/snapd

Bool file symlinks #329

Closed
wants to merge 2 commits into
from

Conversation

Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@zyga @niemeyer
@zyga
Contributor

zyga commented Jan 15, 2016

This branch contains support for dereferencing symbolic links in bool-file's security code. This is required to effectively allow "/sys/class/leds/$something/brightness" which translates to "/sys/devices/pci.../usb.../something/etc".

zyga added some commits Jan 14, 2016

@zyga
Add support for dereferencing bool-file's path 
In certain places, like apparmor support, we need to handle the real
path, without any symbolic links in place. This patch adds a method for
obtaining dereferenced path of a bool-type capability.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
88f68bb
@zyga
Use dereferenced (real) paths in apparmor snippets 
Apparmor uses real paths to check security permissions. If a process
needs to open /sys/foo/bar but it is a symbolic link to /sys/device/blah
then the apparmor profile must refer to (and allow) the latter path.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

1 failing and 2 successful checks
@snappy-m-o
Integration tests — No test results found.
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
coverage/coveralls — Coverage decreased (-0.02%) to 67.804%
Details
0beaf4e
caps/types.go
+type notSanitizedError struct{}
+
+func (e *notSanitizedError) Error() string {
+ return "capability is not sanitized"
@niemeyer

niemeyer Jan 20, 2016

Contributor

I don't really understand what this is trying to say.. my guess is that other people likely won't as well.

It should also be a var:

var errNotSanitized = errors.New("foo bar")

Or even inline, since there's really a single occurrence right now, which is never used in an error check.

caps/types.go
+func (t *BoolFileType) dereferencedPath(c *Capability) (string, error) {
+ path := c.Attrs["path"]
+ if path == "" {
+ return "", &notSanitizedError{}
@niemeyer

niemeyer Jan 20, 2016

Contributor 
return fmt.Errorf("bool-file capability is invalid: missing path attribute")

?

@niemeyer

niemeyer Jan 20, 2016

Contributor

Actually, perhaps even:

return fmt.Errorf("%q bool-file capability is invalid: missing path attribute", c.Name)

So we say what the actual capability is as well.

caps/types.go
+ }
+ realPath, err := evalSymlinks(path)
+ if err != nil {
+ return "", fmt.Errorf("bool-file path is invalid: %s", err)
@niemeyer

niemeyer Jan 20, 2016

Contributor 
return fmt.Errorf("%q bool-file capability has invalid path attribute: %s", c.Name, err)
@niemeyer
Contributor

niemeyer commented Jan 20, 2016

The error reporting needs tweaking, but the direction this is going looks good!

The description should be tweaked after the agreements on the mailing list too.

@zyga zyga closed this Jan 22, 2016

@zyga
Contributor

zyga commented Jan 22, 2016

I'll re-propose this, with fixes, to skills.

@zyga zyga deleted the zyga:bool-file-symlinks branch Mar 8, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment