache (since they can't execute
+# the returned desktop file themselves). unity messaging menu doesn't require
+# mimeinfo.cache and xdg-mime will fallback to reading the desktop files
+# directly to look for MimeType. Since reading the snap's own desktop files is
+# allowed, we can safely deny access to this file (and xdg-mime will either
+# return one of the snap's mimetypes, or none).
+deny /var/lib/snapd/desktop/applications/mimeinfo.cache r,
 
 # then allow talking to Unity DBus service
 dbus (send)
@@ -670,6 +673,11 @@ func (iface *unity7Interface) AppArmorConnectedPlug(spec *apparmor.Specification
 	new = strings.Replace(new, "+", "_", -1)
 	old := "###UNITY_SNAP_NAME###"
 	snippet := strings.Replace(unity7ConnectedPlugAppArmor, old, new, -1)
+
+	old = "###SNAP_DESKTOP_FILE_RULES###"
+	new = strings.Join(getDesktopFileRules(plug.Snap().DesktopPrefix()), "\n")
+	snippet = strings.Replace(snippet, old, new+"\n", -1)
+
 	spec.AddSnippet(snippet)
 	return nil
 }

interfaces/builtin/unity7_test.go

@@ -90,6 +90,23 @@ func (s *Unity7InterfaceSuite) TestUsedSecuritySystems(c *C) {
 	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other-snap.app2"})
 	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap.app2"), testutil.Contains, `/usr/share/pixmaps`)
 	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap.app2"), testutil.Contains, `path=/com/canonical/indicator/messages/other_snap_*_desktop`)
+	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap.app2"), testutil.Contains, `deny /var/lib/snapd/desktop/applications/mimeinfo.cache r,`)
+
+	// getDesktopFileRules() rules
+	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap.app2"), testutil.Contains, `# This leaks the names of snaps with desktop files`)
+	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap.app2"), testutil.Contains, `/var/lib/snapd/desktop/applications/ r,`)
+	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap.app2"), testutil.Contains, `/var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,`)
+	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap.app2"), testutil.Contains, `deny /var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,`)
+	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap.app2"), testutil.Contains, `deny /var/lib/snapd/desktop/applications/[^o]* r,`)
+	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap.app2"), testutil.Contains, `deny /var/lib/snapd/desktop/applications/other-sna[^p]* r,`)
+
+	// connected plugs for instance name have a non-nil security snippet for apparmor
+	apparmorSpec = &apparmor.Specification{}
+	err = apparmorSpec.AddConnectedPlug(s.iface, s.plugInst, s.slot)
+	c.Assert(err, IsNil)
+	c.Assert(apparmorSpec.SecurityTags(), DeepEquals, []string{"snap.other-snap_instance.app2"})
+	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap_instance.app2"), testutil.Contains, `/usr/share/pixmaps`)
+	c.Assert(apparmorSpec.SnippetForTag("snap.other-snap_instance.app2"), testutil.Contains, `path=/com/canonical/indicator/messages/other_snap_instance_*_desktop`)
 
 	// connected plugs for instance name have a non-nil security snippet for apparmor
 	apparmorSpec = &apparmor.Specification{}

interfaces/builtin/utils.go

@@ -26,6 +26,7 @@ import (
 	"regexp"
 	"sort"
 
+	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/snap"
@@ -125,3 +126,58 @@ func verifySlotPathAttribute(slotRef *interfaces.SlotRef, attrs interfaces.Attre
 	}
 	return cleanPath, nil
 }
+
+// aareExclusivePatterns takes a string and generates deny alternations. Eg,
+// aareExclusivePatterns("foo") returns:
+// []string{
+//   "[^f]*",
+//   "f[^o]*",
+//   "fo[^o]*",
+// }
+func aareExclusivePatterns(orig string) []string {
+	// This function currently is only intended to be used with desktop
+	// prefixes as calculated by info.DesktopPrefix (the snap name and
+	// instance name, if present). To avoid having to worry about aare
+	// special characters, etc, perform ValidateDesktopPrefix() and return
+	// an empty list if invalid. If this function is modified for other
+	// input, aare/quoting/etc will have to be considered.
+	if !snap.ValidateDesktopPrefix(orig) {
+		return make([]string, 0)
+	}
+
+	s := make([]string, len(orig))
+
+	prefix := ""
+	for i, letter := range orig {
+		prefix = orig[:i]
+		s[i] = fmt.Sprintf("%s[^%c]*", prefix, letter)
+	}
+	return s
+}
+
+// getDesktopFileRules(<snap instance name>) generates snippet rules for
+// allowing access to the specified snap's desktop files in
+// dirs.SnapDesktopFilesDir, but explicitly denies access to all other snaps'
+// desktop files since xdg libraries may try to read all the desktop files
+// in the dir, causing excessive noise. (LP: #1868051)
+func getDesktopFileRules(snapInstanceName string) []string {
+	baseDir := dirs.SnapDesktopFilesDir
+
+	rules := []string{
+		"# Support applications which use the unity messaging menu, xdg-mime, etc",
+		"# This leaks the names of snaps with desktop files",
+		fmt.Sprintf("%s/ r,", baseDir),
+		"# Allowing reading only our desktop files (required by (at least) the unity",
+		"# messaging menu).",
+		"# parallel-installs: this leaks read access to desktop files owned by keyed",
+		"# instances of @{SNAP_NAME} to @{SNAP_NAME} snap",
+		fmt.Sprintf("%s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,", baseDir),
+		"# Explicitly deny access to other snap's desktop files",
+		fmt.Sprintf("deny %s/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,", baseDir),
+	}
+	for _, t := range aareExclusivePatterns(snapInstanceName) {
+		rules = append(rules, fmt.Sprintf("deny %s/%s r,", baseDir, t))
+	}
+
+	return rules
+}