snapctl: support running by the snap app itself, not only just from hooks

cmd/snap-confine/Makefile.am

@@ -67,7 +67,9 @@ snap_confine_SOURCES = \
 	ns-support.c \
 	ns-support.h \
 	apparmor-support.c \
-	apparmor-support.h
+	apparmor-support.h \
+	context-support.c \
+	context-support.h
 
 snap_confine_CFLAGS = -Wall -Werror $(AM_CFLAGS)
 snap_confine_LDFLAGS = $(AM_LDFLAGS)

cmd/snap-confine/context-support.c

@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "cleanup-funcs.h"
+#include "config.h"
+#include "context-support.h"
+#include "utils.h"
+
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#define CONTEXTS_DIR "/var/lib/snapd/contexts"
+
+char *sc_nonfatal_context_get_from_snapd(const char *snap_name,
+					 struct sc_error **errorp)
+{
+	char context_path[PATH_MAX];
+	char *context_val = NULL;
+	struct sc_error *err = NULL;
+
+	if (snap_name == NULL) {
+		die("SNAP_NAME is not set");
+	}
+
+	int fd __attribute__ ((cleanup(sc_cleanup_close))) = -1;
+	must_snprintf(context_path, sizeof(context_path), "%s/snap.%s",
+		      CONTEXTS_DIR, snap_name);
+	fd = open(context_path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
+	if (fd < 0) {
+		err =
+		    sc_error_init(SC_CONTEXT_DOMAIN, 0,
+				  "cannot open context file %s, SNAP_CONTEXT will not be set: %s",
+				  context_path, strerror(errno));
+		goto out;
+	}
+	// context is a 32 bytes, base64-encoding makes it 44.
+	context_val = calloc(1, 45);
+	if (context_val == NULL) {
+		die("failed to allocate memory for snap context");
+	}
+	if (read(fd, context_val, 44) < 0) {
+		free(context_val);
+		context_val = NULL;
+		err =
+		    sc_error_init(SC_CONTEXT_DOMAIN, 0,
+				  "failed to read context file %s: %s",
+				  context_path, strerror(errno));
+		goto out;
+	}
+
+ out:
+	sc_error_forward(errorp, err);
+	return context_val;
+}
+
+void sc_context_set_environment(const char *context)
+{
+	if (context != NULL) {
+		// Overwrite context env value.
+		setenv("SNAP_CONTEXT", context, 1);
+	}
+}

cmd/snap-confine/context-support.h

@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2017 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef SNAP_CONFINE_CONTEXT_SUPPORT_H
+#define SNAP_CONFINE_CONTEXT_SUPPORT_H
+
+#include "error.h"
+
+/**
+ * Error domain for errors related to snap context handling.
+ **/
+#define SC_CONTEXT_DOMAIN "context"
+
+/**
+ * Return snap context string for given snap.
+ *
+ * The context value is read from /var/lib/snapd/contexts/snap.<snapname>
+ * file. The caller of the function takes the ownership of the returned context
+ * string.
+ * If the file cannot be read then an error is returned in errorp and
+ * the function returns NULL.
+ **/
+char *sc_nonfatal_context_get_from_snapd(const char *snap_name,
+					 struct sc_error **errorp);
+
+/**
+ * Set the snap context environment variable.
+ *
+ * Set the SNAP_CONTEXT environment variable with the value of context.
+ **/
+void sc_context_set_environment(const char *context);
+
+#endif

cmd/snap-confine/snap-confine.apparmor.in

@@ -257,6 +257,9 @@
     # Allow snap-confine to move to the void
     /var/lib/snapd/void/ r,
 
+    # Allow snap-confine to read snap contexts
+    /var/lib/snapd/contexts/snap.* r,
+
     # Support for the quirk system
     /var/ r,
     /var/lib/ r,

cmd/snap-confine/snap-confine.c

@@ -37,6 +37,7 @@
 #include "quirks.h"
 #include "secure-getenv.h"
 #include "apparmor-support.h"
+#include "context-support.h"
 
 int main(int argc, char **argv)
 {
@@ -88,6 +89,26 @@ int main(int argc, char **argv)
 		die("need to run as root or suid");
 	}
 #endif
+
+	char *snap_context __attribute__ ((cleanup(sc_cleanup_string))) = NULL;
+	const char *snap_name = getenv("SNAP_NAME");
+	if (snap_name != NULL) {
+		if (!verify_snap_name(snap_name)) {
+			die("invalid SNAP_NAME");
+		}
+		// Do no get snap context value if running a hook (we don't want to overwrite hook's SNAP_CONTEXT)
+		if (!verify_is_hook_security_tag(security_tag)) {
+			struct sc_error *err
+			    __attribute__ ((cleanup(sc_cleanup_error))) = NULL;
+			snap_context =
+			    sc_nonfatal_context_get_from_snapd(snap_name, &err);
+			if (err != NULL) {
+				error("cannot get context: %s",
+				      sc_error_msg(err));
+			}
+		}
+	}
+
 	struct sc_apparmor apparmor;
 	sc_init_apparmor_support(&apparmor);
 #ifdef HAVE_SECCOMP
@@ -108,13 +129,12 @@ int main(int argc, char **argv)
 			debug
 			    ("skipping sandbox setup, classic confinement in use");
 		} else {
-			const char *group_name = getenv("SNAP_NAME");
-			if (group_name == NULL) {
+			if (snap_name == NULL) {
 				die("SNAP_NAME is not set");
 			}
 			sc_initialize_ns_groups();
 			struct sc_ns_group *group = NULL;
-			group = sc_open_ns_group(group_name, 0);
+			group = sc_open_ns_group(snap_name, 0);
 			sc_lock_ns_mutex(group);
 			sc_create_or_join_ns_group(group, &apparmor);
 			if (sc_should_populate_ns_group(group)) {
@@ -154,7 +174,9 @@ int main(int argc, char **argv)
 #if 0
 	setup_user_xdg_runtime_dir();
 #endif
-
+	if (snap_context != NULL) {
+		sc_context_set_environment(snap_context);
+	}
 	// https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement
 	sc_maybe_aa_change_onexec(&apparmor, security_tag);
 #ifdef HAVE_SECCOMP

cmd/snap-confine/snap.c

@@ -43,3 +43,31 @@ bool verify_security_tag(const char *security_tag)
 
 	return (status == 0);
 }
+
+bool verify_is_hook_security_tag(const char *security_tag)
+{
+	const char *whitelist_re =
+	    "^snap\\.[a-z](-?[a-z0-9])*\\.(hook\\.[a-z](-?[a-z])*)$";
+
+	regex_t re;
+	if (regcomp(&re, whitelist_re, REG_EXTENDED | REG_NOSUB) != 0)
+		die("can not compile regex %s", whitelist_re);
+
+	int status = regexec(&re, security_tag, 0, NULL, 0);
+	regfree(&re);
+
+	return (status == 0);
+}
+
+bool verify_snap_name(const char *name)
+{
+	const char *whitelist_re = "[a-z](-?[a-z0-9])*$";
+	regex_t re;
+	if (regcomp(&re, whitelist_re, REG_EXTENDED | REG_NOSUB) != 0)
+		die("can not compile regex %s", whitelist_re);
+
+	int status = regexec(&re, name, 0, NULL, 0);
+	regfree(&re);
+
+	return (status == 0);
+}

cmd/snap-confine/snap.h

@@ -21,5 +21,7 @@
 #include <stdbool.h>
 
 bool verify_security_tag(const char *security_tag);
+bool verify_is_hook_security_tag(const char *security_tag);
+bool verify_snap_name(const char *name);
 
 #endif

daemon/api.go

@@ -2147,6 +2147,9 @@ func runSnapctl(c *Command, r *http.Request, user *auth.UserState) Response {
 	// Right now snapctl is only used for hooks. If at some point it grows
 	// beyond that, this probably shouldn't go straight to the HookManager.
 	context, _ := c.d.overlord.HookManager().Context(snapctlOptions.ContextID)
+	if context == nil {
+		context, _ = c.d.overlord.HookManager().SnapContext(snapctlOptions.ContextID)
+	}
 	stdout, stderr, err := ctlcmd.Run(context, snapctlOptions.Args)
 	if err != nil {
 		if e, ok := err.(*flags.Error); ok && e.Type == flags.ErrHelp {

dirs/dirs.go

@@ -51,6 +51,7 @@ var (
 	SnapDeviceDir string
 
 	SnapAssertsDBDir      string
+	SnapContextsDir       string
 	SnapTrustedAccountKey string
 	SnapAssertsSpoolDir   string
 
@@ -123,6 +124,7 @@ func SetRootDir(rootdir string) {
 	SnapSocket = filepath.Join(rootdir, "/run/snapd-snap.socket")
 
 	SnapAssertsDBDir = filepath.Join(rootdir, snappyDir, "assertions")
+	SnapContextsDir = filepath.Join(rootdir, snappyDir, "contexts")
 	SnapAssertsSpoolDir = filepath.Join(rootdir, "run/snapd/auto-import")
 
 	SnapStateFile = filepath.Join(rootdir, snappyDir, "state.json")

overlord/hookstate/context.go

@@ -34,6 +34,7 @@ import (
 // Context represents the context under which a given hook is running.
 type Context struct {
 	task    *state.Task
+	state   *state.State
 	setup   *HookSetup
 	id      string
 	handler Handler
@@ -56,13 +57,45 @@ func NewContext(task *state.Task, setup *HookSetup, handler Handler) (*Context,
 
 	return &Context{
 		task:    task,
+		state:   task.State(),
 		setup:   setup,
 		id:      base64.URLEncoding.EncodeToString(idBytes),
 		handler: handler,
 		cache:   make(map[interface{}]interface{}),
 	}, nil
 }
 
+// NewSnapContext returns a new snap Context.
+func NewSnapContext(state *state.State, setup *HookSetup, handler Handler) (*Context, error) {
+	// Generate a secure, random ID for this context
+	idBytes := make([]byte, 32)
+	_, err := rand.Read(idBytes)
+	if err != nil {
+		return nil, fmt.Errorf("cannot generate context ID: %s", err)
+	}
+
+	return &Context{
+		task:    nil,
+		state:   state,
+		setup:   setup,
+		id:      base64.URLEncoding.EncodeToString(idBytes),
+		handler: handler,
+		cache:   make(map[interface{}]interface{}),
+	}, nil
+}
+
+// NewSnapContextWithID returns a new snap Context with a predefined contextID (must be base64-encoded).
+func NewSnapContextWithID(state *state.State, setup *HookSetup, handler Handler, contextID string) *Context {
+	return &Context{
+		task:    nil,
+		state:   state,
+		setup:   setup,
+		id:      contextID,
+		handler: handler,
+		cache:   make(map[interface{}]interface{}),
+	}
+}
+
 // SnapName returns the name of the snap containing the hook.
 func (c *Context) SnapName() string {
 	return c.setup.Snap
@@ -92,14 +125,22 @@ func (c *Context) Handler() Handler {
 // and OnDone/Done).
 func (c *Context) Lock() {
 	c.mutex.Lock()
-	c.task.State().Lock()
+	if c.task != nil {
+		c.task.State().Lock()
+	} else {
+		c.state.Lock()
+	}
 	atomic.AddInt32(&c.mutexChecker, 1)
 }
 
 // Unlock releases the lock for this context.
 func (c *Context) Unlock() {
 	atomic.AddInt32(&c.mutexChecker, -1)
-	c.task.State().Unlock()
+	if c.task != nil {
+		c.task.State().Unlock()
+	} else {
+		c.state.Unlock()
+	}
 	c.mutex.Unlock()
 }
 
@@ -165,7 +206,7 @@ func (c *Context) Get(key string, value interface{}) error {
 
 // State returns the state contained within the context
 func (c *Context) State() *state.State {
-	return c.task.State()
+	return c.state
 }
 
 // Cached returns the cached value associated with the provided key. It returns
@@ -211,3 +252,8 @@ func (c *Context) Done() error {
 
 	return firstErr
 }
+
+// IsSnapContext returns true if the context is a snap context.
+func (c *Context) IsSnapContext() bool {
+	return c.task == nil
+}

overlord/hookstate/ctlcmd/set.go

@@ -79,6 +79,11 @@ func (s *setCommand) Execute(args []string) error {
 
 		transaction.Set(s.context().SnapName(), key, value)
 	}
+	context.Lock()
+	if context.IsSnapContext() {
+		transaction.Commit()
+	}
+	context.Unlock()
 
 	return nil
 }