asserts,interfaces/builtin,overlord/assertstate: introduce base-declaration #2037

Merged
merged 25 commits into from Sep 30, 2016

Conversation

pedronis (Collaborator)

This introduces a base-declaration assertion with the default policies (for now about interfaces) that govern all snaps.

This has the assertion definition itself and the first pass at the plumbing to have the content defined in interfaces/builtin, while the forward-compatible (with the idea to revision/distribute this through the store) interface to it is assertstate.BaseDeclaration.

The assertion is not used yet in any way.

…s term in the match errors, use the term 'constraint(s)' and the notation /alt#N/ for pinpointing alternatives in compile error messages
@pedronis pedronis added the ⚠ Critical High-priority stuff (e.g. to fix master) label Sep 30, 2016
@pedronis (Collaborator, Author)

based on #2035

@pedronis (Collaborator, Author)

@jdstrand this has the first pass at the base-declaration plumbing

var builtinBaseDeclaration *BaseDeclaration

// BuiltinBaseDeclaration exposes the initialized builtin base-declaration assertion. This is used by overlord/assertstate, other code should use assertstate.BaseDeclaration.
func BuiltinBaseDeclaration() *BaseDeclaration {
Contributor

Nice implementation of that idea.

// sanity
var _ consistencyChecker = (*BaseDeclaration)(nil)

func assembleBaseDeclaration(assert assertionBase) (Assertion, error) {
Contributor

Nice to see this so short and reusing the existing infra.

@jdstrand left a comment

We can put my 'Base declarations thoughts, part 2' in baseDeclarationHeaders in a future commit (feel free to add that yourself and I can review). This would probably be useful sooner rather than later for running the spread tests once the connection and install code is honoring the base declaration.

return err
}
if h["type"] != "base-declaration" {
return fmt.Errorf("the builtin base-declaration headers sport the wrong type")


This seems very casual for an error message.


Perhaps: wrong type specified in builtin base-declaration headers

return fmt.Errorf("the builtin base-declaration headers sport the wrong type")
}
h["timestamp"] = time.Now().UTC().Format(time.RFC3339)
h["sign-key-sha3-384"] = "lhSOrK6PQ22AJBuQ6btNW2NGAs-lZd4zsd6O5qRY7ylFDQVCD_0rurr66osdF-n9" // sha3-384("$builtin")
@jdstrand, Sep 30, 2016

I don't understand why we are setting this to a hardcoded value. Can you explain why and how it can't somehow be abused in the face of coding errors?

@jdstrand, Sep 30, 2016

We discussed this a bit on IRC. I was expecting that we would skip any signing checks since the document isn't signed (e.g. pseudo-code 'if base-declaration, warn else, verify'). Instead, this code is providing a sha-384 for a non-existent public key, and it is non-obvious (to me anyway) why that should work and is ok.

That said, I understand that we will be signing the base declaration soonish, so I don't want to waste people's time or to introduce corner cases that might introduce verification bugs, so if @pedronis and @niemeyer as experts in the assertions code are ok with this as is, +1 so long as we add a 'FIXME' comment that details why this is working correctly and is safe. @pedronis thought he might also explore a code change, which should be reviewed by @niemeyer.
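The two verification paths contrasted in the comment above (skip the check when the type is base-declaration, versus resolve the key id against the trusted key set and fail when no such key exists) can be modelled in a few lines. The block below is an added example written for this page; it is not snapd code and does not reproduce snapd's signature scheme. It assumes that the diff's comment sha3-384("$builtin") means raw URL-safe base64 of the SHA3-384 digest of the bytes "$builtin" (the same 64-character shape as the literal in the diff), and it uses an HMAC as a stand-in signature with constructed key material. The point it demonstrates: a sentinel key id that is the hash of a string rather than of a public key can never be resolved to a key, so an assertion arriving from outside with that id is rejected by the normal lookup path, while the type-based shortcut would let any unsigned document of that type through.

```python
import base64
import hashlib
import hmac
import string
from typing import Optional

# Literal copied from the diff under review (builtin base-declaration headers).
BUILTIN_KEY_ID_FROM_PR = "lhSOrK6PQ22AJBuQ6btNW2NGAs-lZd4zsd6O5qRY7ylFDQVCD_0rurr66osdF-n9"
_KEY_ID_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def key_id_for(material: bytes) -> str:
    """Raw URL-safe base64 of SHA3-384: 48-byte digest -> 64 chars, no padding.
    Assumption: this is the encoding behind the comment sha3-384("$builtin")."""
    digest = hashlib.sha3_384(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def is_well_formed_key_id(key_id: str) -> bool:
    """64 URL-safe base64 characters that decode to exactly 48 bytes."""
    if len(key_id) != 64 or any(c not in _KEY_ID_ALPHABET for c in key_id):
        return False
    padded = key_id + "=" * (-len(key_id) % 4)
    return len(base64.urlsafe_b64decode(padded)) == 48


def builtin_sentinel_matches_pr_literal() -> bool:
    """True if recomputing sha3-384("$builtin") reproduces the literal in the diff."""
    return key_id_for(b"$builtin") == BUILTIN_KEY_ID_FROM_PR


class VerifyError(Exception):
    pass


def toy_sign(secret: bytes, body: bytes) -> str:
    """Stand-in signature (HMAC-SHA256), constructed for this example only."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def check_assertion(headers: dict, body: bytes, signature: Optional[str],
                    trusted_keys: dict, from_builtin: bool = False) -> str:
    """Toy model of the two paths discussed in the thread.

    from_builtin=True is the only entry point for the unsigned builtin
    base-declaration: accepted without a signature, but it must be of that type.
    Everything else resolves its key id against the trusted set and verifies the
    signature; the "$builtin" sentinel never resolves, so an externally supplied
    assertion carrying it fails here whatever its type says."""
    if from_builtin:
        if headers.get("type") != "base-declaration":
            raise VerifyError("builtin path only carries base-declaration")
        return "accepted: builtin (unsigned by design)"
    key_id = headers.get("sign-key-sha3-384")
    secret = trusted_keys.get(key_id)
    if secret is None:
        raise VerifyError("no public key with id %r" % (key_id,))
    if signature is None or not hmac.compare_digest(toy_sign(secret, body), signature):
        raise VerifyError("signature does not verify")
    return "accepted: signed"


def demo() -> dict:
    """Run the scenarios; True means accepted, False means rejected."""
    store_secret = b"constructed-store-signing-secret"            # constructed
    store_key_id = key_id_for(b"constructed-store-public-key")   # constructed
    trusted = {store_key_id: store_secret}
    body = b"constructed assertion body"
    base_decl = {"type": "base-declaration", "sign-key-sha3-384": BUILTIN_KEY_ID_FROM_PR}
    snap_decl = {"type": "snap-declaration", "sign-key-sha3-384": store_key_id}
    sentinel_snap_decl = {"type": "snap-declaration", "sign-key-sha3-384": BUILTIN_KEY_ID_FROM_PR}
    results = {}

    def attempt(name, *args, **kwargs):
        try:
            check_assertion(*args, **kwargs)
            results[name] = True
        except VerifyError:
            results[name] = False

    attempt("builtin_base_decl", base_decl, body, None, trusted, from_builtin=True)
    attempt("external_base_decl_with_sentinel_id", base_decl, body, None, trusted)
    attempt("external_snap_decl_with_sentinel_id", sentinel_snap_decl, body, None, trusted)
    attempt("signed_snap_decl", snap_decl, body, toy_sign(store_secret, body), trusted)
    attempt("tampered_snap_decl", snap_decl, body + b"x", toy_sign(store_secret, body), trusted)
    return results


if __name__ == "__main__":
    print("sentinel id matches diff literal:", builtin_sentinel_matches_pr_literal())
    for name, ok in demo().items():
        print("%s: %s" % (name, "accepted" if ok else "rejected"))
```

Running the block prints whether recomputing the sentinel reproduces the literal from the diff, which is the check to do before accepting the comment's claim; the rest of the output shows the builtin document accepted only through its own entry point and every externally supplied assertion with the sentinel id rejected at key lookup.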

allow-installation:
slot-snap-type:
- core
`
@jdstrand, Sep 30, 2016

baseDeclarationHeaders is how I envisioned it.

@niemeyer niemeyer merged commit 938e6b6 into snapcore:master Sep 30, 2016
@pedronis pedronis deleted the base-declaration branch October 2, 2016 09:26
mwhudson pushed a commit to mwhudson/snapd that referenced this pull request Mar 5, 2019
Imported using git-ubuntu import.

Changelog parent: d92891f

New changelog entries:
  * New upstream release, LP: #1637215:
    - release: os-release on core has changed
    - tests: /dev/ptmx does not work on powerpc, skip here
    - docs: moved to github.com/snapcore/snapd/wiki (snapcore#2258)
    - debian: golang is not installable on powerpc, use golang-any
  * New upstream release, LP: #1637215:
    - overlord/ifacestate: add unit tests for undo of setup-snap-
      security (snapcore#2243)
    - daemon,overlord,snap,tests: download to .partial in final dir
      (snapcore#2237)
    - overlord/state: marshaling tests for lanes (snapcore#2245)
    - overlord/state: introduce state lanes (snapcore#2241)
    - overlord/snapstate: fix revert+refresh (snapcore#2224)
    - interfaces/systemd: enable/disable generated service units (snapcore#2229)
    - many: fix incorrect security files generation on undo
    - overlord/snapstate: add dynamic snapdX.Y assumes (snapcore#2227)
    - interfaces: network-manager: give slot full read-write access to
      /run/NetworkManager
    - docs: update the name of the command for the cross-build
    - overlord/snapstate: fix missing argument to Noticef
    - snapstate: ensure gadget/core/kernel can not be disabled (snapcore#2218)
    - asserts: limit to 1y only if len(models) == 0 (snapcore#2219)
    - debian: only install share/locale if available (missing on
      powerpc)
    - overlord/snapstate: fix revert followed by refresh to old-current
      (snapcore#2214)
    - interfaces/builtin: network-manager and bluez can change hostname
      (snapcore#2204)
    - snap: switch the auto-import dir to /run/snapd/auto-import
    - docs: less details about cloud.cfg as requested in trello (snapcore#2206)
    - spread.yaml: Ensure ubuntu user has passwordless sudo for
      autopkgtests (snapcore#2201)
    - interfaces/builtin: add dcdbas-control interface
    - boot: do not set boot to try mode if the revision is unchanged
    - interfaces: add shutdown interface (snapcore#2162)
    - interfaces: add system-power-control interface
    - many: use the new systemd backend for configuring GPIOs
    - overlord/ifacestate: setup security for slots before plugs
    - snap: spool assertion candidates if snapd is not up yet
    - store,daemon,overlord: download things to a partials dir
    - asserts,daemon: implement system-user-authority header/concept
    - interfaces/builtin: home base declaration rule using on-classic
      for its policy
    - interfaces/builtin: finish decl based checks
    - asserts: bump snap-declaration to allow signing with new-style
      plugs and slots
    - overlord: checks for kernel installation/refresh based on model
      assertion and previous kernel
    - tests/lib/fakestore: fix logic to distinguish assertion not found
      errors
    - client: add a few explicit error types (around the request cycle)
    - tests/lib/fakestore/cmd/fakestore: make it log, and fix a typo
    - overlord/snapstate: two bugs for one
    - snappy: disable auto-import of assertions on classic (snapcore#2122)
    - overlord/snapstate: move trash cleanup to a cleanup handler
      (snapcore#2173)
    - daemon: make create-user --known fail on classic without --force-
      managed (snapcore#2123)
    - asserts,interfaces/policy: implement on-classic plug/slot
      constraints
    - overlord: check that the first installed gadget matches the model
      assertion
    - tests: use the snapd-control-consumer snap from the store
    - cmd/snap: make snap run not talk to snapd for finding the revision
    - snap/squashfs: try to hard link instead of copying. Also, switch
      to osutil.CopyFile for cp invocation.
    - store: send supported max-format when retrieving assertions
    - snapstate, devicestate: do not remove seed
    - boot,image,overlord,partition: read/write boot variables in single
      operation
    - tests: reenable ubuntu-core tests on qemu
    - asserts,interfaces/policy: allow OR-ing of subrule constraints in
      plug/slot rules
    - many: move from flags as ints to flags as structs-of-bools (snapcore#2156)
    - many: add supports for keeping and finding assertions with
      different format iterations
    - snap: stop using ubuntu-core-launcher, use snap-confine
    - many: introduce an assertion format iteration concept, refuse to
      add unsupported assertion
    - interfaces: tweak wording and comment
    - spread.yaml: dump apparmor denials on spread failure
    - tests: unflake ubuntu-core-reboot (snapcore#2150)
    - cmd/snap: tweak unknown command error message (snapcore#2139)
    - client,daemon,cmd: add payment-declined error kind (snapcore#2107)
    - cmd/snap: update remove command help (snapcore#2145)
    - many: removed frameworks target and fixed service files (snapcore#2138)
    - asserts,snap: validate attributes to a JSON-compatible type subset
      (snapcore#2140)
    - asserts: remove unused serial-proof type
    - tests: skip auto-import tests on systems without test keys (snapcore#2142)
    - overlord/devicestate: don't spam the debug log on classic (snapcore#2141)
    - cmd/snap: simplify auto-import mountinfo parsing (snapcore#2135)
    - tests: run ubuntu-core upgrades on isolated machine (snapcore#2137)
    - overlord/devicestate: recover seeding from old external approach
      (snapcore#2134)
    - overlord: merge overlord/boot pkg into overlord/devicestate
      (snapcore#2118)
    - daemon: add postCreateUserSuite test suite (snapcore#2124)
    - tests: abort tests if an update process is scheduled (snapcore#2119)
    - snapstate: avoid reboots if nothing in the boot setup has changed
      (snapcore#2117)
    - cmd/snap: do not auto-import from loop or non-dev devices (snapcore#2121)
    - tests: add spread test for `snap auto-import` (snapcore#2126)
    - tests: add test for auto-mount assertion import (snapcore#2127)
    - osutil: add missing unit tests for IsMounted (snapcore#2133)
    - tests: check for failure creating user on managed ubuntu-core
      systems (snapcore#2096)
    - snap: ignore /dev/loop addings from udev (snapcore#2111)
    - tests: remove snapd.boot-ok reference (snapcore#2109)
    - tests: enable tests related to the home interface in all-snaps
      (snapcore#2106)
    - snapstate: only import defaults from gadget on install (snapcore#2105)
    - many: move firstboot code into the snapd daemon (snapcore#2033)
    - store: send correct JSON type of string for expected payment
      amount (snapcore#2103)
    - cmd/snap: rename is-managed to managed and tune (snapcore#2102)
    - interfaces,overlord/ifacestate: initial cleaning up of no arg
      AutoConnect related bits (snapcore#2090)
    - client, cmd: prompt for password when buying (snapcore#2086)
    - snapstate: fix hanging `snap remove` if snap is no longer mounted
    - image: support gadget specific cloud.conf file (snapcore#2101)
    - cmd/snap,ctlcmd: fix behavior of snap(ctl) get (snapcore#2093)
    - store: local users download from the anonymous url (snapcore#2100)
    - docs/hooks.md: fix typos (snapcore#2099)
    - many: check installation of slots and plugs against declarations
    - docs: fix missing "=" in the systemd-active docs
    - store: do not set store auth for local users (snapcore#2092)
    - interfaces,overlord/ifacestate: use declaration-based checking for
      auto-connect (snapcore#2071)
    - overlord, daemon, snap: support gadget config defaults (snapcore#2082) The
      main semantic changes are:
    - tests: fix snap-disconnect tests after core rename (snapcore#2088)
    - client,daemon,overlord,cmd: add /v2/users and create-user on auto-
      import (snapcore#2074)
    - many: abbreviated forms of disconnect (snapcore#2066)
    - asserts: require lowercase model until insensitive matching is
      ready (snapcore#2076)
    - cmd/snap: add version command, same as --version (snapcore#2075)
    - all: use "core" by default but allow "ubuntu-core" still (snapcore#2070)
    - overlord/devicestate, docs/hooks.md: nest prepare-device
      configuration options
    - daemon: fix login API to return local macaroons (snapcore#2078)
    - daemon: do not hardcode UID in userLookup (snapcore#2080)
    - client, cmd: connect fixes (snapcore#2026)
    - many: preparations for switching most of autoconnect to use the
      declarations, for now:
    - overlord/auth: update CheckMacaroon to verify local snapd
      macaroons (snapcore#2069)
    - cmd/snap: trivial auto-import and download tweaks (snapcore#2067)
    - interfaces: add repo.ResolveConnect that handles name resolution
    - interfaces/policy: introduce InstallCandidate and its checks
    - interfaces/policy,overlord: check connection requests against the
      declarations in ifacestate
    - many: setup snapd macaroon for local users (snapcore#2051) Next step: do
      snapd macaroons verification.
    - interfaces/policy: implement snap-id/publisher-id checks
    - many: change Connect to take ConnRef instead of strings (snapcore#2060)
    - snap: auto mount block devices and import assertions (snapcore#2047)
    - daemon: add `snap create-user --force-managed` support (snapcore#2041)
    - docs: remove references to removed buying features (snapcore#2057)
    - interfaces,docs: allow sharing SNAP{,_DATA,_COMMON} via content
      iface (snapcore#2063)
    - interfaces: add Plug/Slot/Connection reference helpers (snapcore#2056)
    - client,daemon,cmd/snap: improve create-user APIs (snapcore#2054)
    - many: introduce snap refresh --ignore-validation <snap> to
      override refresh validation (snapcore#2052)
    - daemon: add support for `snap create-user --known` (snapcore#2040)
    - interfaces/policy: start of interface policy checking code based
      on declarations (snapcore#2050)
    - overlord/configstate: support nested configuration (snapcore#2039)
    - asserts,interfaces/builtin,overlord/assertstate: introduce base-
      declaration (snapcore#2037)
    - interfaces: builtin: Allow writing DHCP lease files to
      /run/NetworkManager/dhcp (snapcore#2049)
    - many: remove all traces of the /v2/buy/methods endpoint (snapcore#2045)
    - tests: add external spread backend (snapcore#1918)
    - asserts: parse the slot rules in snap-declarations (snapcore#2035)
    - interfaces: allow read of /etc/ld.so.preload by default for armhf
      on series 16 (snapcore#2048)
    - store: change purchase to order and store clean up first pass
      (snapcore#2043)
    - daemon, store: switch to new store APIs in snapd (snapcore#2036)
    - many: add email to UserState (snapcore#2038)
    - asserts: support parsing the plugs stanza i.e. plug rules in snap-
      declarations (snapcore#2027)
    - store: apply deltas if explicitly enabled (snapcore#2031)
    - tests: fix create-key/snap-sign test isolation (snapcore#2032)
    - snap/implicit: don't restrict the camera iface to classic (snapcore#2025)
    - client, cmd: change buy command to match UX document (snapcore#2011)
    - coreconfig: nuke it. Also, ignore po/snappy.pot. (snapcore#2030)
    - store: download deltas if explicitly enabled (snapcore#2017)
    - many: allow use of the system user assertion with create-user
      (snapcore#1990)
    - asserts,overlord,snap: add prepare-device hook for device
      registration (snapcore#2005)
    - debian: adjust packaging for trusty/deputy systemd (snapcore#2003)
    - asserts: introduce AttributeConstraints (snapcore#2015)
    - interface/builtin: access system bus on screen-inhibit-control
    - tests: add firewall-control interface test (snapcore#2009)
    - snapstate: pass errors from ListRefresh in updateInfo (snapcore#2018)
    - README: add links to IRC, mailing list and social media (snapcore#2022)
    - docs: add `configure` hook to hooks list (snapcore#2024) LP: #1596629
    - cmd/snap,configstate: rename apply-config variables to configure.
      (snapcore#2023)
    - store: retry download on 500 (snapcore#2019)
    - interfaces/builtin: support time and date settings via
      'org.freedesktop.timedate1' (snapcore#1832)