cmd/snap-update-ns: create missing mount points automatically.

[zyga]

This branch allow snap-update-ns to create missing mount points (directories)
automatically.

The code is not perfect yet, we can only create directories as root and we can
only create them with mode 0755. There are ongoing branches that lift those
restrictions but they are not here yet.

The largest restriction is that we cannot yet create directories on top of read
only filesystems. This will be done with a separate feature branch as it is the
most complex.

The apparmor profile for snap-update-ns when invoked from snap-confine was
extended to allow writes to $SNAP_DATA but nowhere else yet. Eventually, to
support the full layout system we will need write permissions in various
places (essentially everywhere except for a specific blacklist).

Signed-off-by: Zygmunt Krynicki zygmunt.krynicki@canonical.com

[codecov-io]

Codecov Report

Merging #4008 into master will increase coverage by 0.01%.
The diff coverage is 76.51%.

@@            Coverage Diff             @@
##           master    #4008      +/-   ##
==========================================
+ Coverage    75.8%   75.81%   +0.01%     
==========================================
  Files         434      436       +2     
  Lines       37342    37465     +123     
==========================================
+ Hits        28306    28405      +99     
- Misses       7062     7080      +18     
- Partials     1974     1980       +6

Impacted Files	Coverage Δ
cmd/snap-update-ns/main.go	0% <0%> (ø)	⬆️
interfaces/mount/entry.go	65.81% <100%> (+1.52%)	⬆️
cmd/snap-update-ns/freezer.go	56.25% <56.25%> (ø)
cmd/snap-update-ns/utils.go	85.93% <85.93%> (ø)
cmd/snap-update-ns/change.go	97.46% <90.9%> (-2.54%)	⬇️
overlord/ifacestate/helpers.go	60.26% <0%> (+0.66%)	⬆️
cmd/snap-seccomp/main.go	54.4% <0%> (+2.79%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 53d4da9...e32ac7b. Read the comment docs.

[zyga]

This will be addressed after #3965 lands.

[jdstrand]

To limit to directories, use /var/snap/*/**/ w, (do you actually need 'r'?).

[zyga]

We use stat so I assumed we do.

[zyga]

I'll come up with a few spread tests and if we don't need this I will remove this.

[zyga]

We need the r for the SecureMkdirAll implementation now.

[jdstrand]

I don't like the sound of this. If the snap can race snap-update-ns, then the snap is able to create arbitrary directories anywhere the snap-update-ns profile allows, which is already pretty wide and by your own admission, will only get wider.

We can do better than this. Recall openat/mkdirat in sc_nonfatal_mkpath() in cmd/libsnap-confine-private/utils.c

[zyga]

We can do better wrt mkdir but we cannot ever do better wrt mount itself. I can make the better mkdir for sure but the ultimate race towards mount is unfixable without freezing the snap processes or using some new kernel interface for mounting.

[zyga]

I've implemented SecureMkdirAll and used it place of the original now.

[jdstrand]

Re mount, yes, we would have to freeze the process since mount() follows symlinks.

[zyga]

Ack, I'll do that

[zyga]

Done, we are now freezing the group for the update process.

[jdstrand]

This chown is only doing the bottom directory-- if parents were also created, they would not be chowned. It is probably fine to chown all to root:root for now, but if we decide to allow arbitrary ownership, that will get tricky to limit it to only inside the snap and how to declare which directory is supposed to have which ownership (I'm not sure if that is planned).

[jdstrand]

In thinking about this, I think that root:root 0755 is fine for all of the directories because the snap can always adjust the parent directories after creation. The mountpoint permissions will be covered up by whatever is mounted on it, and the snap could adjust that after the fact as well if desired (but, that will change the permissions of the original mountpoint-- we need to be really careful of the mount options for things in SNAP_DATA, SNAP_COMMON or anywhere else the snaps can write to).

[zyga]

I'll update the code to ensure we don't leave non root groups (as snap-confine is not setgid root) now.

[zyga]

This is still a TODO

[jdstrand]

I have to say, the timing of this PR is important. I've had two different people walk up to me today at the sprint complaining that they can't use $SNAP_COMMON/foo or $SNAP_DATA/bar with content interface consuming snaps and I pointed them to this PR. Thanks for taking this on! :)

[zyga]

I will fix this branch and add a useful spread test in a moment. Thank you for re-affirming the utility @jdstrand :-)

[zyga]

@jdstrand I think this ready for another look now. I replied to all the comments and the only remaining TODO is to chown all the path fragments, not just the last one we made. I'll adjust that today but I need to pick one of two ways of doing that (immediately after arch mkdir or after all of them). I'll do a pass on some other PRs that I have and I'll get back here.

[chipaca]

why is this using path and not path/filepath?

[zyga]

EDITED: This module deals with directory names, not file names.

[chipaca]

why not call the variable mkdirAll then?

[zyga]

I wanted to keep the same semantics as os.MkdirAll (to make the two interchangeable). I guess it's not a great reason, I can tweak this.

[chipaca]

could this live in osutil instead?

[zyga]

Yes but @jdstrand requested that we limit imports from other modules. I can move it there if he agrees.

[chipaca]

why stat it at all, and not dive straight into the mkdirall? as it stands there's a window between the stat and the mkdir that can probably be (ab)used

[zyga]

We want to stat it because the error message is different. There's no more any window as the stat is advisory now (mkdirall is coded to defend against that) and all the process are frozen.

[chipaca]

checkpoint

[zyga]

Hmm?

[zyga]

@jdstrand I've changed SecureMkdirAll to chown each created path segment now. I think this is ready for a security review now please.

[jdstrand]

This looks good overall. Thanks for all the hard work on it. Please see comments inline.

[jdstrand]

The final '**' allows creating files as well as directories. I suggest changing this to:

/ r,
/var/ r,
/var/snap/{,*/} r,
/var/snap/*/**/ rw,

[jdstrand]

As discussed in my previous comment, I think that this is the right mode and ownership. Removing the TODO comment and adding a comment as to why this is ok would be good (eg, '// Create the directories with sane permissions. The snap can always change them later if it wants')

[zyga]

Ack, I'll do that. I suspect this also means we don't need to (urgently) pull in the other PR that adds a way for this to be customized.

[jdstrand]

It feels weird that we aren't doing any validation on unparsed. I realize that the fstab files are controlled by snapd, so not strictly a blocker, but this seems to be leaving us open to introducing a future bug if assumptions change. Can you explain the motivation for this? (Eg, the sysMount this is replacing used "", but now you are using strings.Join(unparsed, ",").

[zyga]

Those are needed for things like overlayfs's lower/upper/workdir. I'm not sure if we should have strong validation here given that snap-update-ns reads what snapd wrote. If you feel strongly about it I can add a validation system that will let us be explicit about what is allowed (on top of the mount mediation in apparmor).

[jdstrand]

Not necessarily for this PR, but I feel it is worthwhile to have input validation for maintenance' sake. A typo or something else is caught in unit tests as opposed to spread tests.

[jdstrand]

A comment mentioning that we are freezing all processes in the snap would be good here, which is also why the name of the cgroup is snap.$SNAP and not snap.$SNAP.$COMMAND.

[zyga]

I'll add a comment.

The name of the group is snap.$SNAP because the attack we are trying to fend off is involving the processes naturally inhabiting the mount namespace and that is no longer per-command but instead per-snap, if you recall.

[zyga]

Man, I just realized I misread your comment :)

[jdstrand]

Is 1 second really enough time to wait on a constrained system (eg, rpi under load)?

[zyga]

I think this is a multi-socket thing, otherwise the write/freeze would be immediate. I honestly never saw this take any amount of time (kernel expect could perhaps infer this from the inner workings of the cgroup).

[zyga]

For the sake of being conservative I increased this to three seconds.

[jdstrand]

We seem to be failing open here if the cgroup is still FREEZING. We should be failing closed, since we are freezing to make sure a snap can fiddle with the mountpoints, no?

[zyga]

Aha, good point! I'll correct that, it was meant to fail here as we check for the failure in the call site.

[zyga]

Corrected. I also made this thaw the processes so that we don't break the system when this happens.

[jdstrand]

This comment is wrong for this test.

[zyga]

Thank you, corrected.

[jdstrand]

What is the use case for the relative directory? Doing it this way means we are going to need to be really careful about the current directory which I'd prefer we not have to worry about unless we have to.

