Implement lxd-client interface exposing the lxd snap (LP: #1634880)

[kalikiana]

https://bugs.launchpad.net/snappy/+bug/1634880

[stgraber]

Not sure what that flag means, but if it means that other snaps will be allowed to auto-connect without special casing in the store, then this is a terrible idea.

Accessing the LXD socket is equivalent to having root access on the system. It lets you access everything on the filesystem and effectively bypass all seccomp and apparmor policies.

It's certainly fine for us to hardcode a few exceptions for well behaved, trusted snaps, but we should never allow a random snap to the store to connect to LXD without an explicit "snap connect" from the user.

[stgraber]

Right, so again, if my understanding of how snapd works nowadays is correct, this should absolutely not be True.

[stgraber]

Left a few in-line comments. tl&dr is that we should NEVER allow an untrusted snap to connect to the LXD daemon.

Only snaps that we'd trust with full unconfined root privileges on the machine should be allowed to talk to connect to the lxd interface without requiring user interaction.

Access to the lxd socket allows you to alter the host network setup, access any character or block devices in /dev, bind-mount any path on the filesystem, load any apparmor policy and bypass any existing apparmor or seccomp policies.

I'd say that this interface should be changed to never auto-connect for now. Then the downstream snaps that want to use it can start using it by asking users to manually connect, then once those snaps are deemed stable enough and have been reviewed for safety, an exception can be added so that the store version of those snaps will auto-connect to the lxd interface.

[stgraber]

@jdstrand

[stgraber]

Hmm, so those don't cover what you actually need to connect to a unix socket, which would be "socket()" and "connect()", rather than "setsockopt()" and "bind()".

Those two are the usual suspects for Go clients which will always call them when establishing a network connection. That's certainly fine, but also not really relevant for this interface.

Especially when you consider that all the needed bits are already in the auto-connectable "network" interface.

[jdstrand]

After changing to a slot implementation, change this to:

lxd:
  allow-installation: false
  deny-connection: true
  deny-auto-connection: true  

This will require the slot side implementation to need a snap declaration to even be installed and requires a plugging snap to also need a snap declaration to connect to lxd. I fully agree with @stgraber's comments regarding how privileged this interface is, and adjusting the base declaration to do this addresses those concerns. You'll of course need to adjust the testsuite changes accordingly.

[jdstrand]

This should be renamed as 'lxd' with the lxd snap adding 'slots: [ lxd ]' and clients using 'plugs: [ lxd ]'. See interfaces/builtin/docker.go for an example of what this might look like. We do this because as implemented, the 'lxd-client' interface is assuming there is something to connect to at /var/snap/lxd/common/lxd/unix.socket, but that is only there when the lxd snap is installed. Doing it as I suggest will allow the lxd snap to be auto-installed when installing a client that needs it (when that feature is implemented).

[stgraber]

Sounds good, though I think you meant "lxd" and "lxd-client" above rather than "lxc" and "lxc-client" :)

[jdstrand]

Erf, yes. 'lxd'. I'll adjust the comment.

[jdstrand]

I think you do want whatever seccomp rules are needed to talk to and use the socket without any other 'plugs'.

[stgraber]

From a basic netcat, we see:

socket(AF_LOCAL, SOCK_STREAM, 0)        = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
connect(3, {sa_family=AF_LOCAL, sun_path="/var/lib/lxd/unix.socket"}, 26) = 0
poll([{fd=3, events=POLLIN}, {fd=0, events=POLLIN}], 2, -1
) = 1 ([{fd=0, revents=POLLIN}])
read(0, "\n", 2048)                     = 1
write(3, "\n", 1)                       = 1
poll([{fd=3, events=POLLIN}, {fd=0, events=POLLIN}], 2, -1) = 1 ([{fd=3, revents=POLLIN|POLLHUP}])
read(3, "HTTP/1.1 400 Bad Request\r\nConten"..., 2048) = 88
write(1, "HTTP/1.1 400 Bad Request\r\nConten"..., 88HTTP/1.1 400 Bad Request
Content-Type: text/plain
Connection: close

400 Bad Request) = 88
poll([{fd=3, events=POLLIN}, {fd=0, events=POLLIN}], 2, -1) = 1 ([{fd=3, revents=POLLIN|POLLHUP}])
read(3, "", 2048)                       = 0
shutdown(3, SHUT_RD)                    = 0
close(3)                                = 0

So that's:

• socket (included in base)
• fcntl (included in base)
• connect (included in base)
• poll (included in base)
• read (included in base)
• write (included in base)
• shutdown
• close (included in base)

So looks like all that would be allowed for a basic unix socket connection would be "shutdown". Everything else being allowed already by default.

That obviously won't actually let you interact with the socket from something that's written in Go and does extra fancy socket setup, but that's specific to the client rather than the interface.

[jdstrand]

This should be:

// allow what declarations allowed
return true

which simply says that the interface won't override whatever the base and snap declarations allow, and with the suggested changes for the base declaration, this is the correct approach.

[jdstrand]

Please remove this since it won't be an implicit plug any more.

[kalikiana]

So the current state is, by changing the rules locally I can install an lxd snap with slots: [lxd], and a test snap using the Go API via the socket works. From what I understand it's expected that local testing of the correct rules as in the current code is impossible.

[stgraber]

Looks like your branch needs rebasing. You don't usually want Merge commits in a pull request.

[jdstrand]

This is close; thanks for your changes! Just a few more minor requests.

[jdstrand]

I'm not sure why lxd is a snowflake in TestAutoConnectPlugSlot. Can you comment?

[jdstrand]

Please add another test to TestSlotInstallation() for lxd, underneath the docker one.

[jdstrand]

Can you update this description to be like the one you have in lxdConnectedPlugSecComp?

[jdstrand]

Can you remove 'Usage' from here?

[jdstrand]

Can you add a test here for interfaces.SecuritySecComp?

[jdstrand]

This function is named incorrectly. You are testing ConnectedPlugSnippet.

[jdstrand]

Can you add another test for TestConnectedPlugPolicySecComp and look for shutdown in the same manner that you are searching for an apparmor rule here?

[jdstrand]

Please add the following comment: // allow what declarations allowed

[jdstrand]

Thanks for the updates!

[mvo5]

LGTM as well, if @jdstrand is happy please merge.

[vicamo]

@jdstrand any example how may one downstream snap use this interface?

[jdstrand]

@vicamo - The interface only gives access to the lxd socket via plugs: [ lxd ] so you can use whatever client tools and libraries to access lxd. Note this is an extremely privileged interface and it is restricted by the base declaration and it requires a snap declaration to install and use. Please see this bug when developing a snap that uses this interface:

https://bugs.launchpad.net/snappy/+bug/1640874

[vicamo]

@jdstrand, yes, I read that notice from your comments, and it's what we need. Thank you.