many: add support for /home on NFS

[zyga]

This branch adds support for systems running on hosts with NFS-shared /home (or
fragment of /home).

The main problem is that NFS is not transparent to apparmor. When a process
attempts to access NFS-mounted files or directories it will be subject to
network mediation. In the future the kernel may understand what is going on
better and no longer require any workarounds but for now those are necessary.

With this branch, on startup only, snapd will interrogate mounted filesystems
and if NFS is found it will insert additional apparmor snippet into every
apparmor profile. This includes snap application profiles as well as the
profile of snap-confine itself.

The additional profile rules allow "network inet" and "network inet6" access.
For now we are unable to detect NFS filesystems mounted "in flight" at runtime
but we do analyze /etc/fstab and if statically declared NFS filesystem is found
there we assume it may be mounted in the future, even if it is not necessarily
mounted at the given time.

Fixes: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1662552
Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

[jdstrand]

What about reexec?

[jdstrand]

There is also 'nfs'. I wonder if we should include 'cifs' and 'smbfs'....

[zyga]

@jdstrand I've updated this based on your earlier review on IRC. This includes changes to:

• detect re-exec and skip distribution profile reload
• detect possible NFS mounts by looking at /etc/fstab (in addition to actual mounts)
• constrain the search to /home/ or subdirectories
• detect "nfs" in addition to "nfsv4"

In addition to this I added full unit test coverage and I'll re-create the spread test I lost with my snapd checkout last week.

[codecov-io]

Codecov Report

Merging #3958 into master will increase coverage by <.01%.
The diff coverage is 75.86%.

@@            Coverage Diff            @@
##           master   #3958      +/-   ##
=========================================
+ Coverage    75.8%   75.8%   +<.01%     
=========================================
  Files         433     433              
  Lines       37174   37287     +113     
=========================================
+ Hits        28180   28266      +86     
- Misses       7022    7046      +24     
- Partials     1972    1975       +3

Impacted Files	Coverage Δ
interfaces/mount/backend.go	58.33% <0%> (-2.54%)	⬇️
overlord/ifacestate/helpers.go	60.26% <0%> (-1.23%)	⬇️
interfaces/kmod/backend.go	74.07% <0%> (-2.85%)	⬇️
interfaces/systemd/backend.go	53.84% <0%> (-1.22%)	⬇️
interfaces/ifacetest/backend.go	0% <0%> (ø)	⬆️
interfaces/seccomp/backend.go	75% <0%> (-1.6%)	⬇️
interfaces/dbus/backend.go	60% <0%> (-1.65%)	⬇️
interfaces/udev/backend.go	75.36% <0%> (-2.25%)	⬇️
dirs/dirs.go	98.13% <100%> (ø)	⬆️
interfaces/apparmor/backend.go	78.59% <91.57%> (+7.86%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 66efd05...8107d45. Read the comment docs.

[zyga]

Ohhh, it's green on first push :-) Must be my lucky day

[stolowski]

Thanks for working on this! Some early first-pass comments.

[stolowski]

I'd use dirs.SnapConfineAppArmorDir directly, no need for an intermediate temp variable in a simple case like this.

[zyga]

Ack, done.

[stolowski]

I wonder if an inability to determine if we are using NFS here should be fatal (it's fatal in this code if I'm not mistaken), unless we've full faith in our fstab/mountinfo parsing (which we probably need to have given that it's used in some other places afair). Anyway, just mentioning the concern since NFS is not a typical use case - perhaps a warning would be enough. For your consideration.

[zyga]

Interesting question. While we don't expect any errors I agree we should stop the world about it. It is just a workaround for a missing kernel feature (NFS transparency in LSMs). I'll make this non fatal.

[zyga]

Done now.

[stolowski]

Thank you!

[stolowski]

I know we've a deeper and historical problem with hardcoded /home, but I'm not super happy about adding another hardcoded case here. Actually, if we ever fix the problem with hardcoded /home in dirs.go, this fix will break completely and this makes me a sad panda...
Would it be possible to make it more generic and future-proof (e.g. check if any of the filesystems that the snap may potentially be interested in is NFS)? Don't we get the same problem if - say - /usr or /var is NFS-mounted?

[zyga]

This was added by a request from @jdstrand - the idea is that we want to slowly open this up to more use cases. For now we just want to support /home on NFS. We plan to expand this to CIFS as well but not in arbitrary places yet.

Note that /home is already explicitly described in apparmor profiles and there's no easy way around it today.

[stolowski]

Fair enough, thanks.

[jdstrand]

To check for home or not is a difficult question. If we consider that we are lessening the security of the system if NFS is detected, then I think pursuing only doing it when needed is worthwhile. For example, if there is an NFS mount in /srv for something, snaps don't have access to that anyway, so adding network rules to everything snappy for something no snaps will access is wrong. Determining exactly when to apply NFS rules might take some effort, but I think if we are thoughtful and open to iterating, we can do it without too much complexity.

Note that /home is not actually hard-coded in AppArmor policy as included in snappy for app snaps, it is defined via an apparmor tunable which the user can adjust and the apparmor policy for app snaps will be ok.

We do hardcode /home in snap-confine code and apparmor policy though. Until this is resolved, there is no requirement to adjust this PR. If you wanted to make this PR dynamic today, you could do the equivalent of getent passwd, looking at every uid >= 1000, collecting the dirname's of the found homes and then iterate through those to check if on NFS. Of course, this wouldn't catch someone who has a symlink from /home/foo to /var/exports/homes/foo, so could readlink() first. Alternatively, perhaps in the future the core snap can gain 'snap set' config for adding additional locations for HOME (which would update the apparmor tunables). If so, this code could be updated to check /home and any additional directories that were set with snap set.

[stolowski]

❤️

[zyga]

As things go, this test obviously caught a bug in the initial code that worked fine for /home sub-directories but not the full thing :)

[stolowski]

Looks good to me. Thanks for making the changes and for extensive tests!

[stolowski]

I wonder if an inability to determine if we are using NFS here should be fatal (it's fatal in this code if I'm not mistaken), unless we've full faith in our fstab/mountinfo parsing (which we probably need to have given that it's used in some other places afair). Anyway, just mentioning the concern since NFS is not a typical use case - perhaps a warning would be enough. For your consideration.

[zyga]

Interesting question. While we don't expect any errors I agree we should stop the world about it. It is just a workaround for a missing kernel feature (NFS transparency in LSMs). I'll make this non fatal.

[zyga]

Done now.

[stolowski]

Thank you!

[stolowski]

I know we've a deeper and historical problem with hardcoded /home, but I'm not super happy about adding another hardcoded case here. Actually, if we ever fix the problem with hardcoded /home in dirs.go, this fix will break completely and this makes me a sad panda...
Would it be possible to make it more generic and future-proof (e.g. check if any of the filesystems that the snap may potentially be interested in is NFS)? Don't we get the same problem if - say - /usr or /var is NFS-mounted?

[zyga]

This was added by a request from @jdstrand - the idea is that we want to slowly open this up to more use cases. For now we just want to support /home on NFS. We plan to expand this to CIFS as well but not in arbitrary places yet.

Note that /home is already explicitly described in apparmor profiles and there's no easy way around it today.

[stolowski]

Fair enough, thanks.

[jdstrand]

To check for home or not is a difficult question. If we consider that we are lessening the security of the system if NFS is detected, then I think pursuing only doing it when needed is worthwhile. For example, if there is an NFS mount in /srv for something, snaps don't have access to that anyway, so adding network rules to everything snappy for something no snaps will access is wrong. Determining exactly when to apply NFS rules might take some effort, but I think if we are thoughtful and open to iterating, we can do it without too much complexity.

Note that /home is not actually hard-coded in AppArmor policy as included in snappy for app snaps, it is defined via an apparmor tunable which the user can adjust and the apparmor policy for app snaps will be ok.

We do hardcode /home in snap-confine code and apparmor policy though. Until this is resolved, there is no requirement to adjust this PR. If you wanted to make this PR dynamic today, you could do the equivalent of getent passwd, looking at every uid >= 1000, collecting the dirname's of the found homes and then iterate through those to check if on NFS. Of course, this wouldn't catch someone who has a symlink from /home/foo to /var/exports/homes/foo, so could readlink() first. Alternatively, perhaps in the future the core snap can gain 'snap set' config for adding additional locations for HOME (which would update the apparmor tunables). If so, this code could be updated to check /home and any additional directories that were set with snap set.

[chipaca]

Thank you for this.

Could you add a test using proto=udp?

[zyga]

@chipaca oh, great idea. I'll do that.

[jdstrand]

This is looking really good. A few questions, comments, nit-picks inline.

[jdstrand]

Based on a comment further down below, I think this comment can be removed?

[zyga]

I was about to say "but I really want to do that eventually" and then I realized it needs to be the way it is for now. I'll change this comment to explain why.

[jdstrand]

s/snap-confined/snap-confine/

[zyga]

Fixed

[jdstrand]

You are using procSelfExe in Readlink() but hardcoding /proc/self/exe in Errorf.

[zyga]

Done

[jdstrand]

I think this TODO needs to be resolved before merging, no?

[zyga]

Yes, I'll address this next.

[zyga]

Done.

[jdstrand]

While not as important here since we shouldn't be reloading this policy all the time, I think you want '"-O", "no-expr-simplify"'. See LoadProfile() in interfaces/apparmor/apparmor.go for details.

[zyga]

Done

[stolowski]

I know we've a deeper and historical problem with hardcoded /home, but I'm not super happy about adding another hardcoded case here. Actually, if we ever fix the problem with hardcoded /home in dirs.go, this fix will break completely and this makes me a sad panda...
Would it be possible to make it more generic and future-proof (e.g. check if any of the filesystems that the snap may potentially be interested in is NFS)? Don't we get the same problem if - say - /usr or /var is NFS-mounted?

[zyga]

This was added by a request from @jdstrand - the idea is that we want to slowly open this up to more use cases. For now we just want to support /home on NFS. We plan to expand this to CIFS as well but not in arbitrary places yet.

Note that /home is already explicitly described in apparmor profiles and there's no easy way around it today.

[stolowski]

Fair enough, thanks.

[jdstrand]

To check for home or not is a difficult question. If we consider that we are lessening the security of the system if NFS is detected, then I think pursuing only doing it when needed is worthwhile. For example, if there is an NFS mount in /srv for something, snaps don't have access to that anyway, so adding network rules to everything snappy for something no snaps will access is wrong. Determining exactly when to apply NFS rules might take some effort, but I think if we are thoughtful and open to iterating, we can do it without too much complexity.

Note that /home is not actually hard-coded in AppArmor policy as included in snappy for app snaps, it is defined via an apparmor tunable which the user can adjust and the apparmor policy for app snaps will be ok.

We do hardcode /home in snap-confine code and apparmor policy though. Until this is resolved, there is no requirement to adjust this PR. If you wanted to make this PR dynamic today, you could do the equivalent of getent passwd, looking at every uid >= 1000, collecting the dirname's of the found homes and then iterate through those to check if on NFS. Of course, this wouldn't catch someone who has a symlink from /home/foo to /var/exports/homes/foo, so could readlink() first. Alternatively, perhaps in the future the core snap can gain 'snap set' config for adding additional locations for HOME (which would update the apparmor tunables). If so, this code could be updated to check /home and any additional directories that were set with snap set.

[jdstrand]

You are specifying etcFstab to mount.LoadProfile() but hardcoding /etc/fstab in Errorf

[zyga]

Done

[jdstrand]

Can you add a comment here like you did above:

// Check if NFS is mounted at or under $HOME. Because NFS is not
// transparent to apparmor we must alter the profile to counter that and
// allow access to SNAP_USER_* files.

[zyga]

Done

[jdstrand]

fstab entry has 'nfs', but comment is NFSv4 here and the test below. I like these tests, we probably want tests for nfs4 and (at least spot checks for) nfs.

[zyga]

This is how it works actually. You get NFSv4 by default but you can still specify NFSv3 by using nfsvers=3. I'll expand tests to include NFSv3 as well.

[jdstrand]

I noticed that we have a lot of tests using MockMountInfo("...") when using MockEtcFstab(""), but not the other way around or when both are set (outside of TestIsHomeUsingNFS()). Was this intentional?

[zyga]

I wrote mountinfo support code first and only then added the trigger code that looked for fstab. Since other tests are checking that they have equivalent power I should perhaps just say "mock stuff so that NFS workaround is enabled" without going into the details of how that is done.

[zyga]

Also done now.

[jdstrand]

If we can't read /proc/self/exe, why would we create the policy file? We want to create the directory but I see no reason why we would fallback to creating the file, even if we don't reload, since something outside of snapd might reload the policy and then have the NFS policy included.

[zyga]

Because the policy is equally applicable to the re-exec case. We generate the local policy file but don't reload the distro profile. When Setup is called it will choose (or not) to reload the core profile. If it chooses to reload it at that time the generated include file will be present and we will benefit from it.

In all cases I think that if we cannot examine /proc/self/exe we will have other trouble elsewhere so I think this is good as is.

[jdstrand]

I understand with the way you wrote setupSnapConfineGeneratedPolicyImpl() why you wrote the test this way, but my point is to fail closed rather than open (and reorder the read on procSelfExe so we don't generate the policy). The idea is if there is a crazy kernel bug on reading /proc/self/exe, we fail early and loud rather than try to plod along.

I also understand your point that being able to read /proc/self/exe or not doesn't really have anything to do with isHomeUsingNFS(), which is why you wrote out the policy. I'll leave the decision up to you (ie, not a blocker).

[zyga]

I'm changing this now.

[jdstrand]

If the policy load fails, it seems to make sense to clean up the generated profile?

[zyga]

Hmmm, I think the re-exec-from-core case may still want that but if we cannot load it ourselves then yeah, lets remove it. I'll make the adjustment.

[zyga]

Done.

[jdstrand]

Can you: s/# Workaround for/# snapd autogenerated workaround for/

[zyga]

Done

[jdstrand]

Do you plan to address this TODO in this PR?

[zyga]

No, it's a lot of hairy stuff already. I'll address this with separate PRs.

[jdstrand]

s/so w/so we/

[zyga]

Fixed

[zyga]

@jdstrand I've addressed or commented on all the items you have highlighted except for the .real filename. I'll look into fixing that one properly now.

[zyga]

@jdstrand I believe everything is changed or explained (in one case)

[jdstrand]

Approved (though see my last comment (not a blocker)).

[zyga]

@jdstrand after thinking about it I'll rework the code slightly.

[niemeyer]

Nice, thanks for working on this.

Some simple, and probably last, notes.

[niemeyer]

Can we please fix the name for this directory to "snap-confine" while we have time (no .d)? That convention doesn't make much sense here.

[zyga]

Done

[niemeyer]

That's three levels of indirection, and looking through the code it doesn't look like we need any of it. Can we please have the logic below under the real Initialize, and use the real initialize from tests?

[zyga]

Sure, done now. This also removed some extra boiler plate code :)

[niemeyer]

s/,/:/. Every error and log message in this PR seems to use this convention, and this is not our usual convention. Can you please review all error messages and make sure they follow suit?

As a more general note, let's please be careful to preserve consistency in the code base. I've seen that sort of minor discrepancy often, and if it goes unnoticed the code gradually becomes messy. We can change conventions, but we cannot change them in isolation and without notice.

[zyga]

I was wondering why I got this wrong. I must have got the impression that the cannot quux: %s is the wrong way and cannot quux, %s is the right way of formatting errors somehow (as I tried to be consistent, just going the wrong way).

I've reviewed and corrected all the error messages around this code.

[niemeyer]

Thanks for making that clear. That sort of comment helps much when someone else goes to refactor the logic.

[niemeyer]

Let's please move this up to the common block above.

[zyga]

Done

[niemeyer]

The "might contain" is a truism and would be nice to clarify, in the sense that /etc/fstab might contain NFS entries at all times. Clearly there's something more specific implied there since it mentions both "contains" and "might contain", though.

[zyga]

Re-worded to

// isHomeUsingNFS returns true if NFS mounts are defined or mounted under /home.

[niemeyer]

That name makes more sense indeed, thanks.

[niemeyer]

We tend to unify those lines elsewhere, as in }, {. The extra spacing doesn't buy us much. The comments can go inside the brackets instead of outside, which even improves the readability as it's closer to the data.

[zyga]

Done, the whole section has significantly de-indented itself now.

[niemeyer]

s/file/file:/

[zyga]

Done

[niemeyer]

s/file/file:/

[zyga]

Done

[niemeyer]

Bad copy & paste here.

[zyga]

Ouch, thank you for noticing that. Corrected.

[niemeyer]

s/file/file:/

[zyga]

Done

[niemeyer]

s/file/file:/

[zyga]

Done

[niemeyer]

We need a check here that panics if this is /etc/fstab. We don't want to kill the system by mistake.

[zyga]

Oh, good idea. Done

[niemeyer]

I'm honestly quite surprised that the application needs network access to access the filesytem. I won't question that as we'd not have gotten that far if that wasn't true, but I'd like to hear more about how this ended up like this. It seems to make no sense to me at least.

[zyga]

I'll find the relevant apparmor bug and link it here. EDIT. After some discussion with jj there's a new bug report: https://bugs.launchpad.net/apparmor/+bug/1724903

[zyga]

I also added the reference to the bug report into the source code.

[niemeyer]

It's actually init and then add, not the opposite, but instead of fixing that let's revert and preserve the original function name here as it's symmetrical with other functions around it. It will do whatever it needs to do for adding the backends. We don't need to call out every operation in its name.

[zyga]

Done

[niemeyer]

The package installations should happen at the global location next to every other package installation, and it doesn't have to be purged at restore time. Please coordinate with Sergio so that these packages also go into the image maintenance spread runs so that once we finally manage to cook packages into the images this will be there too.

[zyga]

I'm coordinating this with Sergio now.

[niemeyer]

Ouch. If we end up with more of those, we may as well drop spellchecker.

[zyga]

It would be good to be able to teach the spellchecker about new words. I'll see if I can do that instead of this hack.

[zyga]

Ha, that was actually easier than I thought. Done now.

[niemeyer]

s/bak/orig/

[zyga]

Done

[niemeyer]

exists

[zyga]

Done

[niemeyer]

s/bak/orig/

[zyga]

Done

[zyga]

With the exception of unified location of package installation this is all done now. I've also renamed the generated file to nfs-support and changed glob to *. Let's see if I missed anything or if tests will work.