cmd/snap-confine: re-associate with pid-1 mount namespace if required

[zyga]

This patch changes the initialization process of mount namespace
handling code. If the snap-confine process is itself in a namespace
other than that of pid-1 (which happens when snaps with confinement
other than classic are trying to invoke other snaps) then snap-confine
will move itself to the mount namespace of pid-1 before attempting any
other actions.

This allows snap-confine to get access to /run/snapd/ns directory that
has private sharing and thus is not shared with any mount peer groups.

Fixes: https://bugs.launchpad.net/snap-confine/+bug/1644439
Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

[zyga]

NOTE: I managed to avoid the kernel OOPS but the tests will still fail on recursive confinement. I asked @jdstrand to have a look after sharing some ideas on IRC.

The essence of the remaining problem:

qemu:ubuntu-16.04-64 .../tests/regression/lp-1644439# test-snapd-tools.cmd sh -c "/var/lib/snapd/hostfs/usr/bin/strace -o strace.log /var/lib/snapd/hostfs/usr/bin/nsenter -m/proc/1/ns/mnt"
nsenter: cannot open /proc/1/ns/mnt: Permission denied

Then the log file contains:

open("/proc/1/ns/mnt", O_RDONLY)        = -1 EACCES (Permission denied)

the kernel ring buffer contains:

[ 1680.352515] audit: type=1400 audit(1484252277.064:162): apparmor="ALLOWED" operation="exec" profile="snap.test-snapd-tools.cmd" name="/var/lib/snapd/hostfs/usr/bin/strace" pid=25401 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace"
[ 1680.352783] audit: type=1400 audit(1484252277.064:163): apparmor="ALLOWED" operation="open" profile="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace" name="/etc/ld.so.cache" pid=25401 comm="strace" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1680.352902] audit: type=1400 audit(1484252277.064:164): apparmor="ALLOWED" operation="open" profile="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace" name="/lib/x86_64-linux-gnu/libc-2.23.so" pid=25401 comm="strace" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1680.353237] audit: type=1400 audit(1484252277.064:165): apparmor="ALLOWED" operation="file_mprotect" profile="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace" name="/var/lib/snapd/hostfs/usr/bin/strace" pid=25401 comm="strace" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1680.353322] audit: type=1400 audit(1484252277.064:166): apparmor="ALLOWED" operation="file_mprotect" profile="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace" name="/lib/x86_64-linux-gnu/ld-2.23.so" pid=25401 comm="strace" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1680.353672] audit: type=1400 audit(1484252277.064:167): apparmor="ALLOWED" operation="open" profile="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace" name="/home/gopath/src/github.com/snapcore/snapd/tests/regression/lp-1644439/strace.log" pid=25401 comm="strace" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
[ 1680.353681] audit: type=1400 audit(1484252277.064:168): apparmor="ALLOWED" operation="truncate" profile="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace" name="/home/gopath/src/github.com/snapcore/snapd/tests/regression/lp-1644439/strace.log" pid=25401 comm="strace" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 1680.354057] audit: type=1400 audit(1484252277.064:169): apparmor="ALLOWED" operation="exec" profile="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace" name="/var/lib/snapd/hostfs/usr/bin/nsenter" pid=25403 comm="strace" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace//null-/var/lib/snapd/hostfs/usr/bin/nsenter"
[ 1680.354435] audit: type=1400 audit(1484252277.064:170): apparmor="ALLOWED" operation="open" profile="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace//null-/var/lib/snapd/hostfs/usr/bin/nsenter" name="/etc/ld.so.cache" pid=25403 comm="nsenter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 1680.354657] audit: type=1400 audit(1484252277.064:171): apparmor="ALLOWED" operation="open" profile="snap.test-snapd-tools.cmd//null-/var/lib/snapd/hostfs/usr/bin/strace//null-/var/lib/snapd/hostfs/usr/bin/nsenter" name="/lib/x86_64-linux-gnu/libselinux.so.1" pid=25403 comm="nsenter" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

(I clear the buffer just before running this command)

[jdstrand]

There is nothing in the logs that indicates a problem from AppArmor. Those ALLOWED messages are because you are running strace from under complain mode and the policy doesn't allow using strace, so the violation against policy is logged (but allowed).

[zyga]

@jdstrand correct BUT the permission denied only happens if you do this through apparmor. Try the same idea (unshare -m and then nsenter pid 1 mount ns). In addition the error code suggests apparmor (EACCES rather then EPERM) (or did I get this wrong?)