As it is, snap-confine does a chdir('/') sometime before sc_setup_mount_profiles() (what calls snap-update-ns) in setup_private_mount(), so the relative handling does nothing when called from snap-confine. I don't see any callers of os.Chdir() or osutil.ChDir() that are relevant to snap-update-ns, so the current working directory is whatever snapd seems to be running under. Considering all of this, I'd prefer we explicitly construct the absolute paths.

[zyga]

We don't really need it. I was just trying to write some library-worthy code. I can make it always absolute if you prefer.

[zyga]

Done.

[jdstrand]

It is a bit weird that you need to specify '0' here since you aren't using O_CREAT, but since it's a syscall, I guess it makes sense. Not a blocker.

[zyga]

Yeah, that's not something we can avoid in the go binding to the syscall.

[jdstrand]

Thank you for using path.Clean()

[jdstrand]

I suggest a stronger statement // Note that at the time this is run, all the snap's processes are frozen.

[zyga]

@jdstrand all of the comments have been addressed! Thank you for the review :)

[jdstrand]

Thanks for the updates! It would be nice if you could add the additional comment in line.

[jdstrand]

If you are going to make another commit, a comment here would be nice saying that we actively chose not to support relative directories. Eg:

// Only support absolute paths to avoid bugs in snap-confine when
// called from anywhere

[zyga]

Sure, I'll add this before merging. Thank you!

[zyga]

Done

[mvo5]

Looks good, some cosmetic suggestions inside.

[mvo5]

This comment feels a bit cryptic: for someone not familiar with the details that dosn't contain any special behaviour is hard to parse. Maybe: doPerform() or performOnly() or just fold it into perform and extract the ensureMountPoint thing into ensureMountPointForAction or somesuch? Looking at the code it seems like Perform() and lowLevelPerform could just be a single method maybe (neither is very long or complex)?

[zyga]

They are separated because code further ahead needs to call lowLevelPerform. I'll adjust comments on this but I need them separate in one way or another.

[zyga]

Done now

[mvo5]

How can a snap process do "malicious activity"? Isn't the cgroup protected via apparmor from the snap anyway? Or does malicious mean something else in this context?

[zyga]

It means attempting to mount a symlink attack against mount. I'll adjust the comment to be explicit about this.

[zyga]

Done now

[mvo5]

Don't we need a defer sysClose(fd) here?

[zyga]

Indeed, let me rework this.

[mvo5]

Why do we keep previousFd instead of using defer sysClose(fd) ?

[zyga]

See below.

[mvo5]

Why do we have the sysClose() between this error check? The error is for the err in 101 so it feels harder to read this way than if the err check is followed immediately after the sysOpenat(). Maybe defer sysClose() would help to make this easier to read?

[zyga]

The code is designed to ensure that we only keep two file descriptors around. The one for the parent directory and the one for the entry inside it. Everything is paired correctly.

As for defer, we could do that but it would mean we need to keep more file descriptors open for no good reason.

[mvo5]

I think this can be renamed to "EnsureMountPoint()" (or possible even ensureMountPoint) and the var ensureMountPoint can be removed. AFAICT this is not reassigned anywhere in the code.

[zyga]

+1

[zyga]

Done now

[mvo5]

Thanks for this test!

[zyga]

More is coming here :) This is just a start

[chipaca]

I'd suggest also O_PATH. But you need to use golang.org/x/sys/unix instead of syscall (which we should do as much as possible anyway)

[zyga]

Done

[zyga]

Undone because O_PATH cannot be used with fchown.

[chipaca]

you could also segments := strings.FieldsFunc(filepath.Clean(name), isSlash) (with func isSlash(c rune) bool { return c == '/' }) and avoid the if in the loop

[zyga]

Done

[chipaca]

I'm a little bit unhappy about this approach. It's probably not worth worrying about, but I worry: this uses a lot more filehandles than necessary. On the other hand, doing the cleanup by hand, even with a helper, is not obviously right to the reader. On the other other hand, we're ignoring all the close errors. Sigh.

[zyga]

Look at the history, one of the most recent patches introduces defer, if we pop that we're back to hand-done cleanup logic that only uses a pair of FDs

[chipaca]

shouldn't we sync everything to disk on success?

[zyga]

No, this is not a requirement of this operation.