/snapd

interfaces/builtin: add dbus-bind interface #1446

Closed
wants to merge 32 commits into
from

Conversation

Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@jdstrand @niemeyer
@jdstrand
Contributor

jdstrand commented Jun 29, 2016
Edited 1 time

This implements dbus-bind in support of 'Apps can't own session bus names'. The bug report recommended this as a starting point for discussion:

plugs:
  my-dbus-bind:
    interface: dbus-bind
    system:
    - org.gnome.Foo
    session:
    - org.gnome.Bar

This branch implements that except I switched plugs and slots. I did this because I was thinking about how the DBus bind to a well-known name suggests the snap is providing a service for other snaps to use and envisioned connecting snaps together, much like how we are doing with the mpris interface. Then I got to thinking about it and decided to implement the plugs side so that we could connect apps and have them talk over dbus. Eg, a gnome app might do:

name: gnome-logs
slots:
  dbus-bind:
    session:
    - org.gnome.Logs

Then another gnome app that wants to talk to gnome-logs would do:

name: gnome-logs-consumer
plugs:
  dbus-bind:
    session:
    - org.gnome.Logs

gnome-logs is allowed to bind to org.gnome.Logs after install so it needs nothing extra, but gnome-logs and gnome-logs-consumer need to be connected with snap connect gnome-logs:dbus-bind gnome-logs-consumer:dbus-bind. On classic systems this is still in effect, but we also allow unconfined to talk to the service (like we did with mpris).

As a result, this is actually a generalized way for snaps to coordinate and connect via DBus that doesn't require privileged access to the system. It intentionally doesn't worry about auto-start and DBus policy files since those sorts of things are handled by the DBus backend. We could in theory auto-connect snaps that are from the same publisher like we did with the content interface if that is interesting for people.

I think people were initially thinking that this interface would be transitional and only for classic, but I don't think it needs to be since it is a way to connect snaps together in interesting ways. That said, we probably want to adjust the review tools for the native case to warn (ie, human review) when the name attribute does not end with $SNAP_NAME to avoid namespace collisions (note, we could enforce snap.$SNAP_NAME.*, but the world has settled on reverse domain names for dbus well-known names so we should at least begin thinking about that. Note 2, ending with $SNAP_NAME is of course imperfect because people could choose whatever reverse domain they want). We could also simply trigger a manual review if specifying dbus-bind as a slot until we decide how to work all this out.

Fixes: LP#1590679

jdstrand added some commits Jun 22, 2016

@jdstrand
interfaces: add preliminary dbus-bind (TODO: attributes)
a289901
@jdstrand
implement SanitizeSlot with tests
94736b4
@jdstrand
perform substitutions in PermanentSlotAppArmor policy
57fb199
@jdstrand
Merge remote-tracking branch 'upstream/master' into dbus-bind
8b7e9f3
@jdstrand
update comments and documentation
98c39de
@jdstrand
Merge remote-tracking branch 'upstream/master' into dbus-bind
413e19c
@jdstrand
update receive and send rules for talking with dbus-daemon
a624250
@jdstrand
add connected plug and connected slot policy. improve tests
34dd46f
@jdstrand
Merge remote-tracking branch 'upstream/master' into dbus-bind
eb2d79b
@jdstrand
add interfaces.SecurityMount to PermanentSlotSnippet
2345399
@jdstrand
BROKEN TEST BRANCH 
Test with:
 go build -tags=excludeintegration -v github.com/snapcore/snapd/... && go test
-tags=excludeintegration -v github.com/snapcore/snapd/interfaces/builtin
969be86
@jdstrand
revert last commit
b743fe7
@jdstrand
Merge remote-tracking branch 'upstream/master' into dbus-bind
af16d22
@jdstrand
start conversion to proposed yaml
2f73a16
@jdstrand
update SanitizeSlot and tests for getBusNames()
24fd251
@jdstrand
remove dbusBindBusNames, iterate through names for policy (TODO: clea… 
…nup)
12721f0
@jdstrand
abstract out shared and individual dbus name rules, fix testsuite
0a62fc2
@jdstrand
update TestPermanentSlotAppArmorSystem() to test abstraction
a978d37
@jdstrand
abstract out AppArmor abstraction calculation
22aeba5
@jdstrand
abstract out individual policy generation to getAppArmorIndividualSni… 
…ppet()
6a865ce
@jdstrand
update comments and shuffle code around
4861623
@jdstrand
update docs, implement plugs, refactor tests, add tests
a6af67f
@jdstrand
Merge remote-tracking branch 'upstream/master' into dbus-bind
ab91e06
@jdstrand
add Introspectable policy
c2da833
@jdstrand
go fmt changes
7954f99
@jdstrand
fix a couple typos and a the mocked test yaml
ce961f0
@jdstrand
ensure that connections specify the same bus and name
11d768c
@jdstrand
non-existent plug should skip. non-existent slot should error
4915bd9
@jdstrand
don't autoconnect

Some checks were not successful

1 failing and 2 successful checks
continuous-integration/travis-ci/pr — The Travis CI build failed
Details
@snappy-m-o
Integration tests — Success
Details
@snappy-m-o
autopkgtest — Success
Details
28577f9
@jdstrand
Merge remote-tracking branch 'upstream/master' into dbus-bind

All checks have passed

3 successful checks
@snappy-m-o
Integration tests — Success
Details
@snappy-m-o
autopkgtest — Success
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
26b8e2e
@jdstrand
fix copy and waste in auto connect test

All checks have passed

3 successful checks
@snappy-m-o
Integration tests — Success
Details
@snappy-m-o
autopkgtest — Success
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
fa105bd
interfaces/builtin/dbus_bind.go
+var dbusBindConnectedSlotAppArmorIndividual = []byte(`
+# Description: Allow DBus consumer to connect to ###DBUS_BIND_NAME###
+
+# Communicate with the well-known named DBus service
@niemeyer

niemeyer Jul 6, 2016

Contributor

This seems a bit strange, or perhaps I just misunderstand what it is. The name "bind" implies we're allowing the snap to bind into the given location, of course. But then what is a "consumer of a dbus bind service", and what are we allowing the plug to do here?

Note that just like we don't have a generic "file" interface, we also probably don't want a generic "dbus" interface that allows anything at all to communicate with anything at all without a slightly more well defined context.

@jdstrand

jdstrand Jul 8, 2016
Edited 1 time

Contributor

First off, this PR represents an exploration of what we could do, why that might be good and the considerations around it.

This is implementing a generic dbus interface. The bind allows binding to a given location, as you mentioned, and we could stop there to unblock gnome apps which I think is what people were expecting. However, I implemented that and got to thinking "why are these gnome apps doing this?" and came to the conclusion that it was so that they could integrate with the shell and the user's session, so I added 'unconfined' rules for that. Then it occurred to me that if we stopped there we would have a bug request next week or next month saying "gnome apps can't interoperate with each other" so I implemented how to connect snaps together in the manner described by this PR.

Now, interfaces are a form of contract and this particular contract is extremely loose-- all it says is once connected you can communicate with whatever methods you want. In practice this is 'probably' ok because this will be used with freedesktop.org standards and stuff 'probably' won't break. But 'probably' is again not a strong contract. I mentioned that we could explore the concept of auto-connecting based on if the publisher matches, and I think if we use this generic approach we should do this (much like with the content interface).

So as an exploration, this is interesting and while I was implementing this I was inspired by the content interface since I think there are many parallels. Where the content interface says "here is a location with a bunch of stuff I assume you know what to do with", the dbus-bind interface says "here is a well-known dbus name with an API I assume you know how to use". If we treat dbus-bind similarly in terms of auto-connecting, I was able to imagine a gnome ecosystem really starting to take off-- ie, gnome developers have a content snap and they develop gnome snaps that autoconnect to this content snap, and those developers may use dbus-bind in their snaps and they autoconnect. Beyond gnome, I thought this might be useful for KDE (snaps from KDE devs), Ubuntu Personal (from Canonical devs), etc. Also, like with the content sharing interface, the user is allowed to manually connect snaps from different publishers at their discretion.