[jdstrand]

Did you turn of kernel rate limiting? sudo sysctl -w kernel.printk_ratelimit=0

[zyga]

The kernel issue is now reported as https://bugs.launchpad.net/apparmor/+bug/1656121

[zyga]

This is blocked on the kernel/apparmor bug and critical for CE for their product development.

[tyhicks]

@zyga there's a kernel waiting for you to test in the launchpad bug. Give it a shot when you get some time.

[zyga]

I tested the test kernel and the results are inconclusive. I could use some hands-on time with jj to debug this further.

[zyga]

JJ has fixed all the issues in apparmor that affected this test. The next kernel release (~2.5 weeks away from now) should make this test green without using the test kernel.

[niemeyer]

Not reading properly: "it typically constructs that directory is not available"

[zyga]

Fixed

[niemeyer]

This is such a clear explanation of the rationale. Thanks! Can we please have this copied over above the function sc_reassociate_with_pid1_mount_ns in ns-support.c as well?

[zyga]

Yes, sure

[zyga]

And done now

[zyga]

Tests failed but this may have been caused by stale kernels used on test images. I'll do a local test in qemu

[niemeyer]

We need to get this out of the pipeline..

@jdstrand @tyhicks Are you happy with this change?

@zyga Can we get the tests fixed?

[zyga]

I just tested this on the -67 kernel from xenial-proposed and it works :-) Looking forward to merging this.

[arapulido]

@zyga The -67 is now in xenial-updates. Can we land this?

[tyhicks]

FYI, I'm going to review this PR later today.

[zyga]

@arapulido oh, indeed. I'll check if we can get a clean run and if tyler agrees we can land this

[zyga]

This is now tagged to 2.24 since CE requested this to be fixed with high priority and we have a high chance of landing it as the fixed kernel is now out.

[tyhicks]

I don't love this change because it opens up a way for a confined application to escape to possibly enter the init namespace. However, I think the code is correct around the mount namespace handling in snap-confine and it should be safe to land.

I had one suggestion to lock down the AppArmor profile a bit and I'd like for you to quickly investigate if it is possible before you merge.

Ack from me.

[tyhicks]

From my quick testing using readlink /proc/1/ns/mnt and nsenter --mount=/proc/1/ns/mnt, you can get away with specifying a single ptrace permission rather than granting all ptrace permissions:

ptrace trace peer=unconfined,

Also, I don't seem to need capability sys_ptrace, but trust that you added it after seeing a denial for that capability.

[zyga]

Thank you for the review. I'll tighten the ptrace rule and see if I need sys_ptrace with the fixed kernel.

[zyga]

I ran a quick test without `capability sys_ptrace that showed green on the regression test. I chose to remove this extra permission. I think it was added when we tested various kernel fixes but I don't think it is required in practice now.

[pedronis]

not quite clear why we need this getenv again

[zyga]

We don't need this. I think it was a part of a very very old fix that can now be simplified

[zyga]

Redundant now, removed

[zyga]

The failure in docker is unrelated to the test and looks network related.

[zyga]

So I got cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied. This seems to imply that in certain cases ptrace capability was required.

[zyga]

Running the .../tests/main/interfaces-locale-control test I got:

[34345.780067] audit: type=1400 audit(1489647627.003:150): apparmor="DENIED" operation="capable" profile="/usr/lib/snapd/snap-confine" pid=31109 comm="snap-confine" capability=19  capname="sys_ptrace"

EDIT:

This occurs during this command in the test:

Then the snap is able to read the locale configuration
++ su -l -c 'locale-control-consumer.get LANG' test
cannot perform readlinkat() on the mount namespace file descriptor of the init process: Permission denied

[tyhicks]

Thanks for trying to remove the capability sys_ptrace, rule. I'm unable to reproduce the denial here by simply using readlink(1) but the denial that you're seeing speaks for itself. This PR still gets my ack with the inclusion of that rule.

[zyga]

Failures in adt are caused by the -66 kernel (the fix is in -67)

[jdstrand]

@zyga - this PR needs to be reverted because the required kernel patches have been reverted. If 2.24 is released with this commit, we will see the OOPSes from https://bugs.launchpad.net/apparmor/+bug/1656121 in production.

[zyga]

@jdstrand a full revert will be messy (lots of patches) but we can disable this easily via: https://github.com/snapcore/snapd/pull/3076/files