interfaces: add ofono interface

[alfonsosanchezbeato]

Add interface for ofono telephony daemon.

[jdstrand]

Thanks for the PR. See inline comments on a number of changes that need to be done and reviewed by the security team.

[jdstrand]

Can you alphabetize this (and move FwupdInterface too)?

[alfonsosanchezbeato]

Done

[jdstrand]

Can you use const ofonoPermanentSlotAppArmor = ... instead and convert to []byte when you need a byte slice? I realize not all interfaces do this yet, but it is a requirement for new interfaces.

[alfonsosanchezbeato]

Done

[jhodapp]

The pulseaudio interface does this already.

[jdstrand]

@jhodapp - yes, this came up as part of the pulseaudio review.

[jdstrand]

Can you limit this to the devices you need based on https://www.kernel.org/doc/Documentation/devices.txt? See interfaces/builtin/opengl.go and browser_support.go for example rules.

[alfonsosanchezbeato]

Done

[jdstrand]

Hrmm, but ok.

[jdstrand]

This rule should be: /run/systemd/seats/{,*} r

But why does ofono care about the seat?

[alfonsosanchezbeato]

Changed. In some cases there are preferences that depend on the user in the seat, like the preferred SIM for voice/data in dual SIM devices.

[jdstrand]

Ok, can you then say something along the lines of # To get current seat preferences for choosing SIM based on user or similar?

[jdstrand]

Another hrm, but ok. Note that we do have the serial-port interface that makes things better than they used to be, but until the core snap adds implicit serial-port slots and the core snap supports dynamic plugging, I don't think we can do better than this.

[morphis]

@jdstrand Right, that was our assumption. Once we have better support from snapd for this we will remove those rules and switch to the serial-port interface.

[alfonsosanchezbeato]

+1 here, we will change this when feasible

[jdstrand]

network netlink covers the other two. Can you remove network netlink?

[alfonsosanchezbeato]

Done

[jdstrand]

Why no interface component here?

[alfonsosanchezbeato]

Changed

[jdstrand]

seccomp argument filter is implemented. What are you wanting to filter on?

[jdstrand]

Can you also add a comment as to what these are for? dbus? networking? etc?

[alfonsosanchezbeato]

Comment was a left over, removed. Added a comment to clarify what are the calls for.

[jdstrand]

Can you add an xml comment here on the provenance of this dbus bus policy?

[alfonsosanchezbeato]

Done

[jdstrand]

Can you also add to the default bus policy:

    <deny own="org.ofono"/>

[alfonsosanchezbeato]

Done

[jdstrand]

Can you provide a comment as to the provenance of these udev rules?

[alfonsosanchezbeato]

Done

[jdstrand]

You can drop this case since the default is to return nil, nil

[alfonsosanchezbeato]

Done

[jdstrand]

This assumes that the ofono snap will not be installable on classic. Is that the case?

Also, on classic this means that a connected plug will have this policy:

# Allow all access to ofono services
dbus (receive, send)
    bus=system
    path=/{,**}
    peer=(label=unconfined),

This is a security hole because this rule grants access to all dbus system services, which is wrong. I suggest instead you:

• add an interface component to the plugs rule
• create a separate variable to hold classic policy and if release.OnClassic append it to the policy

If you do this, you fix the security hole and make the interface work on all snaps, classic and classic with ofono snap.

[alfonsosanchezbeato]

Interface added to apparmor rule. But not sure about what to put there as classic policy, as the ofono package has no apparmor rules.

[jdstrand]

Thank you for fixing the interface omission.

As for classic, look at mpris.go. Notice how it creates both mprisConnectedSlotAppArmor and mprisConnectedSlotAppArmorClassic. Then look in PermanentSlotSnippet how it creates snippet and then appends to snippet when on classic. I suggest you:

• keep ofonoConnectedPlugAppArmor as is
• add ofonoConnectedPlugAppArmorClassic with:

# Allow all access to ofono services on classic
dbus (receive, send)
    bus=system
    path=/{,**}
    interface=org.ofono.*
    peer=(label=unconfined),

• adjust ConnectedPlugSnippet to do:

old := []byte("###SLOT_SECURITY_TAGS###")
new := []byte("")
snippet := bytes.Replace([]byte(ofonoConnectedPlugAppArmor), old, new, -1)
if release.OnClassic {
    snippet = append(snippet, ofonoConnectedPlugAppArmorClassic...)
}
return snippet, nil

[jdstrand]

Please add tests for:

• seccomp on plugs side
• seccomp on slots side
• apparmor on the slots side

[alfonsosanchezbeato]

That is what TestUsedSecuritySystems() was doing, so I it is not clear to me how tests should be. Which ones could I use as reference?

[jdstrand]

I mean for each of these, add a test that when connected you verify a rule is present. Eg, add TestConnectedPlugSnippetAppArmor():

    plug := &interfaces.Plug{}
    release.OnClassic = false
    snippet, err := s.iface.ConnectedPlugSnippet(s.plug, slot, interfaces.SecurityAppArmor)
    c.Assert(err, IsNil)
        // verify apparmor connected
        c.Assert(string(snippet), testutil.Contains, "#include <abstractions/dbus-strict>")

        // verify classic didn't connect
    c.Assert(string(snippet), Not(testutil.Contains), "peer=(label=unconfined),")

Now do the same for the others.

[jdstrand]

You can drop TestUsedSecuritySystems() - they aren't required any more.

[jdstrand]

This commented still stands.

[jdstrand]

Can you move this to alphabetical order?

[alfonsosanchezbeato]

Done

[alfonsosanchezbeato]

PR refreshed for another round

[jdstrand]

Thanks for the updates, this is close. Please see my inline comments.

[jdstrand]

These aren't quite as fine-grained as I was hoping. It seems from the udev rules that only a handful of devices are known by ofono-- is that true? If so, can you determine the more fine-grained access? If you need help, simply remove these, run in devmode and paste the /run/udev/data denials and we can get more fine-grained.

[alfonsosanchezbeato]

No, ofono knows many more devices (see comment in ofonoPermanentSlotUdev). It uses libudev to get currently connected devices and processes udev events when devices are hot-plugged. When doing this libudev accesses to files in /run/udev/data, I have seen it accessing:

c2:*
c3:*
c188:*
c189:*
n*
+usb:*
+pci:*

An option to narrow this down is to modify ofono udev filter so it is more strict. Another one is to ignore some of the denials as some do not affect apparently the outcome. For instance, of the previous ones only reading char devices 188 and 189 seems critical (those are for /dev/ttyUSB* devices). However, I am a bit concerned about being too restrictive, as modem vendors might use non standard devices with unexpected major numbers.

[jdstrand]

Since this is the ofono service, it is less of a concern to let it have access to /run/udev/data. If you you feel the current accesses are sufficient, +1. It will be nice when we have the dynamic resolution code in place.

[alfonsosanchezbeato]

Great, then I think we can leave this in its current shape until that happens.

[jdstrand]

This assumes that the ofono snap will not be installable on classic. Is that the case?

Also, on classic this means that a connected plug will have this policy:

# Allow all access to ofono services
dbus (receive, send)
    bus=system
    path=/{,**}
    peer=(label=unconfined),

This is a security hole because this rule grants access to all dbus system services, which is wrong. I suggest instead you:

• add an interface component to the plugs rule
• create a separate variable to hold classic policy and if release.OnClassic append it to the policy

If you do this, you fix the security hole and make the interface work on all snaps, classic and classic with ofono snap.

[alfonsosanchezbeato]

Interface added to apparmor rule. But not sure about what to put there as classic policy, as the ofono package has no apparmor rules.

[jdstrand]

Thank you for fixing the interface omission.

As for classic, look at mpris.go. Notice how it creates both mprisConnectedSlotAppArmor and mprisConnectedSlotAppArmorClassic. Then look in PermanentSlotSnippet how it creates snippet and then appends to snippet when on classic. I suggest you:

• keep ofonoConnectedPlugAppArmor as is
• add ofonoConnectedPlugAppArmorClassic with:

# Allow all access to ofono services on classic
dbus (receive, send)
    bus=system
    path=/{,**}
    interface=org.ofono.*
    peer=(label=unconfined),

• adjust ConnectedPlugSnippet to do:

old := []byte("###SLOT_SECURITY_TAGS###")
new := []byte("")
snippet := bytes.Replace([]byte(ofonoConnectedPlugAppArmor), old, new, -1)
if release.OnClassic {
    snippet = append(snippet, ofonoConnectedPlugAppArmorClassic...)
}
return snippet, nil

[jdstrand]

Typo: /Snipped/Snippet/

[jdstrand]

Please also test for c.Assert(string(snippet), testutil.Contains, "#include <abstractions/dbus-strict>") here.

[jdstrand]

Please add tests for:

• seccomp on plugs side
• seccomp on slots side
• apparmor on the slots side

[alfonsosanchezbeato]

That is what TestUsedSecuritySystems() was doing, so I it is not clear to me how tests should be. Which ones could I use as reference?

[jdstrand]

I mean for each of these, add a test that when connected you verify a rule is present. Eg, add TestConnectedPlugSnippetAppArmor():

    plug := &interfaces.Plug{}
    release.OnClassic = false
    snippet, err := s.iface.ConnectedPlugSnippet(s.plug, slot, interfaces.SecurityAppArmor)
    c.Assert(err, IsNil)
        // verify apparmor connected
        c.Assert(string(snippet), testutil.Contains, "#include <abstractions/dbus-strict>")

        // verify classic didn't connect
    c.Assert(string(snippet), Not(testutil.Contains), "peer=(label=unconfined),")

Now do the same for the others.

[alfonsosanchezbeato]

Thanks for the review. PR refreshed addressing issues. Only remaining point should be permissions for /run/udev/data/ (see comment on that).

[alfonsosanchezbeato]

Branch refreshed adding permissions for unconfined apps in permanent slot.

[jdstrand]

Thanks for the changes. A few more things remain. Please see inline comments.

[jdstrand]

This will allow everything to connect to ofono. Please use this instead:

# Allow traffic to/from our path and interface with any method for unconfined
# clients to talk to our ofono services.
dbus (receive, send)
    bus=system
    path=/{,**}
    interface=org.ofono.*
    peer=(label=unconfined),

[jdstrand]

Please adjust this comment to be:

# Allow access to the unconfined ofono services on classic.

[jdstrand]

Please remove: connect, getpeername, getsockname, setsockopt, socketpair and socket. They are all included in the default template.

[jdstrand]

Please remove: connect, getsockname and socket. They are all included in the default template.

[jdstrand]

Please use this instead: c.Check(string(snippet), testutil.Contains, "send\n") (getsockname is already in the default template).

[jdstrand]

You can drop TestUsedSecuritySystems() - they aren't required any more.

[jdstrand]

This commented still stands.

[jdstrand]

Please use this instead: c.Check(string(snippet), testutil.Contains, "peer=(label=snap (interface=org.ofono.* is in PermanentSlotAppArmor).

[jdstrand]

Please add: c.Check(string(snippet), testutil.Contains, "listen\n") (setsockopt is in default policy.

[alfonsosanchezbeato]

Thanks for the review. PR refreshed after addressing comments.

[tonyespy]

A quick scan of the code also shows /dev/dsp being used by tools/huawei-audio, and /dev/chnlat11 being used by unit/test-caif.c. Might be worth adding these now.

[alfonsosanchezbeato]

Good point. Added, plus a couple of additional ones I found.

[jdstrand]

+1 regarding security policy provided you fix the comment I mentioned needing fixing just now.

[jdstrand]

This comment is wrong. It should be // Let confined apps access unconfined ofono on classic

[alfonsosanchezbeato]

Comment changed and branch refreshed.

[jdstrand]

Now that the base declaration is more finalized (also see #2269), please adjust this to be:

   ofono:                                                              
     allow-installation:                                                         
       slot-snap-type:                                                           
         - app                                                                   
         - core                                                                  
     deny-auto-connection: true                                                  
     deny-connection:                                                            
       on-classic: false 

This says that this may be supplied as an app snap or via core (ie, on classic) and if supplied via an app snap, then a snap declaration is required to connect to the the slot implementation.

[jdstrand]

Please move this down below and use:

"ofono":       []string{"app", "core"}

[jdstrand]

You can drop 'Usage' now that we have the base declaration. Also, please adjust the whitespace before 'gives'.

[jdstrand]

For readability, can you move this rule and comment down below with the other /dev rules?

[jdstrand]

It looks like 'at_console' is deprecated: https://lists.fedoraproject.org/pipermail/devel/2014-May/199004.html. Considering the lack of policykit on Ubuntu Core it seems like removing it and relying on the root and default policy would be wise. Can you comment on why 'at_console' is here?

[alfonsosanchezbeato]

I copied this over from ofono default policy file. Removed this in the refreshed branch, as it is not really needed and does not make much sense anyway.

[jdstrand]

I've rethought this section since previous reviews. With the proposed implementation, classic systems with connected plugs get to talk to unconfined ofono as well as the security label of the ofono snap, but this snap won't exist on a classic system where the deb would be used instead. Can you confirm this?

If that is true, instead of using ofonoConnectedPlugAppArmorClassic, instead conditionally set new to unconfined when OnClassic and to slotAppLabelExpr(slot) when not and drop ofonoConnectedPlugAppArmorClassic altogether.

[alfonsosanchezbeato]

Well, I can see both things happening (ofono client using the snap or using the deb in a classic system). Maybe we should not be too restrictive and allow both things, if not an issue security-wise. Same should apply to the modem-manager interface changes: I have changed it back to the way you mention here, but maybe I should leave the change I just made. We can discuss on irc.

[jdstrand]

Re "ofono client using the snap or using the deb in a classic system"> if that is the case, then you can leave this as is.

[alfonsosanchezbeato]

Awesome, I will leave this bit as it is now.

[jdstrand]

You can drop this test-- you aren't adding seccomp policy for slots.

[jdstrand]

Feel free to drop this.

[jdstrand]

and this...

[alfonsosanchezbeato]

Branch refreshed after addressing comments.

[jdstrand]

Thanks for the changes!

[alfonsosanchezbeato]

@jdstrand, thanks for the review. No more changes on my side, as I have left the classic parts as they are now.

[alfonsosanchezbeato]

@jdstrand FYI I have added a couple of additional apparmor permissions:

+/run/udev/data/+usb-serial:* r,
+/run/udev/data/+platform:* r,
+/run/udev/data/+pnp:* r,

[jdstrand]

Those new accesses are fine.