interfaces/greengrass-support: add support for Amazon Greengrass as a snap

[jdstrand]

Amazon Greengrass (https://aws.amazon.com/greengrass) consists of several parts: remote AWS, greengrassd and so-called 'lambda functions'. greengrassd communicates with AWS and launches lambda functions within a sandbox. This interface allows greengrassd to launch lambda functions within the Greengrass sandbox. The Greengrass sandbox is proprietary software and not designed to work with snappy confinement. The Greengrass sandbox for lambda functions consists of (only as it pertains to interactions with the snappy sandbox):

• OOM score adjustments
• cgroups
• drops Linux capabilities
• dropping privileges to non-root (ie, gcc_user and gcc_group)
• manipulating the environment of lambda functions
• overlayfs (readonly underlays with writable overlays)
• bind mounts to mask sensitive /proc entries
• pivot_root
• use of NO_NEW_PRIVS

As such, the greengrass-support interface provides a lot of privilege to the connected snap and like other interfaces of this kind, it requires a snap declaration for installation.

Due to how Greengrass is designed, lambda functions have the same snappy permissions as greengrassd and their confinement primarily comes from the Greengrass sandbox. Various ideas were explored for snappy security policy to make lambda function confinement stricter (eg, having a separate strict profile for lambda functions that the snappy sandbox would enforce when executing lambda functions). Because of greengrassd's use of NO_NEW_PRIVS, the only way to achieve this was to use AppArmor policy stacking, but there are various kernel and userspace bugs that prevent pursuing this at this time. Once these bugs are addressed, a future update to this interface may implement policy stacking to further restrict lambda functions.

Lastly, this interface was developed using a partially functional snap from @didrocks and I expect some iterating and profile additions once the fully functionally snap is available (@didrocks and Amazon are working together on this). As is, the interface is able to launch greengrassd which then launches several processes as sandboxed lambda functions, so the interface should be pretty close to being finalized as is (and is therefore IMO ok to commit to snapd now).

[jdstrand]

@didrocks - if you want to test this, simply create a devmode snap and use 'plugs: [network-bind, greengrass-support]'. Then do:

$ sudo snap install --dangerous --devmode /path/to/snap
$ sudo snap connect greengrass:greengrass-support

You can of course also try it in strict mode like I did :)

[codecov-io]

Codecov Report

Merging #3467 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #3467      +/-   ##
==========================================
+ Coverage   77.16%   77.16%   +<.01%     
==========================================
  Files         373      374       +1     
  Lines       25793    25803      +10     
==========================================
+ Hits        19903    19912       +9     
  Misses       4133     4133              
- Partials     1757     1758       +1

Impacted Files	Coverage Δ
interfaces/policy/basedeclaration.go	40.74% <ø> (ø)	⬆️
interfaces/builtin/greengrass_support.go	100% <100%> (ø)
overlord/snapstate/snapstate.go	81.28% <0%> (-0.24%)	⬇️
overlord/ifacestate/helpers.go	65.54% <0%> (ø)	⬆️
cmd/snap/cmd_aliases.go	96% <0%> (+2%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2afccb5...0011f7d. Read the comment docs.

[niemeyer]

Name seems fine, code seems fine, permissions seem extremely rich. Trusting you on the latter.

[jdstrand]

@niemeyer - indeed it is rather permissive. This interface can be thought of in the same general category as docker-support, lxd-support and kubernetes-support which is why it has a restrictive installation constraint in the base declaration.

[deadprogram]

Sorry to bother you all, but could you please point me to where I can install this snap, and ideally an example of it in use? Thank you very much!

[dipenpradhan]

Hi @jdstrand and @didrocks, I'm trying to find the AWS Greengrass snap or build a snap version of it myself. Can you help me figure out how to get Greengrass running on Ubuntu Core please!