cmd/snap-seccomp: support parsing 'u:' and 'g:' for username and groups

[jdstrand]

This adds support in snap-seccomp to parse 'u:' and 'g:' in the policy so we can do things like:

setuid u:daemon
fchown - u:root g:shadow

This is a required building block for security policy support for https://forum.snapcraft.io/t/multiple-users-and-groups-in-snaps/1461. It will also be the basis for allowing use of the 'daemon' user and group by default (see https://bugs.launchpad.net/snappy/+bug/1619888/comments/6) for privilege dropping, etc.

[zyga]

Looks okay in general but I have questions about memory management and about possibly-blocking user and group lookups when using networked systems.

[zyga]

I wonder if we should take any special considerations for any networked systems. This can block for any amount of time, correct?

[jdstrand]

IMO, no because everything we will be using it for will be in the local databases. Systems with network NSS modules always include the local database module first so that the system can boot up or function when the system is down. Consider debugging a broken system with no networking-- you need to be able to sudo/su. Not to mention it would be a terribly non-performant system if it had to reach out over the network for 'root' or 'adm'.

Keeping that in mind, here are the only places we are going to use this:

1. 'root'
2. 'daemon'
3. 'shadow'
4. snapd managed users

For 1 and 2, both are defined in the LSB as being required on any Linux system (http://refspecs.linuxfoundation.org/LSB_5.0.0/LSB-Core-generic/LSB-Core-generic/usernames.html)

For 3, the shadow database is in place everywhere in practice. If snapd is ported to a system that uses a different name, it is easy to adjust account-control to do if isNonStandardDistro then use nonstandard-shadow-group. We can cross that bridge when we get there.

For 4, snapd will be adding users to the local system via local system commands (eg, useradd and groupadd)

[jdstrand]

"Keeping that in mind, here are the only places we are going to use this"

Note, it is technically possible we might introduce an interface to allow modifying something in /etc, like we do for shadow, but that would be exactly the same as for shadow.

[zyga]

Do we need to handle malloc failing here?

[zyga]

Do we need to handle realloc failing here? (In which case the original pointer is not free'd). Also when newSize is zero (which is a valid size) NULL MAY be returned.

[zyga]

The error message will be confusing if buf.size starts at zero.

[zyga]

Please go fmt cmd/snap-seccomp/main.go

[zyga]

Marking as -1 until we discuss and address the issue also found in #3805

[jdstrand]

@zyga - note that I literally copied upstream's user.LookupGroup that is in master with only the slightest changes (eg, I didn't pull back user.Group). In other words, this implementation is going to behave exactly like user.Lookup(). The reason being when user.LookupGroup is available, we'd immediately go to that.

[jdstrand]

"Marking as -1 until we discuss and address the issue also found in #3805"

Please see #3805 (comment)

[codecov-io]

Codecov Report

Merging #3804 into master will decrease coverage by <.01%.
The diff coverage is 73.91%.

@@            Coverage Diff             @@
##           master    #3804      +/-   ##
==========================================
- Coverage   75.81%   75.81%   -0.01%     
==========================================
  Files         402      402              
  Lines       34793    34885      +92     
==========================================
+ Hits        26380    26449      +69     
- Misses       6540     6559      +19     
- Partials     1873     1877       +4

Impacted Files	Coverage Δ
cmd/snap-seccomp/main.go	56.49% <73.91%> (+6.7%)	⬆️
interfaces/sorting.go	98.71% <0%> (+1.28%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6a96aa5...7954c38. Read the comment docs.

[jdstrand]

Thanks for the reviews! :)