tests: add snap-confine privilege test #3428

zyga · 2017-06-02T11:18:52Z

This test ensures that snap confine correctly drops privileges (user and
group identifiers) in various scenarios involving sudo and regular users.

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

This test ensures that snap confine correctly drops privileges (user and grup identifiers) in various scenarios involving sudo and regular users. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

jdstrand

Thanks for this test! I have some small comments but marking this as approved since the tests themselves are fine.

jdstrand · 2017-06-02T11:38:17Z

tests/main/snap-confine-privs/task.yaml

+details: |
+    The openSUSE security team has made a remark about a particular part of
+    snap-confine's UID/GID handling. The code there was, we believe, correct
+    but this test is here to demonstrate that and ensure it never regresses.


The tests prove snap-confine has the desired behavior so we don't have to say 'we believe' here.

jdstrand · 2017-06-02T11:48:00Z

tests/main/snap-confine-privs/task.yaml

+    Security review https://bugzilla.opensuse.org/show_bug.cgi?id=986050
+# This test is not executed on a core system simply because of the hassle of
+# building the support C program. In the future it might be improved with the
+# use of the classic snap where we just use classic to build the helper.


Note, core has python3 and python3 has os.getresuid(). I think it is fine to test on just classic, but if you really want it everywhere, keep that in mind. Also, I think this test is valid on other distros where snap-confine is setuid. On those with fscaps, we'd of course need different tests.

But python scripts cannot be setuid/setgid as they use an interpreter (bummer).

As for fscaps, that code is not used anymore and I actually removed it in one of my patches today (still pending PR)

re interpreted-- oh, right, duh.

On Debian /snap/bin is not on the secure path. Programs such as sudo and su reset PATH to a predictable value and this breaks specific test that wishes to start a snap command as a regular user. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

codecov-io · 2017-06-02T16:59:44Z

Codecov Report

Merging #3428 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #3428   +/-   ##
=======================================
  Coverage   77.56%   77.56%           
=======================================
  Files         371      371           
  Lines       25519    25519           
=======================================
  Hits        19794    19794           
  Misses       3975     3975           
  Partials     1750     1750

Impacted Files	Coverage Δ
interfaces/sorting.go	`93.33% <0%> (-3.34%)`	⬇️
interfaces/builtin/network_manager.go	`81.57% <0%> (ø)`	⬆️
cmd/snap/cmd_aliases.go	`96% <0%> (+2%)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3d65d03...8b9c112. Read the comment docs.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

morphis

LGTM, one minor thing

morphis · 2017-06-06T07:20:39Z

tests/main/snap-confine-privs/uids-and-gids.c

@@ -0,0 +1,24 @@
+#define _GNU_SOURCE


Don't we need a proper copyright header here?

Corrected, thank you!

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

tests: add snap-confine privilege test

87b7896

This test ensures that snap confine correctly drops privileges (user and grup identifiers) in various scenarios involving sudo and regular users. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

jdstrand approved these changes Jun 2, 2017

View reviewed changes

tests: use more certain language

2283746

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

morphis suggested changes Jun 6, 2017

View reviewed changes

tests: add GPL header to uids-and-gids.c

8b9c112

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

zyga merged commit c856dfd into canonical:master Jun 6, 2017

zyga deleted the feature/snap-confine-guid-handing branch June 6, 2017 15:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tests: add snap-confine privilege test #3428

tests: add snap-confine privilege test #3428

zyga commented Jun 2, 2017 •

edited by pedronis

Loading

jdstrand left a comment •

edited

Loading

jdstrand Jun 2, 2017

jdstrand Jun 2, 2017

zyga Jun 2, 2017

jdstrand Jun 2, 2017 •

edited

Loading

codecov-io commented Jun 2, 2017 •

edited

Loading

morphis left a comment

morphis Jun 6, 2017

zyga Jun 6, 2017

tests: add snap-confine privilege test #3428

tests: add snap-confine privilege test #3428

Conversation

zyga commented Jun 2, 2017 • edited by pedronis Loading

jdstrand left a comment • edited Loading

Choose a reason for hiding this comment

jdstrand Jun 2, 2017

Choose a reason for hiding this comment

jdstrand Jun 2, 2017

Choose a reason for hiding this comment

zyga Jun 2, 2017

Choose a reason for hiding this comment

jdstrand Jun 2, 2017 • edited Loading

Choose a reason for hiding this comment

codecov-io commented Jun 2, 2017 • edited Loading

Codecov Report

morphis left a comment

Choose a reason for hiding this comment

morphis Jun 6, 2017

Choose a reason for hiding this comment

zyga Jun 6, 2017

Choose a reason for hiding this comment

zyga commented Jun 2, 2017 •

edited by pedronis

Loading

jdstrand left a comment •

edited

Loading

jdstrand Jun 2, 2017 •

edited

Loading

codecov-io commented Jun 2, 2017 •

edited

Loading