/snapd

interfaces: recover panics when sanitizing plugs and slots #3208

Closed
wants to merge 2 commits into
from

Conversation

Reviewers

@stolowski stolowski

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
  2.25
3 participants
@zyga @niemeyer @stolowski
@zyga
Contributor

zyga commented Apr 19, 2017

This branch makes snapd more robust against denial of service attacks in case the interface code that is responsible for sanitization of user-controlled plug/slot definition itself panics.

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

zyga added some commits Apr 19, 2017

@zyga
interfaces: add Sanitize{Plug,Slot} that recover panics 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
9b2f3d1
@zyga
interfaces: use safer sanitize functions 
This patch switches the interface repository to the new pair of
Sanitize{Plug,Slot} functions that recover panics if the interface
sanitization code panics.

The interface code is processing user input and like it was found in the
following forum thread, it is not immune to errors. This code will
prevent denial-of-service attacks where snapd would otherwise crash when
presented with a potentially malicious snap.

Forum: https://forum.snapcraft.io/t/snapd-service-doesnt-start/319/5
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

All checks have passed

6 successful checks
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
@mvo5
xenial-amd64 — autopkgtest finished (success)
Details
@mvo5
xenial-i386 — autopkgtest finished (success)
Details
@mvo5
xenial-ppc64el — autopkgtest finished (success)
Details
@mvo5
yakkety-amd64 — autopkgtest finished (success)
Details
@mvo5
zesty-amd64 — autopkgtest finished (success)
Details
c840130
@stolowski

stolowski reviewed Apr 20, 2017
View changes

I think this is a good idea, it saves us in cases where a bug in sanitize could paralyze snapd. However I think that it will delay a problem to a later stage (when we do connect), and we will inevitably panic anyway, becacuse addConnectedPlug/Slot method will most likely have similar issue to that of Sanitize (or it will panic explicitely because of missing sanitization).
The code in this PR looks fine, but with the above in mind I think we should in addition either: mark the interface as "broken" and do not attempt to connect it later, or handle panics on connect too. What do you think?

@zyga
Contributor

zyga commented Apr 20, 2017

@stolowski but if this code fails it will return an error so sanitize won't work so we won't even add the corresponding plug/slot. No way to connect to something that doesn't exist.
@stolowski

stolowski approved these changes Apr 20, 2017
View changes

Ah, of course you are right! +1

@zyga zyga added this to the 2.25 milestone Apr 25, 2017

@niemeyer
Contributor

niemeyer commented Apr 26, 2017

This needs a more detailed conversation, as it's turning the system into an exception mechanism, which panics are not meant to be. Why this and not every single function we call?

Closing for the time being. Let's discuss elsewhere.

@niemeyer niemeyer closed this Apr 26, 2017

@zyga zyga deleted the zyga:rfc/recover-panics-on-sanitize branch Aug 22, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment