/snapd

tests: add snap-confine privilege test #3428

Merged
merged 4 commits into from Jun 6, 2017

Conversation

Reviewers

@jdstrand jdstrand

@morphis morphis

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@zyga @codecov-io @morphis @jdstrand
@zyga
Contributor

zyga commented Jun 2, 2017
Edited 1 time

This test ensures that snap confine correctly drops privileges (user and
group identifiers) in various scenarios involving sudo and regular users.

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com
@zyga
tests: add snap-confine privilege test 
This test ensures that snap confine correctly drops privileges (user and
grup identifiers) in various scenarios involving sudo and regular users.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

1 failing and 6 successful checks
continuous-integration/travis-ci/pr — The Travis CI build failed
Details
@mvo5
artful-amd64 — autopkgtest finished (success)
Details
@mvo5
xenial-amd64 — autopkgtest finished (success)
Details
@mvo5
xenial-i386 — autopkgtest finished (success)
Details
@mvo5
xenial-ppc64el — autopkgtest finished (success)
Details
@mvo5
yakkety-amd64 — autopkgtest finished (success)
Details
@mvo5
zesty-amd64 — autopkgtest finished (success)
Details
87b7896
@jdstrand

jdstrand approved these changes Jun 2, 2017 edited
View changes

Thanks for this test! I have some small comments but marking this as approved since the tests themselves are fine.

tests/main/snap-confine-privs/task.yaml
+details: |
+ The openSUSE security team has made a remark about a particular part of
+ snap-confine's UID/GID handling. The code there was, we believe, correct
+ but this test is here to demonstrate that and ensure it never regresses.
@jdstrand

jdstrand Jun 2, 2017

Contributor

The tests prove snap-confine has the desired behavior so we don't have to say 'we believe' here.

tests/main/snap-confine-privs/task.yaml
+ Security review https://bugzilla.opensuse.org/show_bug.cgi?id=986050
+# This test is not executed on a core system simply because of the hassle of
+# building the support C program. In the future it might be improved with the
+# use of the classic snap where we just use classic to build the helper.
@jdstrand

jdstrand Jun 2, 2017

Contributor

Note, core has python3 and python3 has os.getresuid(). I think it is fine to test on just classic, but if you really want it everywhere, keep that in mind. Also, I think this test is valid on other distros where snap-confine is setuid. On those with fscaps, we'd of course need different tests.

@zyga

zyga Jun 2, 2017

Contributor

But python scripts cannot be setuid/setgid as they use an interpreter (bummer).

As for fscaps, that code is not used anymore and I actually removed it in one of my patches today (still pending PR)

@jdstrand

jdstrand Jun 2, 2017
Edited 1 time

Contributor

re interpreted-- oh, right, duh.

@zyga
tests: use "snap run" as /snap/bin is not on secure path 
On Debian /snap/bin is not on the secure path. Programs such as sudo and
su reset PATH to a predictable value and this breaks specific test that
wishes to start a snap command as a regular user.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

All checks have passed

7 successful checks
@mvo5
artful-amd64 — autopkgtest finished (success)
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
@mvo5
xenial-amd64 — autopkgtest finished (success)
Details
@mvo5
xenial-i386 — autopkgtest finished (success)
Details
@mvo5
xenial-ppc64el — autopkgtest finished (success)
Details
@mvo5
yakkety-amd64 — autopkgtest finished (success)
Details
@mvo5
zesty-amd64 — autopkgtest finished (success)
Details
936d9bf
@codecov-io

codecov-io commented Jun 2, 2017
Edited 1 time

Codecov Report

Merging #3428 into master will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #3428   +/-   ##
=======================================
  Coverage   77.56%   77.56%           
=======================================
  Files         371      371           
  Lines       25519    25519           
=======================================
  Hits        19794    19794           
  Misses       3975     3975           
  Partials     1750     1750
Impacted Files Coverage Δ
interfaces/sorting.go 93.33% <0%> (-3.34%) ⬇️
interfaces/builtin/network_manager.go 81.57% <0%> (ø) ⬆️
cmd/snap/cmd_aliases.go 96% <0%> (+2%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3d65d03...8b9c112. Read the comment docs.
@zyga
tests: use more certain language 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

Some checks were not successful

1 failing and 6 successful checks
@mvo5
artful-amd64 — autopkgtest finished (failure)
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
@mvo5
xenial-amd64 — autopkgtest finished (success)
Details
@mvo5
xenial-i386 — autopkgtest finished (success)
Details
@mvo5
xenial-ppc64el — autopkgtest finished (success)
Details
@mvo5
yakkety-amd64 — autopkgtest finished (success)
Details
@mvo5
zesty-amd64 — autopkgtest finished (success)
Details
2283746
@morphis

morphis suggested changes Jun 6, 2017
View changes

LGTM, one minor thing

tests/main/snap-confine-privs/uids-and-gids.c
@@ -0,0 +1,24 @@
+#define _GNU_SOURCE
@morphis

morphis Jun 6, 2017

Contributor

Don't we need a proper copyright header here?

@zyga

zyga Jun 6, 2017

Contributor

Corrected, thank you!

@zyga
tests: add GPL header to uids-and-gids.c 
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

All checks have passed

7 successful checks
@mvo5
artful-amd64 — autopkgtest finished (success)
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
@mvo5
xenial-amd64 — autopkgtest finished (success)
Details
@mvo5
xenial-i386 — autopkgtest finished (success)
Details
@mvo5
xenial-ppc64el — autopkgtest finished (success)
Details
@mvo5
yakkety-amd64 — autopkgtest finished (success)
Details
@mvo5
zesty-amd64 — autopkgtest finished (success)
Details
8b9c112

@zyga zyga merged commit c856dfd into snapcore:master Jun 6, 2017
2 of 7 checks passed

2 of 7 checks passed

artful-amd64 autopkgtest running
Details
xenial-amd64 autopkgtest running
Details
xenial-i386 autopkgtest running
Details
xenial-ppc64el autopkgtest running
Details
yakkety-amd64 autopkgtest running
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
zesty-amd64 autopkgtest finished (success)
Details

@zyga zyga deleted the zyga:feature/snap-confine-guid-handing branch Jun 6, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment