tests: add snap-confine privilege test #3428
Conversation
This test ensures that snap confine correctly drops privileges (user and group identifiers) in various scenarios involving sudo and regular users. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Thanks for this test! I have some small comments but marking this as approved since the tests themselves are fine.
details: | | ||
The openSUSE security team has made a remark about a particular part of | ||
snap-confine's UID/GID handling. The code there was, we believe, correct | ||
but this test is here to demonstrate that and ensure it never regresses. |
The tests prove snap-confine has the desired behavior so we don't have to say 'we believe' here.
Security review https://bugzilla.opensuse.org/show_bug.cgi?id=986050 | ||
# This test is not executed on a core system simply because of the hassle of | ||
# building the support C program. In the future it might be improved with the | ||
# use of the classic snap where we just use classic to build the helper. |
Note, core has python3 and python3 has os.getresuid(). I think it is fine to test on just classic, but if you really want it everywhere, keep that in mind. Also, I think this test is valid on other distros where snap-confine is setuid. On those with fscaps, we'd of course need different tests.
But python scripts cannot be setuid/setgid as they use an interpreter (bummer).
As for fscaps, that code is not used anymore and I actually removed it in one of my patches today (still pending PR)
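As an added illustration of the kind of support C program such a test has to build (this is not the helper from the PR, whose source is not shown on this page), the program below reads all six identifiers with getresuid(2)/getresgid(2), prints them on one greppable line, and exposes a check that a privilege drop is complete. The `struct ids`, `make_ids`, `read_ids`, `ids_fully_dropped`, `ids_consistent` and `self_ids_consistent` names are mine, not snapd's.

```c
#define _GNU_SOURCE  /* glibc only declares getresuid/getresgid with this set */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* All six identifiers of a process: real, effective and saved user and group ids. */
struct ids {
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
};

/* Build an ids value from explicit numbers (used for the worked checks). */
struct ids make_ids(uid_t ruid, uid_t euid, uid_t suid,
                    gid_t rgid, gid_t egid, gid_t sgid)
{
    struct ids ids = { ruid, euid, suid, rgid, egid, sgid };
    return ids;
}

/* Read the calling process's own identifiers. Returns 0 on success, -1 on error. */
int read_ids(struct ids *out)
{
    if (getresuid(&out->ruid, &out->euid, &out->suid) != 0)
        return -1;
    if (getresgid(&out->rgid, &out->egid, &out->sgid) != 0)
        return -1;
    return 0;
}

/* A privilege drop is complete only when the real, effective AND saved ids
 * all equal the target. If a setuid-root program lowers only its effective
 * id, the saved id stays 0 and a later setuid(0) can regain root, so
 * checking getuid()/geteuid() alone is not enough. */
int ids_fully_dropped(struct ids ids, uid_t uid, gid_t gid)
{
    return ids.ruid == uid && ids.euid == uid && ids.suid == uid &&
           ids.rgid == gid && ids.egid == gid && ids.sgid == gid;
}

/* A process that is not in the middle of an identity switch has
 * ruid == euid == suid and rgid == egid == sgid. */
int ids_consistent(struct ids ids)
{
    return ids.ruid == ids.euid && ids.euid == ids.suid &&
           ids.rgid == ids.egid && ids.egid == ids.sgid;
}

/* Read our own ids and report whether they are consistent (1/0, -1 on error). */
int self_ids_consistent(void)
{
    struct ids ids;
    if (read_ids(&ids) != 0)
        return -1;
    return ids_consistent(ids);
}

int main(void)
{
    struct ids ids;
    if (read_ids(&ids) != 0) {
        perror("getresuid/getresgid");
        return 2;
    }
    /* One line of key=value pairs, easy for a spread test to grep. */
    printf("ruid=%u euid=%u suid=%u rgid=%u egid=%u sgid=%u",
           (unsigned) ids.ruid, (unsigned) ids.euid, (unsigned) ids.suid,
           (unsigned) ids.rgid, (unsigned) ids.egid, (unsigned) ids.sgid);
    /* Under sudo, SUDO_UID records the invoking user; print it so the test
     * can tell the "sudo" scenario apart from a plain root shell. */
    const char *sudo_uid = getenv("SUDO_UID");
    if (sudo_uid != NULL)
        printf(" sudo_uid=%s", sudo_uid);
    printf("\n");
    /* Exit status 1 if any id still differs, so a test can assert on $?. */
    return ids_consistent(ids) ? 0 : 1;
}
```

Built with `gcc -o ids ids.c`, the binary can be run directly, via `sudo`, and via `sudo -u <user>` to compare the three scenarios the commit message names; the point of `ids_fully_dropped` is that a correct drop leaves no saved id behind, which is exactly the property a helper of this kind is there to demonstrate.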
re interpreted-- oh, right, duh.
On Debian /snap/bin is not on the secure path. Programs such as sudo and su reset PATH to a predictable value and this breaks a specific test that wishes to start a snap command as a regular user. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Codecov Report
@@ Coverage Diff @@
## master #3428 +/- ##
=======================================
Coverage 77.56% 77.56%
=======================================
Files 371 371
Lines 25519 25519
=======================================
Hits 19794 19794
Misses 3975 3975
Partials 1750 1750
Continue to review full report at Codecov.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
LGTM, one minor thing
@@ -0,0 +1,24 @@ | |||
#define _GNU_SOURCE |
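Review bot: a one-line comment saying why `_GNU_SOURCE` is defined would help at the top of this new 24-line helper: with glibc, getresuid(2)/getresgid(2) are only declared when it is set, and since the uid/gid readout is the helper's whole purpose, a future cleanup that drops the define would turn into an implicit-declaration warning rather than an obvious failure. Something like `#define _GNU_SOURCE /* for getresuid/getresgid */` is enough.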
Don't we need a proper copyright header here?
Corrected, thank you!
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>