I'm happy to adjust this PR as necessary to scale it back, put more constraints, go another direction, etc as we continue to explore this concept.

@niemeyer

niemeyer Jul 8, 2016

Contributor

Note that the content interface is constrained to snaps of the same publisher only, or specially whitelisted cases.

That said, perhaps we can build something more generic for dbus, based on the fact we get the name of the interface allowed.

Let's discuss that at the sprint.

interfaces/builtin/dbus_bind.go
+`)
+
+var dbusBindConnectedPlugAppArmorIndividual = []byte(`
+# Communicate with the well-known named DBus service ###DBUS_BIND_NAME###
@niemeyer

niemeyer Jul 6, 2016

Contributor

Same as above. Sounds like this is becoming "dbus" rather than "dbus-bind".

@niemeyer niemeyer changed the title from interfaces: add dbus-bind (LP: #1590679) to interfaces/builtin: add dbus-bind interface Jul 6, 2016

@gnunn1 gnunn1 referenced this pull request in gnunn1/tilix Jul 26, 2016

Closed

Need package maintainers #25

@jdstrand
Contributor

jdstrand commented Jul 27, 2016

From another thread:

"On Wed, 2016-07-27 at 10:37 +0200, Gustavo Niemeyer wrote:

It's not clear to me we want to have that general dbus interface yet. It's
convenient, as it unblocks at once every single dbus use case. The
unfortunate side of doing so is that we lose some clarity and control at
the snapd level.

The alternative to that is having proper interfaces.. for example,
"network-manager", "location-control", etc.
"

The case of network-manager and location-control is clear: these are bona-fide services that many applications need and a proper interface is desired. Indeed, we have interfaces for those already. :)

What I was exploring in the dbus-bind PR was that some desktop environments promote the use of well-known dbus names for their leaf applications so that the applications better integrate into the desktop environment and applications within that environment can access each other more freely (AIUI). This is a design decision of these desktop environments.

If we extend the thinking of 'proper interfaces' to these leaf applications, it means that we will have an interface for Terminix, Rhythmbox, Evolution, Totem, Kmail, etc, etc. I don't think that is particularly useful or desired because new applications in these environments will always need new interfaces, we'll always be in the way and the number of interfaces will be unwieldy. I personally don't want to go down that path.

As mentioned in the PR, we can get out of the way fast by simply allowing the bind but not the communication which is what we discussed in the bug (and why the interface is named 'dbus-bind' currently). The snap itself should then function fine as a leaf application. If there is concern about the interface being too generic, this is the approach I would recommend.

I'd still like people to consider thinking about this more in terms of how we think about content sharing though. Since these well-known dbus names are being registered for a reason (to better integrate), it makes some sense to support that for snaps from the same publisher so that gnome devs can create a proper gnome experience with their snaps, and kde devs can create a proper kde experience with their snaps. Implementation-wise, we do something akin to the exploration in the PR, but we limit the connections to be from the same publisher.

In that light, I agree that 'dbus-bind' may not be quite right for the name, but I think 'dbus' may be too generic of a name for the interface because we aren't supporting all of what dbus can do, only app to app communications through a well-known name. I'm not sure what the alternative would be... dbus-app? (kinda icky but at least hints at what it is trying to do)
@jdstrand
Contributor

jdstrand commented Jul 27, 2016

From another thread:

"On Wed, 2016-07-27 at 10:37 +0200, Gustavo Niemeyer wrote:

It's not clear to me we want to have that general dbus interface yet. It's
convenient, as it unblocks at once every single dbus use case. The
unfortunate side of doing so is that we lose some clarity and control at
the snapd level.

The alternative to that is having proper interfaces.. for example,
"network-manager", "location-control", etc.
"

The case of network-manager and location-control is clear: these are bona-fide services that many applications need and a proper interface is desired. Indeed, we have interfaces for those already. :)

What I was exploring in the dbus-bind PR was that some desktop environments promote the use of well-known dbus names for their leaf applications so that the applications better integrate into the desktop environment and applications within that environment can access each other more freely (AIUI). This is a design decision of these desktop environments.

If we extend the thinking of 'proper interfaces' to these leaf applications, it means that we will have an interface for Terminix, Rhythmbox, Evolution, Totem, Kmail, etc, etc. I don't think that is particularly useful or desired because new applications in these environments will always need new interfaces, we'll always be in the way and the number of interfaces will be unwieldy. I personally don't want to go down that path.

As mentioned in the PR, we can get out of the way fast by simply allowing the bind but not the communication which is what we discussed in the bug (and why the interface is named 'dbus-bind' currently). The snap itself should then function fine as a leaf application. If there is concern about the interface being too generic, this is the approach I would recommend.

I'd still like people to consider thinking about this more in terms of how we think about content sharing though. Since these well-known dbus names are being registered for a reason (to better integrate), it makes some sense to support that for snaps from the same publisher so that gnome devs can create a proper gnome experience with their snaps, and kde devs can create a proper kde experience with their snaps. Implementation-wise, we do something akin to the exploration in the PR, but we limit the connections to be from the same publisher.

In that light, I agree that 'dbus-bind' may not be quite right for the name, but I think 'dbus' may be too generic of a name for the interface because we aren't supporting all of what dbus can do, only app to app communications through a well-known name. I'm not sure what the alternative would be... dbus-app? (kinda icky but at least hints at what it is trying to do)
@jdstrand
Merge remote-tracking branch 'upstream/master' into dbus-bind

All checks have passed

3 successful checks
@snappy-m-o
Integration tests — Success
Details
@snappy-m-o
autopkgtest — Success
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
1d0019b
@jdstrand
Contributor

jdstrand commented Aug 1, 2016

Based on conversation outside of this PR, it sounds like:

  • we should only allow the bind for now, not the communication. Once we understand better what might communicate with one another, we can add back the communication
  • future assertions work will allow for auto-approval once the assertion is granted for binding to this interface. In the short term, adjust the review tools to do a cheap check (if snapname is 'foo' and bind interface is 'bar', auto-approve, else manual)
  • the interface could be named 'dbus-app', comments? While we aren't going to allow communications today, it seems we want to some day. Therefore I think 'dbus-app' makes a lot of sense.

I'm going to close this PR and submit another one so that the code surrounding communications/etc can be more easily referred back to.

@jdstrand jdstrand closed this Aug 1, 2016

jdstrand added a commit to jdstrand/snapd that referenced this pull request Aug 1, 2016

@jdstrand
add dbus-app interface (LP: #1590679) 
This implements dbus-app in support of 'Apps can't own session bus names'. An
exploratory PR is found in: snapcore#1446 but
that PR was more than what is needed and it was decided we should implement a
subset of that to address the bug, and then revisit once more details are
available.

In this PR, we allow dbus binding to a well-known name via 'slots':

  name: gnome-logs
  slots:
    interface: dbus-app
    session:
    - org.gnome.Logs

We use 'slots' instead of plugs because the application performing the bind on
dbus is providing a service end point for other dbus processes to communicate
with. In this implementation, on all-snaps systems we do not allow any
communications to the slot implementation (ie, it may only bind, not send or
receive) and on classic systems we allow communications from unconfined
processes to the slot implementation. In this manner, the snap using this
interface can bind to the dbus well-known name without issue (permanent slot
is unconditionally granted) and it may operate as a leaf application in
all-snaps and classic environments.

Since we know that some applications bind to multiple well-known names, an app
is allowed to bind to any number of names.

Since well-known DBus names are rather free-form and don't typically conform to
the snap name and because snaps sometimes need to bind to multiple well-known
names, the store will ensure that snaps from different publishers do not
collide. Future assertions work will allow for auto-approval in the store once
the assertion is granted for binding to the well-known name. In the short term,
we will adjust the review tools to do an easy check (if snapname is 'foo' and
bind interface is 'bar', auto-approve, else manual).

t#
0e80dfc

@jdstrand jdstrand referenced this pull request Aug 1, 2016

Merged

interfaces/builtin: add dbus interface #1613

@jdstrand
Contributor

jdstrand commented Aug 1, 2016

The new PR for dbus-app is #1613

@jdstrand jdstrand deleted the jdstrand:dbus-bind branch May 5, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment