/snapd

Bool file sanitization #324

Merged
merged 4 commits into from Jan 20, 2016

Conversation

Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@zyga @chipaca @niemeyer
@zyga
Contributor

zyga commented Jan 14, 2016

Note: this pull request depends on #322

To enhance the security of the bool-file capability it must not be allowed to create an arbitrary bool-file (e.g. one pointing to /dev/sda or /dev/mem). This is achieved with simple validation against a set of regular expressions describing allowed values.

Currently two kinds of bool file can be created. They can point to:

  • The value of a sysfs GPIO
  • The brightness of a sysfs LED

Additional values can be added as we discover their utility.
@zyga
Check for valid path of bool-file capability type 
To enhance the security of the bool-file capability it must not be
allowed to create an arbitrary bool-file (e.g. one pointing to /dev/sda
or /dev/mem). This is achieved with simple validation against a set of
regular expressions describing allowed values.

Currently two kinds of bool file can be created. They can point to:
- The value of a sysfs GPIO
- The brightness of a sysfs LED

Additional values can be added as we discover their utility.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

All checks have failed

2 failing checks
@snappy-m-o
Integration tests — No test results found.
Details
continuous-integration/travis-ci/pr — The Travis CI build failed
Details
b2bd62c
@zyga
Contributor

zyga commented Jan 14, 2016

/me goes to fix daemon code tests to use allowed paths.

zyga added some commits Jan 14, 2016

@zyga
Use realistic and valid bool-file path for testing 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

1 failing and 2 successful checks
@snappy-m-o
Integration tests — No test results found.
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage increased (+0.07%) to 67.557%
Details
603b49d
@zyga
Merge remote-tracking branch 'upstream/master' into bool-file-sanitiz… 
…ation

All checks have passed

3 successful checks
@snappy-m-o
Integration tests — Success 54 tests run, 0 skipped, 0 failed.
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage increased (+0.02%) to 67.852%
Details
763dc33
@chipaca
Member

chipaca commented Jan 18, 2016

Dear mo, retest this please.
@chipaca
Member

chipaca commented Jan 18, 2016

How relevant to what we're building is the fact that brightness is not always a 0/1 boolean? E.g.,

$ tail /sys/class/leds/dell::kbd_backlight/*brightness
==> /sys/class/leds/dell::kbd_backlight/brightness <==
3

==> /sys/class/leds/dell::kbd_backlight/max_brightness <==
10
caps/types.go
@@ -53,6 +54,13 @@ func (t *BoolFileType) Name() string {
return "bool-file"
}
+var boolFileAllowedPathPatterns = []*regexp.Regexp{
+ // The brightness of standard LED class device
+ regexp.MustCompile("^/sys/class/leds/[^/]+/brightness$"),
@niemeyer

niemeyer Jan 18, 2016

Contributor

Given @chipaca's feedback, doesn't look like this is right.

@zyga

zyga Jan 19, 2016

Contributor

I'd like to keep it for two reasons:

  • it is useful for common keyboard LEDs (caps lock, scroll lock, etc) and for testing on x86
  • vast majority of LEDs have only two states 0 and !0 (no PWM support)

On a given dell laptop, the gadget snap can suppress that LED capability if it doesn't behave correctly. In every other case LEDs are a valid candidate and thus should be allowed.

@niemeyer

niemeyer Jan 20, 2016

Contributor

Please just drop it. This is a very simple test capability that we can improve at will later. This branch could already be merged by now.

@niemeyer

niemeyer Jan 20, 2016

Contributor

Sorry, I take that back. Yes, these cases indeed work with 0 or 1, so we can instead blacklist whatever we don't want later.

caps/types.go
+ valid := false
+ for _, pattern := range boolFileAllowedPathPatterns {
+ if pattern.MatchString(path) {
+ valid = true
@niemeyer

niemeyer Jan 18, 2016

Contributor

return true, and then simplify the rest of the logic accordingly?

@zyga

zyga Jan 19, 2016

Contributor

Done

@niemeyer
Contributor

niemeyer commented Jan 18, 2016

LGTM considering these points.. I'd drop brightness altogether for now.
@zyga
Simplify validation logic 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

All checks have passed

3 successful checks
@snappy-m-o
Integration tests — Success 54 tests run, 0 skipped, 0 failed.
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage decreased (-0.07%) to 67.761%
Details
fc10ee3

niemeyer added a commit that referenced this pull request Jan 20, 2016

@niemeyer
Merge pull request #324 from zyga/bool-file-sanitization 
caps: improve bool-file sanitization

The bool-file capability now checks if the path attribute is pointing
to LED or GPIO within /sys, and errors out otherwise.
634c221

@niemeyer niemeyer merged commit 634c221 into snapcore:master Jan 20, 2016
3 checks passed

3 checks passed

Integration tests Success 54 tests run, 0 skipped, 0 failed.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
coverage/coveralls Coverage decreased (-0.07%) to 67.761%
Details
@niemeyer
Contributor

niemeyer commented Jan 20, 2016

And it's merged by now! ;)

@zyga zyga deleted the zyga:bool-file-sanitization branch Mar 8, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment