interfaces/default: allow mknod for regular files, pipes and sockets (LP: #1636540)

[jdstrand]

This adds SCMP_CMP_MASKED_EQ support for doing things like '|S_IFIFO' in the policy to support
mknod which uses bitmasks for the permissions and file type. Developing this PR uncovered a number of testsuite rough edges, so fix those along the way.

[jdstrand]

@tyhicks - can you take a look at the policy syntax changes?

[zyga]

Can you please explain the reasoning behind this? I'm just unfamiliar and I'd like to understand it better.

[jdstrand]

SCMP_CMP_MASKED_EQ is what you use to check bitmasks (eg, '|S_IFREG'). Since for mknod(2) the second argument is a bitmask for mode_t, we need to see if S_IFREG is set within the mode_t, and you do that with SCMP_CMP_MASKED_EQ. Because SCMP_CMP takes an additional argument for the mask when op is 'SCMP_CMP_MASKED_EQ', we check if the op is 'SCMP_CMP_MASKED_EQ' and give that extra argument, otherwise we do like we've always done. It is sufficient for us to use 'value' for both the mask and the datum because if we have have rule mknod - |S_IFREG - then <mode_t>|S_IFREG matches S_IFREG when using something like mknod(..., S_IFREG|S_IRUSR|S_IWUSR, ...).

For more information, see 'man 3 seccomp_rule_add'.

[jdstrand]

Closing for the moment since the spread test failure needs to be investigated.

[zyga]

The final logged seccomp event is about system call 201 which on x86 is geteuid32 but AFAIR it was added to common.sh when i386 support was fixed.

[jdstrand]

@zyga - the geteuid32 is in the default policy but the denial is not from this test. I think it is from test_restrictions, but I'll make this test clearer so the geteuid32/geteuid stops confusing people.

If you look at the latest travis failure, it is in linode:ubuntu-16.04-32:tests/main/gccgo. c-unit-tests passes everywhere now. The failure in linode:ubuntu-16.04-32:tests/main/gccgo is confusing since c-unit-tests is passing and so are the autopkgtests (minus ppc64el). I'll take a look at that test now.

[jdstrand]

And of course, this seems to be an intermittent failure:

$ spread -reuse -resend -debug linode:ubuntu-16.04-32:tests/main/gccgo
2017/02/01 12:21:39 Allocating linode:ubuntu-16.04-32...
2017/02/01 12:22:36 Allocated linode:ubuntu-16.04-32 (Spread-X).
2017/02/01 12:22:36 Connecting to linode:ubuntu-16.04-32 (Spread-X)...
2017/02/01 12:22:53 Connected to linode:ubuntu-16.04-32 (Spread-X) at 45.79.186.250.
2017/02/01 12:22:53 Sending project content to linode:ubuntu-16.04-32 (Spread-X)...
2017/02/01 12:35:09 Successful tasks: 1
2017/02/01 12:35:09 Aborted tasks: 0
2017/02/01 12:35:09 Keeping linode:ubuntu-16.04-32 (Spread-X) at 45.79.186.250

[jdstrand]

I checked the original log and saw that linode:ubuntu-16.04-32 went to Spread-C and Spread-D. Perhaps Spread-C or Spread-D is out of date?

[jdstrand]

This is annoying. The autopkgtests fail with tests/main/gccgo and so does continuous-integration via travis, but locally and running spread -reuse -resend -debug linode:ubuntu-16.04-32:tests/main/gccgo with spread 27 runs fine. I suspect something wrong with the tests/main/gccgo but I can't get it to reproduce to debug it.

[jdstrand]

Ok, finally got gccgo test to work. Now unrelated tests are failing:

2017/02/01 21:45:42 Successful tasks: 520
2017/02/01 21:45:42 Aborted tasks: 1
2017/02/01 21:45:42 Failed tasks: 3
    - linode:ubuntu-14.04-64:tests/main/snap-run-alias:testsnapdtoolscat
    - linode:ubuntu-14.04-64:tests/regression/lp-1595444
    - linode:ubuntu-16.04-32:tests/main/revert-devmode:remote
2017/02/01 21:45:42 Failed task prepare: 1
    - linode:ubuntu-14.04-64:tests/main/interfaces-cups-control

[jdstrand]

After a couple of tries, the unrelated tests (finally) passed.

[jdstrand]

FYI, @tyhicks and I discussed the syntax changes over IRC and hangout and we agreed the syntax changes in this PR are ok.

[jdstrand]

The zesty-amd64 test failures are unrelated:

2017/02/07 21:44:55 Aborted tasks: 111
2017/02/07 21:44:55 Failed task prepare: 6
    - autopkgtest:ubuntu-17.04-amd64:tests/main/cmdline
    - autopkgtest:ubuntu-17.04-amd64:tests/main/help:install
    - autopkgtest:ubuntu-17.04-amd64:tests/main/help:remove
    - autopkgtest:ubuntu-17.04-amd64:tests/main/interfaces-udev
    - autopkgtest:ubuntu-17.04-amd64:tests/main/security-profiles
    - autopkgtest:ubuntu-17.04-amd64:tests/main/try-snap-is-optional
2017/02/07 21:44:55 Failed task restore: 1
    - autopkgtest:ubuntu-17.04-amd64:tests/main/security-profiles
error: unsuccessful run

[jdstrand]

The continuous integration test is unrelated:
linode:ubuntu-14.04-64:tests/regression/lp-1595444

[jdstrand]

@mvo5 - fyi, not sure what happened if anything, but the CI tests got restarted and just passed.

[zyga]

Let's please wait until snap-confine is executed from the core before landing this

[niemeyer]

Seems fine, but please make sure tests are actually running and verifying what they're supposed to together with the remaining of our automated spread tests.

[niemeyer]

I don't think these tests are even running. Actual tests live in /tests by now.

We need to kill these for good @zyga.

[niemeyer]

Thanks, that's nicer.

[mvo5]

Yeah, we can not land this before #2810 has landed

[mvo5]

We re-generate seccomp/apparmor in 2.23 now on startup. So this can land now AFAICT.

[jdstrand]

@mvo5 - "We re-generate seccomp/apparmor in 2.23 now on startup. So this can land now AFAICT."

We did? Part of that change was supposed to revert the revert of the quotactl and 'ioctl - !TIOCSTI' rules, but that isn't in trunk now.

[niemeyer]

@mvo5 @jdstrand I'm a bit lost here. What are these quotactl changes and what is this PR blocked on?

[mvo5]

@jdstrand Uh, sorry. We do re-generate the profiles now but that is not sufficient because we do not yet run the matching snap-confine. So This can not quite be merged :/

[jdstrand]

It is my understanding that this is now unblocked, so removing that tag, but closing until I have a chance to review and retest everything.

[jdstrand]

I'm told that we can start landing the seccomp changes since snap-confine now is re-exec'd as necessary on classic.

[zyga]

+1

[zyga]

This is now in default debug-each so we could drop this copy.

[zyga]

You don't want this change.

[jdstrand]

Hrmm, that came in as a result of the merge from trunk. Removing.

[jdstrand]

I think it is these that are causing the issues with the testsuite. There are tons of apparmor denials in the snapd-reexec test for snap.network-bind-consumer.network-consumer:

2017-04-19 13:36:01 Error executing linode:ubuntu-14.04-64:tests/main/snapd-reexec : 
-----
+ '[' '' = 0 ']'
+ echo 'Ensure we re-exec by default'
Ensure we re-exec by default
+ snap list
2017/04/19 13:35:59.295076 main.go:237: WARNING: cannot create syslog logger
2017/04/19 13:35:59.431711 main.go:237: WARNING: cannot create syslog logger
Name  Version  Rev   Developer  Notes
core  16-2     1736  canonical  -
+ MATCH 'DEBUG: restarting into'
+ journalctl
error: pattern not found, got:
-- Logs begin at Wed 2017-04-19 13:31:24 UTC, end at Wed 2017-04-19 13:31:25 UTC. --
Apr 19 13:31:24 ubuntu kernel: audit: type=1400 audit(1492608684.195:6094): apparmor="DENIED" operation="accept" profile="snap.network-bind-consumer.network-consumer" pid=16384 comm="python3" laddr=127.0.0.1 lport=8081 family="inet" sock_type="stream" protocol=6 requested_mask="accept" denied_mask="accept"
Apr 19 13:31:24 ubuntu kernel: audit: type=1400 audit(1492608684.195:6095): apparmor="DENIED" operation="accept" profile="snap.network-bind-consumer.network-consumer" pid=16384 comm="python3" laddr=127.0.0.1 lport=8081 family="inet" sock_type="stream" protocol=6 requested_mask="accept" denied_mask="accept"

I'm going to revert the disabling of rate limiting for now so this PR will pass and add a forum topic that the tests should be able to run with this enabled.

[jdstrand]

The xenial-i386 failure is unrelated:

2017-04-27 20:16:45 Failed tasks: 1
    - autopkgtest:ubuntu-16.04-i386:tests/main/completion

[jdstrand]

Thanks for the reviews and merge! :)