interfaces/utils: allow commas in filepaths #12697
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Currently, this change affects all uses of I'm very open to any comments or suggestions. Thanks! |
alexmurray
added
the
Needs security review
olivercalder
commented
Apr 6, 2023
alexmurray
approved these changes
Apr 11, 2023
There was a problem hiding this comment.
I was initially quite concerned that by allowing a comma it would then allow malicious snaps to inject arbitrary AppArmor rules and hence escape confinement as the comma is used to delimit separate AppArmor rules within AppArmor profiles.
However, there are a number of things that prevent this currently:
NewPathPattern()appears to only be used in themount-controlandcustom-deviceinterfaces, both of which need a matching snap declaration from the store to be able to be used, and so a snap publisher can only achieve the ability to inject content with the help of a store admin to grant a matching snap declaration- Both of these interfaces quote the generated path with
""which ensures that AppArmor treats the supplied argument as a complete path name rather than as say two AppArmor rules, separated by a comma.
This change does however remove an existing defensive measure to stop possible rule injection, so it will require careful attention to any new future users of NewPathPattern() to ensure they ultimately quote their final argument when emitting AppArmor rules.
So from a security point of view I am not opposed to this change as clearly it is required to allow snaps to specify a custom device path containing a comma which is a real-world use-case.
I wonder if perhaps though it would be worth parameterising NewPathPatter() with a boolean to allow / deny the use of a comma (and hence pass this parameter on to createRegex()) so that this new behaviour can be restricted to just the custom-device interface for now rather than to all / any callers of NewPathPattern() to keep things safer.
alexmurray
removed
Security-High
Needs security review
|
After a bit more discussion, it seems that there are three options regarding when to allow commas:
|
olivercalder
added a commit
to olivercalder/snapd
that referenced
this pull request
Apr 17, 2023
Rather than allowing any caller of `NewPathPattern()` to successfully validate paths containing commas, this change adds a boolean argument which explicitly specifies whether commas should be allowed in the filepath. There are some risks involved with allowing commas in filepaths (see discussion at snapcore#12697), so it is desirable to restrict when commas are allowed based on the caller. In particular, superprivileged interfaces (such as `custom-device` and `mount-control`) have valid needs for commas in filepaths, and users of these interfaces are individually verified, so it is safe for them to use `NewPathPattern()` with commas allowed. Other callers (particularly unprivileged interfaces) should probably not allow commas. I was unsure whether `overlord/hookstate/ctlcmd/mount.go` should call `NewPathPattern()` with commas allowed or not, but since commas had previously been disallowed and tests continue to pass with `allowCommas=false`, then I decided to leave it as `false`. Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
github-actions
bot
added
the
Needs Documentation -auto-
|
I opted for the second option of those listed above. I think a boolean parameter is the most flexible while minimizing duplicate code or execution paths. One question is whether |
pedronis
reviewed
Apr 18, 2023
interfaces/builtin/custom_device.go
Outdated
| @@ -76,7 +76,7 @@ func (iface *customDeviceInterface) validateFilePath(path string, attrName strin | |||
| return fmt.Errorf(`custom-device %q path is not clean: %q`, attrName, path) | |||
| } | |||
|
|
|||
| if _, err := utils.NewPathPattern(path); err != nil { | |||
| if _, err := utils.NewPathPattern(path, true); err != nil { | |||
There was a problem hiding this comment.
when we rarely use boolean args we use constants to help reading:
const allowCommas = true
... utils.NewPathPattern(path, allowCommas) ...
There was a problem hiding this comment.
this needs a corresponding unit test
ernestl
reviewed
Apr 19, 2023
ernestl
reviewed
Apr 19, 2023
ernestl
reviewed
Apr 19, 2023
|
Thanks for the review and suggestions @ernestl Since commas are allowed in filepaths on Linux generally, I don't see why it wouldn't be the case that a user of the mount-control interface might need to mount a device with a comma in its path or mount to a mount point with a comma in its path, regardless of filesystem type. However, I don't think this has yet been a problem in the field. I'm happy to restrict it to the custom-device interface, if that's desirable (particularly with respect to security review). |
Some device paths contain commas outside of groups (i.e. {a,b}) or
classes (i.e. [,.:;'"]). For example, `/dev/foo,bar` is a valid device
path which one might with to use with the custom-device interface.
Most filesystems allow commas in filepaths, as does apparmor:
https://gitlab.com/apparmor/apparmor/-/blob/master/parser/parser_regex.c#L340
Previously, createRegex() would throw an error if a comma was used
outside of a group or class. This commit removes that error and instead
treats commas outside of groups and classes as literal commas. The
accompanying tests are also adjusted to reflect this change.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Rather than allowing any caller of `NewPathPattern()` to successfully validate paths containing commas, this change adds a boolean argument which explicitly specifies whether commas should be allowed in the filepath. There are some risks involved with allowing commas in filepaths (see discussion at snapcore#12697), so it is desirable to restrict when commas are allowed based on the caller. In particular, superprivileged interfaces (such as `custom-device` and `mount-control`) have valid needs for commas in filepaths, and users of these interfaces are individually verified, so it is safe for them to use `NewPathPattern()` with commas allowed. Other callers (particularly unprivileged interfaces) should probably not allow commas. I was unsure whether `overlord/hookstate/ctlcmd/mount.go` should call `NewPathPattern()` with commas allowed or not, but since commas had previously been disallowed and tests continue to pass with `allowCommas=false`, then I decided to leave it as `false`. Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Also, switched `overlord/hookstate/ctlcmd/mount.go` to allow commas (previously did not, but this should match what is allowed in `interfaces/builtin/mount_control.go`. Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Since `,` is not a regex special character, the `QuoteMeta` call is unnecessary. Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
olivercalder
force-pushed
the
commas-in-paths
branch
from
c6c768a
to
730d51a
Compare
ernestl
approved these changes
Apr 20, 2023
pedronis
reviewed
Apr 20, 2023
…=true Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
mvo5
added a commit
that referenced
this pull request
May 27, 2023
* interfaces/utils: allow commas in filepaths
Some device paths contain commas outside of groups (i.e. {a,b}) or
classes (i.e. [,.:;'"]). For example, `/dev/foo,bar` is a valid device
path which one might with to use with the custom-device interface.
Most filesystems allow commas in filepaths, as does apparmor:
https://gitlab.com/apparmor/apparmor/-/blob/master/parser/parser_regex.c#L340
Previously, createRegex() would throw an error if a comma was used
outside of a group or class. This commit removes that error and instead
treats commas outside of groups and classes as literal commas. The
accompanying tests are also adjusted to reflect this change.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* interfaces/utils: added argument to allow commas in filepaths
Rather than allowing any caller of `NewPathPattern()` to successfully
validate paths containing commas, this change adds a boolean argument
which explicitly specifies whether commas should be allowed in the
filepath.
There are some risks involved with allowing commas in filepaths (see
discussion at #12697), so it is
desirable to restrict when commas are allowed based on the caller. In
particular, superprivileged interfaces (such as `custom-device` and
`mount-control`) have valid needs for commas in filepaths, and users of
these interfaces are individually verified, so it is safe for them to
use `NewPathPattern()` with commas allowed. Other callers (particularly
unprivileged interfaces) should probably not allow commas.
I was unsure whether `overlord/hookstate/ctlcmd/mount.go` should call
`NewPathPattern()` with commas allowed or not, but since commas had
previously been disallowed and tests continue to pass with
`allowCommas=false`, then I decided to leave it as `false`.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* interfaces/{builtin,utils}: added named variables for allowCommas
Also, switched `overlord/hookstate/ctlcmd/mount.go` to allow commas
(previously did not, but this should match what is allowed in
`interfaces/builtin/mount_control.go`.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* interfaces/utils: added unit tests for commas in paths
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* interfaces/utils: remove `QuoteMeta` when adding `","` to path regex
Since `,` is not a regex special character, the `QuoteMeta` call is
unnecessary.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* interfaces/utils: renamed TestCommasInRegex to TestCreateRegexWithCommas
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* many: added unit tests for callers of NewPathPattern with allowCommas=true
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
---------
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>
alexmurray
pushed a commit
to alexmurray/snapd
that referenced
this pull request
Oct 17, 2023
* interfaces/utils: allow commas in filepaths
Some device paths contain commas outside of groups (i.e. {a,b}) or
classes (i.e. [,.:;'"]). For example, `/dev/foo,bar` is a valid device
path which one might with to use with the custom-device interface.
Most filesystems allow commas in filepaths, as does apparmor:
https://gitlab.com/apparmor/apparmor/-/blob/master/parser/parser_regex.c#L340
Previously, createRegex() would throw an error if a comma was used
outside of a group or class. This commit removes that error and instead
treats commas outside of groups and classes as literal commas. The
accompanying tests are also adjusted to reflect this change.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* interfaces/utils: added argument to allow commas in filepaths
Rather than allowing any caller of `NewPathPattern()` to successfully
validate paths containing commas, this change adds a boolean argument
which explicitly specifies whether commas should be allowed in the
filepath.
There are some risks involved with allowing commas in filepaths (see
discussion at snapcore#12697), so it is
desirable to restrict when commas are allowed based on the caller. In
particular, superprivileged interfaces (such as `custom-device` and
`mount-control`) have valid needs for commas in filepaths, and users of
these interfaces are individually verified, so it is safe for them to
use `NewPathPattern()` with commas allowed. Other callers (particularly
unprivileged interfaces) should probably not allow commas.
I was unsure whether `overlord/hookstate/ctlcmd/mount.go` should call
`NewPathPattern()` with commas allowed or not, but since commas had
previously been disallowed and tests continue to pass with
`allowCommas=false`, then I decided to leave it as `false`.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* interfaces/{builtin,utils}: added named variables for allowCommas
Also, switched `overlord/hookstate/ctlcmd/mount.go` to allow commas
(previously did not, but this should match what is allowed in
`interfaces/builtin/mount_control.go`.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* interfaces/utils: added unit tests for commas in paths
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* interfaces/utils: remove `QuoteMeta` when adding `","` to path regex
Since `,` is not a regex special character, the `QuoteMeta` call is
unnecessary.
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* interfaces/utils: renamed TestCommasInRegex to TestCreateRegexWithCommas
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
* many: added unit tests for callers of NewPathPattern with allowCommas=true
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
---------
Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Co-authored-by: Michael Vogt <mvo@ubuntu.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Some device paths contain commas outside of groups (i.e.
{a,b}) or classes (i.e.[,.:;'"]). For example,/dev/foo,baris a valid device path which one might wish to use with the custom-device interface.Most filesystems allow commas in filepaths, as does apparmor: https://gitlab.com/apparmor/apparmor/-/blob/master/parser/parser_regex.c#L340
Previously,
createRegex()would throw an error if a comma was used outside of a group or class. This commit removes that error and instead treats commas outside of groups and classes as literal commas. The accompanying tests are also adjusted to reflect this change.